- European Union lawmakers are planning an EU-wide digital identity wallet for access to essential services.
- Many concerns have arisen over the lack of privacy that comes with these new digital ID wallets.
- Much time and consideration remain before this proposed idea is passed.
On March 15, the European Parliament voted 418 to 103 (with 24 abstentions) in favor of negotiating a mandate for talks with the European Union member states about revising the new European Digital Identity (eID) framework and creating the “European Digital Identity Wallet,” also known as EUDI Wallet or EU wallet.
Citizens’ IDs, health cards, certificates, and many other documents could soon be digitally stored in a smartphone application for EU citizens.
According to an official statement from the European Parliament, the system would allow citizens to identify and authenticate themselves online without relying on big commercial providers like Apple, Google, Amazon, or Facebook.
The new eID framework will give EU citizens digital access to critical public services across the EU. Citizens will remain in “full control of their data” and be able to “decide for themselves what information to share and with whom.”
European lawmakers have set an ambitious goal for this new wallet, aiming to bring it to 80% of the population by 2030. This could be achieved by mandating that e-government services, and companies with a legal requirement to identify their customers through Know Your Customer checks, support the wallet. It could require major online platforms like Google or Facebook to offer the EU wallet to log in to their services, with soft law and delegated acts that could require small and medium-sized enterprises to support the wallet.
Negotiations with the European Council on implementation would be the next step, but digital transformation and data protection experts have doubts and differing opinions about implementing the wallet.
Usability is the Key to Adoption
The EU wallet — like the current electronic ID cards in Germany and other European countries — will hardly be adopted by citizens in their daily lives if it doesn’t offer a good use case.
The challenge is to make it easier and more efficient for citizens to interact with public services and administrations, enabling authentication and verification processes, especially in the private sector.
According to Clemens Schleupner, policy officer of digital identity and trust services at Germany’s digital association Bitkom, the possibility of storing electronic IDs on a smartphone to use online as well as digitizing drivers’ licenses, health cards, passports, tickets, school reports, credit cards, membership certificates, etc., and combining them into one wallet could have mass market potential.
The EUDI Wallet could make that happen; however, this will only succeed “if adoption among citizens in Europe is ensured through security and usability, relevance through a high number of possible uses and interoperability of different applications throughout Europe,” Schleupner said.
Lack of usability and public awareness are also significant concerns for Christof Stein, spokesperson for Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).
Stein said that using proven technologies and trusted infrastructures with enforced IT security and data protection standards is crucial for citizens using the EU wallet.
Privacy is King
As the final rules have yet to be settled, it is too early to evaluate the EU wallet at this stage of implementation. For citizens, the legal framework must provide a data-saving solution that only lets organizations ask for user data when needed.
According to Stein, it is critical that users are protected from tracking by wallet providers, and wallet providers must ensure that wallet data processing is in line with legal requirements.
“What is necessary is a central anchor of trust enabling the enforcement of rules for the protection of individuals. For example, the infrastructure must be designed so that all organizations participating in the system must register to ‘identify’ themselves to users.”
The previous proposal from the European Commission lacked essential privacy safeguards, which would have enabled third parties to obtain data about user transactions, possibly allowing bad actors to exploit the system for identity theft or fraud.
Thomas Lohninger, executive director of an Austrian data protection NGO, said:
“It is unlikely that the Parliament will win 100% of the trialogue negotiations. But we hope that the Council and the Commission will realize that the success of the whole system depends on the privacy and trust built in. Only if it is the trusted and chosen tool of citizens for their most sensitive health, identity, and financial data can the European Digital Identity Wallet be a success.”
What about Zero-Knowledge Proofs?
Although ZK-proofs allow personal data to be anonymized, Schleupner sees two challenges. First, ZK-proofs in their current application are “a new technology and vulnerabilities may arise if they are not implemented properly,” and second, “many use cases [of ZK-proofs] have not yet been conclusively evaluated.”
Before trusting the technology, EU regulators must ensure that ZK-proofs comply with privacy regulations and meet all specific requirements of the General Data Protection Regulation.
The trialogue at the EU has much to consider before turning eID into a usable, safe, and reliable tool for Europeans. How regulators balance these considerations could have profound implications for other forms of digital or blockchain-based ID.