By Luca Bertuzzi | Euractiv.com Est. 5min 06-12-2022 (updated: 07-12-2022 ) The European Commission aims to have 80% of EU citizens using the European digital identity system by 2030. [Arnont.tp/Shutterstock] Euractiv is part of the Trust Project >>> Languages: FrançaisPrint Email Facebook X LinkedIn WhatsApp Telegram The EU Council formalised its position on the European digital identity at the Telecom Council meeting on Tuesday (6 December). The European digital identity is intended to create a public version of digital wallets in each member state that can be used to identify, authenticate or verify certain aspects such as age in any other EU country. These wallets will take the form of apps for smartphones. In the digital sphere, the EU’s ambition is to compete with the identification systems currently offered by Big Tech companies like Amazon, Google and Facebook. “We are looking at a massive advancement in how people use their identity and credentials in everyday contact with both public and private entities, and in how they use digital services,” said Ivan Bartos, Czech Deputy Prime minister for digitalisation. Czech Presidency pushes forward on digital identity following political discussions The Czech Presidency of the EU Council presented a new compromise last week based on a debate at the ambassadors’ level on addressing the most sensitive questions blocking the European digital identity. Record matching The initial proposal to ensure that national e-wallets speak to each other was to have a unique identifier, a single number associated with an individual. However, this feature could have significant privacy implications as it can track the person and poses a constitutional problem for Germany. A more privacy-friendly solution was found in record matching, a feature that national governments will have to provide that consists of considering different pieces of information such as date of birth and home address from official documents. Within this arrangement, the unique identifier was maintained, although wording has been introduced mandating EU countries to protect personal data and prevent user profiling. Critics warned that this might create a weak spot for criminal abuses, especially in cross-border cases. Users could request member states to delete and replace their unique identifiers in a last-minute addition. Assurance level A much-debated question surrounded the level of assurance of the digital wallet, which will be fundamental for preventing identity theft. The controversy was spurred by the fact that existing national e-wallets like the French one are incompatible with stricter security requirements. As there was an overwhelming majority for a high-security level, a compromise was found in allowing specific onboarding procedures for users of national wallets with a lower assurance level. Commission says single identifier in eIDAS reform ‘not necessary’ In its proposal for the amending regulation to establish a framework for a European Digital Identity, the Commission proposed a much-debated “unique and persistent electronic identifier”, from which it is now shying away. Relying parties Another critical aspect was whether the so-called relying parties, the organisations or individuals that use digital identity, have to communicate that to the member states about their usage. The text gives national authorities discretion on whether the notification is made mandatory. The Czech presidency’s approach consisted of minimising the required information and making the notification process automated or via simple self-reporting procedures cost-effective and risk-based. At the same time, the compromise includes the possibility of having a specific regime based on sectorial requirements, notably, if the data handled is particularly sensitive such as health data. Certification The regulation mandates ENISA, the EU’s cybersecurity agency, to issue a certification scheme under the EU’s Cybersecurity Act specifically for the e-wallet. Until then, the Cybersecurity Act’s common criteria will apply. The member states will designate public and private bodies to certify the wallet, and the national cybersecurity authorities will be able to cross-check each other’s wallets via a peer-review mechanism. Cryptographic storage A fundamental aspect of the security of e-wallets is that the official documents are encrypted and stored securely using technologies such as Secure Element, a chip designed to prevent unauthorised access to sensitive data. However, as this technology is still not common enough in smartphones, a transitional measure has been included to store the encrypted data outside the mobile phone, for instance, via an external token, until certified secure storage is widely spread in the market offer. Czech EU presidency seeks way out of deadlock on European digital identity The Czech presidency of the EU Council circulated last week a new compromise text on the European Digital Identity (eIDs) proposal, a file that has so far seen limited progress due to its technical complexity. Interoperability Under the recently adopted Digital Markets Act, the tech companies so entrenched in specific markets to be designated gatekeepers will have to ensure access to hardware and software features to ensure they are compatible with rival products or services. The general approach makes this interlink with the digital wallet explicit, requiring gatekeepers to ensure free of charge and effective interoperability for its operating systems, devices and services at the same level as their own products and services. Electronic attestation Any institution issuing attributes such as diplomas and birth certificates will be empowered to become a qualified provider. These documents would have the same legal value in electronic format as if they were on paper. Private entities might also act as qualified providers on behalf of public authorities under certain conditions. Timeline Before the two-year deadline kicks in for the implementation of the wallet, the Commission will have to adopt implementing acts on the technical and operational specifications and cybersecurity requirements to be followed within six months from the entering into force of the regulation. [Edited by Nathalie Weatherald] Read more with Euractiv EU countries adopt a common position on Artificial Intelligence rulebookEU ministers green-lighted a general approach to the AI Act at the Telecom Council meeting on Tuesday (6 December). EURACTIV provides an overview of the main changes.
