The Road to the European Digital Identity: Enhancing Digital Identification and Privacy
Digital identification is an essential additional component to the well-established paper variety across industries, whether you’re in finance, telecom, healthcare, transport, retail, education, or the government sector. As the digital world evolves at a rapid pace, digital identification is becoming increasingly important for public and private sectors, as well as consumers.
And that brings along questions of its own. What does the European Digital Identity Wallet mean for the Netherlands and what is the potential added value? How to navigate the ethics involved with Digital Identities? What would a responsible Digital Identity solution look like? And how do the newest digital identity advancements impact our privacy and digital security? Follow these blogs and explore these waters with us.
The European Digital Identity aims to offer residents of European countries an alternative to identification solutions provided by large tech companies. It is a privacy-friendly, secure, and reliable national solution for online identification, accepted by governments and businesses in various sectors across the EU. It is not an all-encompassing database of your online behaviour and location history. Citizens have the choice, and alternatives remain available. It is a national solution, not a European passport or identity.
Why a digital identification solution? And why at the European level?
The European Union (EU) recognises that its citizens frequently use services, apps, and social media from large tech companies, often without realising their role as a ‘product’. They are often unaware that their behavioural data is used for increasingly targeted marketing messages (sometimes bordering on manipulation) and that this compromises their autonomy and privacy.
These threats are usually linked to your digital identity, such as your social media login or account, or how you log in with large tech companies. Such a login can often be used elsewhere (e.g., your Facebook login for other internet services). This allows for more extensive tracking of citizens and poses a greater threat to privacy. This raises significant concerns about the digital society.
In response, the EU has said: we want a reliable alternative for our citizens to log in and decide for themselves which data to share. No more logging in with a large tech company’s solution and no more mandatory data disclosure before proceeding (to use a service).
Learning from previous attempts to improve digital identification
What can we use for this? Well, there is European legislation stating that if you have a secure national (not European!) digital login method in one country (e.g., DigiD in the Netherlands), you can ensure that it is accepted in other EU countries (actually countries in the European Economic Area, EEA). You only need to apply for your DigiD in the Netherlands, and you can use it elsewhere. Three issues emerged:
- A country must go through complex procedures to have its national digital identification tool ‘accepted’ at the European level (called ‘notification’).
- You can only use it for government services (not commercial services, for which you still fall back on … big tech, so you don’t achieve your goal of protecting citizens).
- As a result, there was no market for these identification solutions. It didn’t take off.
This legislation, electronic identification and trust services for electronic transactions in the internal market (eIDAS 1.0), started in 2014 and still applies. However, too few national identification solutions were submitted.
eIDAS 2.0: European Digital Identity, in a Wallet
That’s why there is now eIDAS 2.0 legislation. The EU says: now, we make a reliable alternative possible and learn from our previous attempts. The first thing this legislation does is provide a legal framework so that if a real solution comes, you know for sure that it is legally sound in all EU countries. That’s important because when things go well, it’s not that exciting, but when there is fraud in identification or misuse, you want to know how to address it (legally).
The EU then said: we want to make something safe and free for the citizen, but not at the European level. Countries are sovereign; they are responsible for their citizens (not the European Parliament or the EU). So each country must create or designate a solution by the end of 2024, with which the citizen can identify themselves from 2025 onwards. The EU then says: with current technology, this must be a wallet. All major tech companies are already working on this; it’s a good solution in the current technical landscape, and it enables several things we didn’t have working well before. One example is derived attributes: if I need to prove that I am 18+, I don’t have to show my birthdate, but only an ‘attribute’ that says ‘yes, this person is 18+’. This enhances privacy because you share less data about yourself (data minimisation).
Wallet technology also works in such a way that, if properly set up, it cannot collect information about where you have been, so no profile of your (online) behaviour is built up and you cannot be tracked online. More technically: the wallet also enables ‘zero-knowledge proofs’ and the sharing of ‘verified credentials’. Additionally, it can work both offline and online.
What does this mean for people?
From the wallet, the user (the citizen of an EU country, not the citizen of Europe, as that doesn’t exist) determines when they share which data. So, suppose an insurer asks for your medical history, birthdate, and first and last names. In that case, the citizen gets a pop-up in the wallet asking ‘do you want to share that data?’ (per data element). The citizen can then say: this is not health insurance but home insurance, so I won’t share medical data, but maybe the rest. This is one of the major concerns of privacy experts: how do we help citizens make the right choice, and ensure that they don’t just share all their data when they see a pop-up offering a 5% discount if they share all their data? See, for example, articles in Follow the Money and Nederlands Dagblad, both from February 2023.
What does this mean for businesses?
The EU has included in its eIDAS 2.0 that not only government services should accept this wallet, but every critical and vital industry where strong authentication is required (under local legislation). This currently applies to banks, insurers, and others. The EU also mentions sectors such as transport, energy, education, and others. It’s not that you’ll only be able to log in with a wallet in the future, but rather that these sectors must also allow login with a wallet (and not just your social accounts or other logins). What didn’t happen with eIDAS 1.0 is now enforced here: a market where the citizen can actually do something with their identification: log in and use services. Now, how can you accommodate that with your business in the future? Stay tuned to this blog series and join us in further exploring this domain!