Commission says single identifier in eIDAS reform ‘not necessary’


In its proposal for the amending regulation to establish a framework for a European Digital Identity, the Commission proposed a much-debated “unique and persistent electronic identifier” – which it is now backing down from.

The unique, life-long identifier is among the most controversial provisions of the reform of the eIDAS regulation on electronic identification and trust services for electronic transactions in the European Single Market.

In Austria and the Netherlands, it would be illegal for the government to track its citizens by using only one identifier for all its databases or the private sector eID services. In Germany, the constitutional court even found such permanent identifiers for citizens to be unconstitutional, while other countries, such as Belgium, are already using them. 

“It is not necessary to have a single identifier and when identifiers are used, the strictest legal and technical safeguards must be applied,” a Commission spokesperson told EURACTIV.

The most recent amendments from the file’s leading European Parliament Committee on Industry, Research and Energy (ITRE) and the previous report of the rapporteur Romana Jerković can also be understood as attempts to rectify this problem. 

The amendments suggest that unique identifiers should only be used in a cross-border context, while at the national level it should be up to the member states to decide. 

Issues with the single identifier

A single identifier would “enable a level of tracking and profiling of citizens, that is contradicting the goal of the whole reform to put users back in control about their data,” Thomas Lohninger, executive director of the digital rights association epicenter.works, told EURACTIV. 

“The fact that the Commission itself is shying away from its own proposal is only adding proof of how dangerous such a unique, life-long identifier would be,” Lohninger said.  

As a compromise, Lohninger suggests that identifiers only be “unique per service”. In this way, companies would only know if they have interacted with a person before, but they would not be able to correlate user behaviour across sectors or companies.

Possible damage after identity theft would be more limited if different identifiers were assigned, according to Patrick Breyer, Pirate Party MEP (Greens/EFA) and shadow rapporteur of the file’s opinion-giving Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament.

However, this is more complex to implement, and countries already using only one identifier are likely to hold on to their systems. 

Data oversharing

The Commission also clarified that for the vast majority of use cases such as renting a bike, online shopping or social media, identifiers are not necessary. “The proposal is clear on this point: The use of identifiers must only be possible in cases where this is required by law (of the country where the transaction takes place),” the spokesperson stressed.

There are numerous use-cases and attributes, such as vaccination certificates or e-prescription, that do not need identification and shall be managed safely, “following privacy by design”, the spokesperson added.

Further, privacy advocates worry that online platforms would ask for as much data as possible. The Commission clarified that in cases where the wallet is used for authentication of online platforms, only the minimum attributes for the specific service may be requested.

“In addition, a registration system for service providers has been proposed to ensure that service providers only have access to data they are entitled to,” the Commission spokesperson said.

Web authentication

Apart from the controversial points regarding unique identifiers and data sharing, Article 45 on web authentication has also evoked much debate.

Various proposals are on the table on how to address the issue of authenticating web pages.

Internet leaders have expressed concern about the Commission’s proposal, Article 45, which would force web browsers to accept a system of Qualified Web Authentication Certificates from Certificate Authorities (CAs), irrespective of whether they met the browser’s security standards.

Web leaders argue that this would seriously threaten and weaken web security.

So far, browsers first make sure that CAs satisfy their standards, Marshall Erwin, head of trust intelligence specialist at Mozilla, told EURACTIV. However, the idea behind the current proposal is that “this would create a parallel process in which individual states would decide based on an unspecified set of standards”.

Some political parties in Parliament proposed to delete the article altogether. Others proposed amendments through which web browsers could retain the right to suspend a qualified certificate when end-user privacy and security are compromised.

The vote on amendments and the final report in the ITRE committee is scheduled for 26 October, and the final vote is scheduled for the November plenary.

[Edited by Nathalie Weatherald]
