Reply by the State Secretary of the Interior and Kingdom Relations to the questions of July 16, 2021, by the Standing Committee on the Interior and the High Colleges of State / General Affairs and House of the King of the Senate of the States General in response to the European Commission's proposal for a regulation on European digital identity (COM(2021)281).
The members of the GroenLinks Group ask me to assess the risk that private service providers will request digital identity online everywhere where this was not previously possible or in places where in the offline world this is not considered necessary. These members also ask me to assess the degree of privacy protection through the highest cybersecurity standards.
First, neither the Commission's bill nor the digitale overheid (Wdo) bill are intended to provide bases for data processing that are not currently necessary. Data may only be processed in compliance with the principles, such as those on transparency and purpose limitation, in the field of personal data processing based on the General Data Processing Regulation (AVG) and additional national legislation.(1) The risk always exists that parties process data in a way that is not permitted, but this risk is neither increased nor decreased by the proposed rules in the Commission's proposal or in the Wdo. On the contrary, the Commission proposal, like the Wdo, aims to prevent, with specific safeguards, the improper use of electronic identities (eIDs) and data on individuals and businesses.
In addition, it is important that the elaboration of the new European Digital Identity (EDI) includes the regulations and standards that ensure that all Europeans can safely use digital services. A reliable link with the national identity as established by the government is important here. We call this the digital source identity, which is a government-issued, recognized and legislated digital identity for use in the public and private sectors. This digital source identity contains a minimum set of identity data needed in society.(2) Citizens and also companies should, as the Commission also proposes, have full insight and control over the data they share. Users determine which data are shared with whom and should be informed in advance of the attributes and data required for purchase of a concrete service, which should only be shared if this is in accordance with national law and to the extent necessary for the use of a particular service. Digital service providers and providers of eID tools, such as "e-wallets," and of attributes may not combine users' data and use it for other services. The Commission's proposal also requires separate storage of data and prohibits the retention and reuse of personal or business data and transactions.
Finally, according to the proposal, eIDs, for example in the form of "wallets," must themselves be secured at the highest level of reliability. The fiche states that the Cabinet is willing to explore the Commission's idea of allowing certification of eIDs to be recognized at European level under the Cybersecurity Regulation.(3) The Cabinet also wants to harmonize the supervision of resource and data providers and service providers in the public and private sectors to ensure the security and reliability of digital services and a level playing field within the internal market. Finally, it is crucial that in the elaboration of the proposal and in the future use of European eIDs, the knowledge of experts from the field of justice, security and intelligence is used to ensure their security as much as possible.
The members of the GroenLinks Group ask in which parts the proposals for the Wdo may have to be adjusted so that they are in line with the Commission's proposal, and ask whether parts of the current proposal for the Wdo conflict with (the choices made within) the Commission's proposal. The members also ask me to indicate which choices I make in the Wdo differ from those in the Commission's proposal.
The Commission's proposal and the Wdo proposal are largely in line with each other and do not conflict. However, the Commission's proposal regulates more than the proposed first tranche of the Wdo and in that respect the two proposals differ. Broadly speaking, the Commission's proposal envisages more functionalities and has a broader scope. Whereas the current eIDAS Regulation and, in line with it, the first tranche of the Wdo contain regulations for the secure and reliable use of eIDs in government services, the Commission's proposal regulates the use of eIDs and attributes with a mandatory e-wallet to be introduced in government agencies and in the private sector under the direction of citizens and businesses.
If this proposal is adopted, the Wdo will have to be supplemented with regulations now envisaged in the second tranche. The Wdo should include a public law system for admission of one or more wallets. The obligation to accept eIDs must also be supplemented with the obligation to accept accepted wallets for online services. In addition, use in the private domain should be regulated and regulations should be included in the context of data exchange under the direction of citizens and businesses and for the digital source identity as a minimum set of identity data in wallets. Finally, it will have to be considered how the proposed national certification of eIDs by member states themselves can be regulated under the Wdo and it will have to elaborate the supervision in the public and private domain. I will do this in the second tranche of the Wdo, building on the foundation laid for this in the first tranche. For the sake of completeness, I note that the Wdo, insofar as it regulates subjects included in the eIDAS Regulation, has the character of an implementing law.
The members of the GroenLinks Group point out that I intend to embed in the second tranche of the Wdo the basis for data sharing in combination with a digital source identity (for the wallet to which 'attributes', such as qualifications and powers, can be linked). The BNC fiche accompanying the Commission's proposal states that national implementation regulations are needed because of the broad scope of the proposal. The members ask me what adjustments are involved, which should enable digital transactions with national eID resources in the private domain, and what differences exist between the first tranche of the Wdo and the second tranche on citizen-directed data exchange. The members also ask in what way measures on inspection, correction, user protection, certification, electronic archiving, supervision and enforcement will be adapted.
The first tranche of the Wdo includes a basis for the infrastructure of facilities that enables the sharing of, access to and correction of data - which concerns the citizen himself - under the direction of the citizen. In the second tranche of the Wdo, such a basis for data sharing will be further developed in conjunction with digital source identity. Whereas the first tranche deals with secure login, in the second tranche the secure sharing of data - also under the direction of citizens and companies - will become more central to the Wdo. Exactly what adjustments are to be made will depend on the final content of the revised regulation that will eventually be adopted.
For access, correction and protection of users, no specific adjustments to the Wdo are necessary, as the rights, rules and measures for these follow from the AVG. However, provisions may have to be made in the Wdo to enable citizens to make the best possible use of their rights, and the Commission's proposal includes provisions for this. For the other aspects, the need to draw up national implementing regulations for this will have to be considered on the basis of the final text of the regulation. For the sake of completeness, it is noted that electronic archiving currently falls outside the scope of the Wdo.
The members of the GreenLeft Group ask me to specifically address the decision to allow private providers and the responsibilities these private providers have.
There is no disagreement with the Wdo on the choice to allow private providers of login resources. The Commission's proposal also offers the possibility of allowing private providers of login resources, as long as these providers meet the requirements set, such as those relating to privacy, reliability and security.
The members of the GroenLinks Group ask me to give an opinion on the Commission's choice to leave much room to member states for the development and use of digital identities. The members ask me whether I agree with them that if all member states choose a different infrastructure, they will hardly function or communicate with each other at the highest security levels.
The members of the GroenLinks Group see the digital identity that is now being designed at the European level as a ramp to the digital highway, in this case the infrastructure. In the members' view, it is vulnerable if each ramp and highway is of different design and has a different controller. The members ask me to assess this.
The Commission's proposal is a revision of the current eIDAS regulation and, in line with this, leaves room for member states to develop mandatory eIDs and wallets, which after European recognition within a harmonized European infrastructure can be used for digital services in other member states. On the one hand, the Cabinet noted in the BNC document that this infrastructure is not yet perfect from a technical point of view and requires development; on the other hand, what has now been developed in various member states generally does work in order to be able to use eIDs across borders. The Cabinet also agrees with the Commission that too few eID resources, service providers and services are connected in Europe to be able to speak of a successful implementation of the regulation. The cause lies with the member states themselves and therefore the Cabinet supports the idea in the proposal to oblige all member states to have at least one eID, including at least one wallet, recognized. In addition, the Cabinet urges the Commission to take measures to encourage more service providers and services in the member states to connect to the national interfaces, which in turn must be linked to the European infrastructure. In this way, the need and necessity to keep improving interoperability and to arrive at an increasingly harmonized infrastructure, while leaving sufficient room for national interpretation and innovation of the identity infrastructure, is growing.
The members of the GreenLeft Group ask me whether I believe that commercial exploitation of digital identities on user behavior should not be allowed. In other words, that meta-information on usage should therefore never be commercially exploited. The members ask how the answer to this question relates to the difference between the Commission's proposal and the Wdo proposals and ask me to indicate what is meant by commercial activities. Finally, the members ask if I can assure that nothing can be done with the personal login data in any way.
I believe that commercial exploitation of digital identities on user behavior is indeed not allowed. The point is that personal data is only used to securely issue login credentials and for the purpose of the citizen's use of the login credential, and that the processing remains within this purpose limitation, as stipulated in the Wdo proposal. Other types of commercial use, directly or indirectly, of these data and data generated in the context of service provision (logging with meta-information c.q. user behavior) are explicitly prohibited in the Wdo and, as a trading prohibition, are now also regulated at the legislative level via a novella at the request of your Chamber. By commercial activities in this context I mean activities that do not fall under activities to which private providers are entitled based on the purpose descriptions in the Wdo.
The Commission's proposal does not explicitly include the trading prohibition, at least not as in the Wdo. However, for the wallet, Article 6a(7) is included, which prohibits wallet providers from combining personal data - related to the wallet or its use - with data from other services of themselves or third parties. Thus, under this provision, the data may not be used for other, non-wallet-related, services. The prohibition on using the data commercially is not stated in so many words in the Commission's proposal, but the rationale behind this provision seems to be the same as the prohibition on trading in the Wdo.
Completely eliminating risks of unauthorized use, unfortunately, is never possible. With the instruments in the Wdo proposal, I expect to be able to minimize the risk of this. In the Wdo, in addition to the prohibition of trade in the law itself, the implementing regulations will also set further rules to make other types of use than on the grounds of the Wdo impossible. Examples include the separate storage of use and user data, as a result of which linking is no longer possible or only possible by means of clauses, and measures to work with encrypted data wherever possible. Providers of private means of login are not only checked for this at the time of admission, but also in the interim, as part of the ongoing supervision of the means of login. If these rules are violated, suspension, and ultimately exclusion from service provision, may be applied in appropriate cases, whereby the authorization is withdrawn and the provider must stop providing services. Incidentally, such use of personal data will also constitute a violation of the AVG, for which the corresponding sanction options are also open.
Finally, the members of the GroenLinks Group would like me to provide an appreciation of Germany's choice of digital identity. How does the German structure compare to the Commission's proposal and the Wdo, and what specific differences are there?
The German federal government, like the Cabinet, sees digital (source) identity as a fundamental building block for successful digitization. Germany is therefore committed to developing an infrastructure within which eIDs with attributes can be securely and reliably exchanged and used across borders by both citizens and businesses based on 'self-sovereign Identity' (SSI) technology. Germany and Spain have recently issued a joint statement confirming their cooperation and initiating a cross-border pilot in the field of digital identities.(4) I am following this initiative with interest and am in good consultation with both German and Spanish initiators on knowledge exchange and cooperation.
The government wants all residents and businesses in the Netherlands and in other European countries to be able to conduct as many digital transactions as possible in the public and private domain, including across borders, in a safe, reliable, accessible and user-friendly manner. Currently, the speed of digital innovation means that people are often dependent on large, non-Dutch companies ("Big tech") without alternatives under the direction of governments.
Here we too often see services that are supposedly "free," where people actually "pay" with their (transaction) data. The government wants to address this issue. The Wdo is the intended foundation for regulation and further development of such an eID system, and in the second tranche the government wants to anchor the basis for sharing data in combination with a digital source identity. This will eventually be able to be used in solutions such as a wallet, to which all kinds of attributes can be linked under the supervision of the government and under the direction of the citizens and companies that make their data available themselves.
The members of the PvdA Group ask how exactly the Commission's proposal for a framework for a European digital identity relates to the proposals of the Wdo, the first tranche of which is currently pending in the Senate. Could the envisioned legal enshrinement of privacy by design, the data trading ban and open source in the Wdo remain in place if the Commission's proposal were to take effect?
The Commission proposal, like the current eIDAS regulation, is based on the internal market and aims to improve, through harmonization, the interoperability of eIDs, wallets and attributes contained therein. To ensure that resources from different member states can be used across borders, the requirements for resources in member states should be as similar as possible. Privacy by design is already a design requirement under the AVG and has been adopted as such in the proposal, as well as in the Wdo, within which this will have to be explicitly tested. About the trading ban I informed you in the above. The Commission's proposal does not explicitly address the use of open source, but does not prevent it. If opportune, the Netherlands will aim for a provision such as that included in the novella, with the arguments I exchanged with the House during the discussion of the Wdo.
The members of the PvdA Group ask whether the Commission's proposal allows the Dutch (digital) government to use only decentralized data storage.
The Wdo allows for both centralized and decentralized storage of data. I informed your Chamber about this in previous answers to questions about the Wdo. The Commission's proposal, like the Wdo, does not express a preference for one way or the other. Like the Wdo, the proposal takes an approach to adequate protection of personal data, where the range of measures extends beyond the manner and location of data storage.
The members of the PvdA Group refer to the following passage in the BNC sheet: 'The government aims to introduce a regime of open admission under the Digitale Overheid Act, where market forces are deployed within the frameworks for secure and reliable digital interaction.' The members ask whether the Commission's proposal allows national legislation on digitale overheid (the Wdo) to be designed even without market parties.
The Commission's proposal requires member states to issue at least one wallet. This can be done by the Member State itself, under a mandate from the Member State or independently but recognized by the Member State. Thus, the proposal allows for the issuance of a wallet without market participants and, as such, to shape it in national legislation.
Members ask me to explain in detail what I believe the aforementioned "frameworks for secure and reliable digital interaction" entail and whether they include privacy by design, data trading prohibition, open source, and decentralized storage.
The frameworks for login tools, which the questions regarding privacy by design, the ban on trade in data, open source and decentralized storage in this context relate to, are formed by the eIDAS regulation, which sets the requirements for the reliable issuance and operation of login tools, and by the AVG, which requires that the personal data to be processed be well protected. This certainly includes privacy by design and the prohibition of data trading. These are elaborations of the AVG principles. Open source can contribute to transparency. I have therefore included in the novella to the Wdo that open source will be a weighting factor in the authorization of login resources, so that a responsible effort is made to use open source. Privacy by design is also included as a criterion in the novelle, making it a criterion for the admission of resources. As described above, the ban on trading is also explicitly included in the novella. Decentralized storage can contribute to the protection of personal data, but it is not a stand-alone means of privacy protection. It is a measure that, in conjunction with other measures, can ensure that personal data are protected.
Finally, the members of the Labour Party ask me if I have also communicated this to the Commission.
This is a new bill from the Commission that has not yet been discussed at ministerial level. The Dutch position as described in the BNC document is currently being put forward in the official working groups of the Telecom Council. The agenda for the next Telecom Council has not yet been determined, nor have the ministers to participate in it and the positions to be taken there.
Footnotes
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
(2) This is further explained in the vision letter digital identity: Parliamentary Papers II, 2020/2021, 26643 no. 743.
(3) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on Enisa (the European Union Cybersecurity Agency), and on the certification of information and communication technology cybersecurity and repealing Regulation (EU) No 526/2013 (the Cybersecurity Regulation).
(4) https://www.bundesregierung.de/breg-en/news/digital-identity-ecosystem-1947474
