With the introduction of a European digital identity, every EU citizen will be able to identify themselves online and offline and choose what personal data they share. Ursula von der Leyen, president of the European Commission, says this means is being introduced because we have no idea what in reality happens to our data every time an app or website asks us to create a new digital identity or easily log in through a major platform.
In this article, I first explain what the EU eID wallet, hereafter referred to as eID, entails. Then, based on the identified advantages and disadvantages, I explore whether the eID can be expected to be as widely used as stated by the European Commission.
There is now a political agreement between the European Parliament and the European Council regarding the proposal (1). The text of this compromise proposal is not yet available. The present article is based on the Commission's proposal and the Council's previously published position, prior to the agreement.
In a legal sense, this is a revision of the eIDAS Regulation (2). This is the regulation under which the Dutch electronic identifiers Digid and eHerkenning are designated as means that are also accepted in other EU member states. The revision of the eIDAS regulation was proposed by the Commission in 2021 at the request of the European Council (3). The Commission considers revision necessary because:
only a limited number of electronic identifiers have been designated as eIDAS authenticators,
only limited eIDAS authentication capability is offered in member states,
eIDAS authentication is limited to public services, and
eIDAS does not allow the exchange of "attributes" (data from or about the data subject), such as medical data and professional qualifications.
Anyone who can obtain a national ID is also entitled to an eID, but users should not be required to use the eID. An eID is issued under a national scheme. With the eID, a citizen can easily and securely identify himself online and offline and decide what information - present in his wallet - he shares when using online services of government organization and private parties. The attributes in the wallet include at least address, age, gender, marital status, family composition, nationality, educational qualifications, professional qualifications, licenses, and financial and business data (Annex VI to (6)). Attestation of attributes issued by public agencies must bear an electronic signature and meet further requirements (Annex VII to (6)). The eID also allows a citizen to create and use digital signatures. To keep these services secure, the system must meet reliability level "high" (as referred to in Art. 52(7) of the Cybersecurity Regulation).
Here, the AVG is fully applicable. As a result, for example, providers of "attributes" included in the wallet are not allowed to receive data on the use and provisioning of those attributes (4).
In short (and in doing so I am seriously shortchanging the technology), the eID offers the possibilities of Digid combined with the use of, for example, a Google, Facebook or Apple account to log in to another service (such as Spotify) and provide data to it from the Google, Facebook or Apple account. On top of that, it may be data that a source holder, such as DUO for education data, has authenticated. The eID includes security measures such that data can be exchanged reliably and the reliability of the data stored in the eID is high.
The following advantages and disadvantages are described in various parliamentary documents, communications from the European Commission and other documents (briefly reproduced here):
you can use your digital identity with public administrations of all member states and with private parties, making the use of another digital identity such as from a major Internet platform unnecessary (provided the eID is accepted by the other party, as there is no obligation to do so for the time being),
digital identity is part of the digital foundation that enables digital government services, a digital society and a digital economy (5),
control over the identity data you share, allowing data minimization, (recitals 28 and 29 of (6)),
personal data of citizens should not be a commodity of providers of digital identity tools, and for this purpose safeguards are put in place that include that usage and user data should not be used for purposes other than the secure issuance of login tools and logging in with them (Article 6a(7) of (6)),
issue, use for authentication and withdrawal of wallets must be free of charge for natural persons, (Article 6a(6a) of (6)),
for some of the citizens, the eID will be too complex to deal with,
despite citizens deciding for themselves what data they share and with whom, the reliability and efficiency of the eID may make service providers increasingly inclined to ask for too much data (overloading),
by a widely available eID, (online) service providers may ask for identification in more and more situations or identification of too high a confidence level, even when it would support the citizen to express his opinion freely under a pseudonym (overidentification),
there is as yet no way to force private service providers to offer alternatives to using the eID, which may lead to citizens being effectively forced to use an eID (forced use), and
the eID can be used to monitor every aspect of citizens' lives, and people who do not meet a certain profile could be excluded from certain services or have to pay more, for example; when everyone has an eID, it becomes easier to ask people to show a certain proof (exclusion by selection and profiling).
Will eID change the way we log in to government services and private parties? And our way of receiving and transmitting authenticated data? That I can use (the then-developed) Digid - which will then also be an eID - to log in to government services, I assume. With the same ease, those with activities across national borders can use government services of another member state. The exchange of data required for those services also seems to me to be a welcome addition. For example, I can imagine that educational results issued by DUO that can be transmitted with eID when enrolling at a university in Italy could greatly simplify the process.
However, the aforementioned risks of the system increase with its use. If the eID is going to be widely used, the risks of overcharging, overidentification, forced use and exclusion through selection and profiling also increase - without further measures. On the one hand, the European Commission considers revision of the eIDAS regulation necessary to allow the use of the eID to increase significantly. This will give us more control over the digital identities we create on platforms and more control over the data provided when we are asked to log in via another platform. On the other hand, when widely used, the eID actually entails risks, against which only limited measures are currently included in the revised regulation.
Whether, when logging into Spotify, I will carelessly click OK to do so with my eID? I will not - with the current state of the revised regulation - be inclined to use the eID outside the sphere of public services. And let that be precisely what the European Commission does have in mind to increase the use of the eID. Only the future will tell which movement will take off. In any case, the subject is still very much in flux. Much will depend on the yet-to-be-published text following the recent agreement between the Council and the Parliament and the yet-to-be-expected 28 implementing regulations that will contain in more detail the measures for the protection of personal data.
https://www.consilium.europa.eu/nl/press/press-releases/2023/06/29/council-and-parliament-strike-a-deal-on-a-european-digital-identity-eid/
Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 on a European Digital Identity Framework (https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:52021PC0281).
Formal comments of the EDPS on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (https://edps.europa.eu/system/files/2021-07/21-07-28_formal_comments_2021-0598_d-1609_european_digital_identity_en.pdf).
Annex 1 to the letter of parliament from State Secretary of the Interior and Kingdom Relations dated August 17, 2022.
General approach of the Council of the European Union on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 on a European Digital Identity Framework.
