State Secretary Van Huffelen (BZK - Digitalization and Kingdom Relations) answers questions on the development of a European digital identity and its relation to the corona access card. Member of Parliament Van Haga (Van Haga Group) asked these questions.
Questions by Member Van Haga (Van Haga Group) to the Secretary of State for the Interior and Kingdom Relations on the development of a European digital identity in general and, in particular, in relation to the corona ticket (submitted March 14, 2022).
Reply by State Secretary Van Huffelen (Interior and Kingdom Relations) (received April 7, 2022).
1 Since when has the European Union (EU) been developing a European digital identity?
On June 3, 2021, the European Commission submitted a legislative proposal for a "Framework for a European Digital Identity," which revises the current eIDAS Regulation.1) The Commission submitted this proposal in accordance with the request of the European Council.2)
2 Is it true that in June 2021 the EU notes that the implementation of European digital identity is not going well, as evidenced by the passage, "As of the entry into force of the e-ID part of the Regulation in September 2018, only 14 Member States have notified at least one e-ID scheme (. ). Only 7 schemes are fully mobile (...). 3)
This is incorrect because in your quote, the Commission is talking about the 2014 eIDAS regulation and not the June 3, 2021 bill for a "framework for a European Digital Identity" that revises that earlier eIDAS regulation.
The Commission has found, as has the government, that the implementation of the 2014 eIDAS regulation has not produced sufficient results. The digital single market is still too fragmented for citizens and businesses to easily and securely purchase online services in another European country. The number of electronic transactions in other member states is low, the number of recognized eIDs is limited to 14 member states and 59% of the
EU population, and the number of online services available for cross-border use is too limited. This is what the new bill addresses. We are also facing a changing social context in which more and more is done digitally, and technological development has begun to focus more on solutions where eIDs (logins) can be linked to attributes. Online (social media) platforms offer accounts and are becoming increasingly dominant in Europe, while these accounts and the online transactions with them, do not provide sufficient security for reliable and secure use and protection of users' data. The Commission's proposal aims to facilitate the operation of the eIDAS regulation by requiring member states to recognize eIDs for European use as well as increasing the functionalities of eIDs in the form of a digital identity wallet to be introduced nationally. The wallet can be issued by member states in-house or under mandate or they can recognize an independently issued wallet. This wallet should offer citizens and companies who so wish the possibility to make their electronic identity and related attributes, such as qualifications, authorizations and digital documents, available themselves under a high level of security.4)
3 Klopt het dat de EU in oktober 2021 stelt dat: «{ het digitale EU-COVID- certificaat [heeft] aangetoond dat het mogelijk is op een toegankelijke manier een veilig en beveiligd systeem te ontwikkelen dat privacy en persoonsgege- vens beschermt. Het is een belangrijke testcase voor de ontwikkeling van een «toolbox voor digitale identiteit» van de EU.»?5)
It is true that the Commission stated this about the technology enabling the EU Digital COVID Certificate. The EU Digital COVID Certificate is substantively separate from the development of the "toolbox for a digital identity." The lessons learned from handling digital assets in the Netherlands in a privacy-protective manner in the fight against the COVID-19 pandemic will be included in the development of the European Digital Identity Framework. We also take very seriously the risk of wallet overfishing, where citizens are unnecessarily asked to prove data from a digital wallet.
4 In what way is the EU-COVID certificate a test case for the development of the EU's "toolbox for digital identity"?
As also mentioned in the March 9 committee debate, the EU DCC is only deployed in the context of the current COVID-19 pandemic. The establishment of the "Framework for a European Digital Identity," which revises the current eIDAS regulation, and the development of the EU's "toolbox for a digital identity" are therefore separate from this. However, as a matter of course, the lessons learned during the use of the COVID digital certificate will be included in the development of this toolbox.
5 Can the technology and software for the corona app and for the scanner for checking vaccination status be used for the further development of European digital identity? Is the technology for the corona app and scanner being further developed in any way for the purpose of the broader European digital identity? Can you provide a detailed overview of the technical possibilities and impossibilities for this further development?
CoronaCheck (both the app for the citizen and the app for the verifier) was developed with the goal of being able to provide reliable proof of a test result and/or vaccination, where anyone can verify that proof without providing more personal data than strictly necessary. This privacy-by-design philosophy has led to several choices in the architecture, and the software and cryptography used. These are openly described on the Ministry of Health's GitHub.6) Anyone who wants to can check and reuse this technology because it is openly viewable. The specific software for the CoronaCheck app is not being further developed by the government into a more widely deployable EU digital identity wallet.
6 Can you give a further explanation of your and the Minister of Foreign Affairs' statements that the Netherlands is already connected to the European infrastructure for cross-border use of e-IDs? Can you provide a detailed description of what this European infrastructure entails and how and by whom it is currently being used? What specifically does the Netherlands' connection entail? "7) 8)
As mentioned in the answer to question 2, this affiliation concerns the 2014 eIDAS regulation. The current regulation aims to ensure the proper functioning of the digital single market by promoting secure and reliable electronic transactions between citizens, businesses and public authorities through mutual recognition of electronic identifiers (eIDs) and harmonization of trust services. The eIDAS regulation establishes the conditions under which member states must mutually recognize each other's eIDs for citizens and businesses. "Public entities" (governments and organizations with public law functions) must allow recognized eIDs at "substantial" and "high" trust levels free of charge in cross-border transactions in the public domain. To enable cross-border use of electronic identification and authentication, the Netherlands is connected to the European eIDAS network. In addition, the Netherlands has had both the public means DigiD for citizens and the public-private system eHerkenning for companies, recognized for use across borders.
An overview of the European notified eID schemes can be found on the public website of the European eID User Community.9) I receive a monthly overview of the current use of European eIDs among Dutch service providers with a public law task. It currently concerns approximately 10,000 authentications with eIDs from other EU countries each month, with Belgium, Germany, Italy, Spain and Portugal leading the way. The service providers with the most queries are the Tax Office, the SVB, the UWV, DUO and the pension register.10)
7 Can you indicate whether and how parliament was involved in the decision-making process on connecting the Netherlands to the European infrastructure for cross-border use of e-IDs?
In 2016, the House of Representatives approved Amendments to the Telecommunications Act, Books 3 and 6 of the Civil Code, the General Administrative Law Act as well as related amendments to other laws in connection with the implementation of EU Regulation on Electronic Identities and Trust Services (Implementation of EU Regulation on Electronic Identities and Trust Services, eIDAS).11)
8 Is the software used for the EU-COVID certificate usable within the European infrastructure for cross-border use of e-IDs?
Yes. The CoronaCheck and CoronaCheck Scanner apps have both been developed to support both DCC travel and domestic coronagraph access card (CTB) use. The CoronaCheck app is nothing more than a digitally signed certificate regarding a citizen's testing, vaccination, and/or recovery status. The CoronaCheck Scanner app can then be used to check the validity of this certificate or proof. Checking the validity of signed certificates is standard, reusable technology.
9 Are you aware that the Dutch healthcare sector has been a "forerunner and quartermaster" for the EU e-ID system since 2016? "12)
Medical personal data is sensitive data. It is therefore important that patients can log in securely to access their own data and that professionals can log in securely to access their patients' data. A well-functioning e-ID system is therefore important for healthcare. For the introduction of the e-ID system in healthcare, the Ministry of Health, Welfare and Sport therefore has intensive consultations with both the Ministry of the Interior and Kingdom Relations and the healthcare field. In recent years, the Ministry of Health has also invested in this; think of the development of the necessary technical infrastructure such as the Access Service (for the efficient handling of the various login methods) and the support in connecting to it. This can be qualified as leading the way.
10 Is there a relationship between the healthcare sector as a "forerunner and quartermaster" for e-ID and personal health environments (PBMs)? If so, which ones?
No. However, it is important that people can log in securely to retrieve their medical data in their PBM. This is why the development of PBMs follows the eID means authorized by the Ministry of the Interior and Kingdom Relations to allow patients to log in securely.
11 Is the technology used for PBMs, such as websites and apps for online access to medical data, to which Dutch general practitioners are connected via the Huisarts Informatie Systeem (HIS) (General Practitioner Information System) and which allow patients to share their data with healthcare institutions, aligned with the (existing or to be developed) European infrastructure for cross-border use of e-IDs?
No. See also the answer to question 10.
12 Apart from the healthcare sector, are there other sectors in the Netherlands that have a role in the development of European digital identity now and/or in the recent past? Which sectors are/were these and what were the results?
The development of the European digital identity framework requires the involvement of different sectors. The European Commission has made facilities available for an open consultation where all parties can express their position on this proposal and its elaboration. This will be done in as open a manner as possible. In answers to questions from member Jansen (FvD), I already indicated that the Cabinet is seeking the broadest possible advice on the details of the Dutch implementation of the European digital identity framework.13) Various sectors are involved, such as education, the mobility sector, employment, the financial sector, and healthcare.
13 Is the test in the House of Representatives with facial recognition at the entrance gates using a camera and the access card in any way part of the (existing or to be developed) European infrastructure for cross-border use of e-IDs? Is the technology used in this process aligned with the (existing or to be developed) European infrastructure for cross-border use of e-IDs? If yes how? If no, why not?
This trial is not known to me, so there is no alignment here.
14, 15, 16 Can you confirm that the storage of the personal characteristics address, age, gender, marital status, family composition, nationality, educational qualifications, titles and diplomas, "professional qualifications, titles and licenses, public licenses and permits, and financial and business data has been set by the EU as a minimum requirement for European digital identity? If so, do you endorse the mandatory accessibility of at least all of these personal data through the European digital identity? What will go wrong if any of these personal data are not mandatorily accessible through the European digital identity? "14)
Can the Cabinet still speak out against this minimum EU requirement? If so, are you prepared to do so?
Can parliament still speak out against this minimum EU requirement? If so, how?
Yes, I can confirm that. Annex VI of the proposed regulation for the European digital identity framework (revision of the eIDAS regulation) defines the minimum set of attributes that member states must make available from authentic sources for use in wallets.15)
However, this data is never stored "by the EU" anywhere. Citizens will always voluntarily choose to include attributes (verified data) in a wallet of their own choosing. It will be up to the citizens themselves which attributes they want to include in their wallet and then under their own direction to use this data to conduct business easily and while maintaining privacy.
This proposal actually gives people more autonomy and control over their own data than the current situation where citizens cannot have these attributes and they are often transferred in an insecure manner. Think of copies of passports, scanned signatures or less secure cloud or social media platforms.
I endorse the need to agree at European level on what data or rather attributes should be able to be exchanged as a minimum at what time in a European context. I note that at this point in the negotiations the Cabinet has not yet taken a position on the final details of Annex VI. You know that I am mandated in the BNC fiche, to which I also adhere for Annex VI, and I cannot give you an answer with respect to the negotiations. The Parliament, as you know, does not review proposals from the Commission on substance and has not raised any objections to the subsidiarity and proportionality of the proposal.16)
I do note that the government is cautious about the scope, impact and feasibility of the proposal and the proposed time frame. The high ambition can only be realized with an appropriate, realistic time frame. The proposal calls for a manageable, phased implementation based on joint prioritization by the member states, especially in the area of the attributes to be included on a mandatory basis. There must also be sufficient room for timely implementation of the necessary measures and regulations within the context of national implementation agendas and policy developments and of manageable implementation and realistic impact in the implementation. Thus, this is also stated in the BNC fiche.17)
17 Is it true that the EU wants to require all member states to recognize a European digital identity? Is it true that the government is a strong supporter of this? Does the parliament have the possibility to stop this obligation? If so, how?
See answers to questions 2 and 14-16. It is true that the revision of the eIDAS regulation requires member states to develop at least one digital identity wallet. As stated in the coalition agreement, citizens will have their own "online" identity. Central to this is the control of one's own data.
18, 19 Please comment on the passage "Widespread availability and usability of European digital identity wallets requires acceptance by private service providers. Private trusted parties providing services in transport, energy, financial services, social security, healthcare, drinking water supply, postal services, digital infrastructure, education or telecommunications should accept the use of European digital identity wallets for the provision of services for which strong user authentication for online identification is required by national or Union law or contractual commitment."?18)
Is it true that, in addition to the minimum requirements mentioned (see question 14), the intention is for data in the above areas (see question 18), including health care, to become accessible via the European digital identity? Is it conceivable that the European digital identity to be developed will eventually also be used to store and check vaccination status? Can you rule out this future use?
This is a consideration underlying the proposed regulation. Not part of the legislative text.
Users should not be required to use the wallet or wallet, as the recital you cite a few sentences later states.19) The proposal indicates that the intended means could also be used in healthcare; for example, for identification and authentication of healthcare providers as well as patients. The proposal includes a minimum list of attributes that (could) be in the wallet when the user wants to add them. This minimal list does not currently include attributes with medical data and therefore no COVID certificates and/or proofs.
20 Is the document EU 2016/679, dated April 27, 2016 still the data protection regulation in force? If yes, how does the goal of data minimization from this regulation relate to the intended accumulation of personal and other data in the European digital identity? If not, what is the current EU data protection regulation and what does it regulate about data minimization?)20)
Leading is indeed the General Data Protection Regulation (AVG).21) The concept of "data minimization" defines that when personal data are processed, no more personal data should be processed than is strictly necessary for the defined purpose. The European Digital Identity Wallet will not "stack" this data, but will allow citizens to access it from their own environment to public or private parties with which the citizen wishes to do business.
21 Can you answer these questions by March 22, 2022 in connection with the scheduled committee debate Digitale overheid, Data Use and Algorithms, Digital Identity?
No. Unfortunately, due to necessary interdepartmental coordination, it was not possible to answer your questions before March 22, 2022.
1) See the European Commission's proposal: https://eur-lex.europa.eu/legal-content/NL/TXT/ HTML/?uri=CELEX:52021PC0281&qid=1625048320890&from=NL
2) EUCO 13/20 - CO EUR 10 CONCL 6. P. 6 https://www.consilium.europa.eu/media/45915/021020- euco-final-conclusions-nl.pdf
3) See: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No. 910/2014 on a European Digital Identity Framework, dated June 3, 2021, page 1
4) Parliamentary Record 22 112, no. 3161
5) See: REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL pursuant to Article 16(1) of Regulation (EU) 2021/953 of the European Parliament and of the Council of 14 June 2021 on a framework for the issuance, verification and acceptance of interope- rable COVID-19 vaccination, testing and recovery certificates (EU-COVID digital certificate) to facilitate free movement during the COVID-19 pandemic, page 4.
6) https://github.com/minvws/nl-covid19-coronacheck-app-coordination.
7) Parliamentary paper 22 112, no. 3241
8) Parliamentary paper 20 112, no. 3161
9) https://ec.europa.eu/digital-building-blocks/wikis/display/EIDCOMMUNITY/Overview+of+pre- notified+and+notified+eID+schemes+under+eIDAS
10)rijksoverheid everything-you-need-to-know-about-eidas
11) House Bill 34 413
12) See, among others, the report "The new eID system; an introduction for the healthcare sector," Nictiz, May 22, 2017
13) Appendix Proceedings, session 2021-2022, no. 2142
14) See Annex VI from ANNEX to the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 on a European Digital Identity Framework
15) See the European Commission's proposal: https://eur-lex.europa.eu/legal-content/NL/TXT/ HTML/?uri=CELEX:52021PC0281&qid=1625048320890&from=NL
16) See Article 12 Treaty on European Union
17) Parliamentary paper 34 413, no. 2
18) COM (2021) 281 final, dated June 3, 2021, page 20.
19) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016, recital 28.
20) See: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), Article 5.1c
21) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016
