Alessandra Fratini and Giorgia Lo Tauro – FratiniVergano, European Lawyers
Photo credit: Martin Firrell, via
Wikimedia
Commons
Introduction
On 3 June 2021, in the context of
the review of the eIDAS
Regulation, the Commission proposed
to establish a framework for a European Digital Identity, including a ‘European
Digital Identity Wallet’ (the EUDI Wallet, or simply Wallet). Considered as the
main innovation of the Proposal,
the Wallet intends to respond to the growing digitisation of cross-border
public and private services and remove barriers for citizens, residents and
businesses when using online services across the EU. The evaluation
of the eIDAS Regulation, in fact, had revealed a
number of shortcomings (e.g., non-coverage of electronic attributes, such as
medical certificates or professional qualifications, which makes cross-border legal
recognition of such e-credentials difficult; data protection concerns as
regards identity solutions offered by social media providers and financial
institutions, which fall outside the scope of the Regulation; no possibility to
limit the sharing of identity data to what is strictly necessary for the
provision of a service), which the proposed EUDI Wallet seeks to address.
The declared aim of the Proposal
is to enhance users’ control over their own data. At the outset, the Proposal
is set in the context of the 2020 Commission Strategy
‘Shaping Europe’s digital future’, aimed at strengthening trust in the online
world by giving consumers greater control and responsibility over their own
data, in line with the Digital Europe that “puts
people at the centre”. The Commission further acknowledges that giving
citizens and residents full confidence that the European Digital Identity
framework will offer everyone the means to control who has access to their
digital identity, and to which data exactly, requires a high level of security
with respect to all aspects of digital identity provisioning, including the
issuing of EUDI Wallets. In this respect, the Explanatory Memorandum that
accompanies the Proposal notes that the latter ‘supports the implementation of
GDPR (2016/679) by putting the user in control over how the personal data is
being used. It provides a high level of complementarity with the new
Cybersecurity Act and its common cybersecurity certification schemes’. Finally,
the proposed “measures are designed to fully comply with the data protection
legislation”.
However, the legislative debate
on the Proposal has brought up potential data protection issues associated to the
use of the EUIDI Wallet. This contribution, after a brief recap of the main features
of the Wallet, reviews how those potential issues have been addressed at the
current stage of the legislative debate, in particular in the European
Parliament.
The main features of the European Digital Identity Wallet
The EUDI Wallet is defined in Article
3.1.42 as a ‘product and service that allows the user to store identity data,
credentials and attributes linked to her/his identity, to provide them to
relying parties on request and to use them for authentication, online and
offline, for a service in accordance with Article 6a; and to create qualified
electronic signatures and seals’. It is basically an app, that will enable
citizens to digitally identify themselves online and offline, confirm certain
personal attributes (age, for example), store and manage identity data and official
documents (diplomas, driving licenses, medical prescriptions, …) in electronic
format, with the click of a button on their phone.
In the Commission’s intentions,
the EUDI Wallet provides simplification and convenience for EU citizens,
residents and businesses when dealing with national administrations and other service
providers. While some are already using digital wallets for storing certain
data, the EUDI Wallet will be available to everyone in the EU and grant users full
control over their data, allowing them to choose what they share with third
parties (for example,
age when buying alcohol, without revealing their identity or other details) and
keep track of such sharing. Choice and control over their data will enhance
users’ trust in the digital environment, for the sake of the digital single
market as a whole. Recital 28 recalls the principle of data minimisation, while
recital 29 sets forth selective disclosure as a basic design feature of the
Wallet, “thereby reinforcing convenience and personal data protection including
minimisation of processing of personal data”.
The proposed new Articles 6a to
6d, under the title ‘Electronic Identification’ (Section I, Chapter II), are
dedicated to the Wallet. Under Article 6a, Member States are required to issue
a EUDI Wallet under a notified eID scheme to common technical standards
following compulsory compliance assessment and voluntary certification within
the European cybersecurity certification framework, as established by the Cybersecurity
Act. The Wallets 1) are envisaged for ensuring natural and legal persons in
the EU a secure, trusted and seamless access to cross-border public and private
services; 2) shall be issued by a Member State, under a
mandate of a Member State or independently, but recognised by a Member State;
and 3) shall enable users to securely request and obtain, store, select,
combine and share, in a manner transparent and traceable by them, the necessary
legal person identification data and electronic attestation of attributes to
authenticate online and offline in order to use online public and private
services - and to sign by means of qualified electronic signatures. The
certification is without prejudice to the GDPR, in the meaning that personal
data processing operations relating to the Wallet can only be certified
pursuant to Articles 42 and 43 GDPR.
Article 6a.4 provides that the
Wallet shall: (b) ensure that trust service providers cannot receive any
information about the use of the attributes; (c) grant a ‘high’ assurance level;
(d) provide a mechanism to ensure that the relying party is able to
authenticate the user and to receive electronic attestations of attributes; (e)
ensure that the person identification data uniquely and persistently represent
the natural or legal person associated with it. Article 6a.7 establishes the
full control of the user over the Wallet and adds that the issuer shall not
collect, nor combine, data not necessary for the provision of the Wallet
services. Article 10a further includes provisions to handle security breach of
the Wallets.
In addition, the Proposal contains
provisions to ensure the unique and persistent identification of natural
persons in Article 11a. The Explanatory Memorandum clarifies that this concerns
cases where identification is required by law such as in the area of health, in
the area of finance to discharge anti-money laundering obligations, or for
judicial use. For this purpose, Member States will be required to include a
unique and persistent identifier in the minimum set of person identification
data referred to in Article 12.4(d).
The specifications and standards
of the Wallet will be developed in parallel with the legislative process- and in
alignment with its outcome. In fact, to avoid fragmentation and barriers due to
diverging standards, the Commission adopted a Recommendation
setting up a structured process of cooperation between Member States, the
Commission and, where relevant, private sector operators to develop a Toolbox,
which should in turn lead to a technical Architecture and Reference Framework
(AFR), a set of common standards and technical specifications and a set of
common guidelines and best practices as a basis for implementing the European digital
identity framework. According to the schedule for the implementation of the
Recommendation, the Toolbox shall be published by the end of October 2022 and
updated following the outcome of the legislative process. The eIDAS expert
group, tasked as main interlocutor for the purposes of implementing the
Recommendation, adopted in February 2022 an Outline
providing a summary description of its understanding of the EUDI Wallet concept,
including the objectives of the new tool, the roles of the actors of the
ecosystem, the Wallet’s functional and non-functional requirements, the
potential building blocks.
The use of the EUDI Wallet: potential data protection issues
From a data protection
perspective, recital 6 of the Proposal states that the GDPR applies to the
processing of personal data in the implementation of the proposed Regulation.
It also adds that specific safeguards are needed to prevent potential
combinations between personal data relating to services falling within the
scope of the Regulation and personal data from other services.
The EDPS, in its Formal
Comments on the Proposal of 28 July 2021, was the first to raise some
concerns in this respect, noting that ‘[w]hether the specific safeguards are
sufficient depends mainly on the technology to be used in implementing the
proposal’. It praised the fact that the new Wallet gives users control over
their data and appreciated a number of provisions (Article 6a.7 on selective
disclosure; Article 6c.2 on the certification for certain requirements of the
Wallet). However, in connection with the unique and persistent identifier to be
used by Member States (Article 11a), the EDPS highlighted that this provision constitutes
an additional category of data stored solely for the purpose of facilitating
the usage of the Wallet - and such an ‘interference with the rights and
liberties of the data subject is not necessarily trivial’. Recalling that in some
Member States (Germany, for example) unique identifiers have been considered unconstitutional
due to a violation of human dignity, he recommended exploring alternative means
to enhance the security of identity matching.
In other words, the EDPS appears
to say that facilitating the use of the Wallet shall be adequately weighted
against the risks for the rights and liberties of the data subjects. When
identifiers are used, the strictest legal and technical safeguards must be applied,
with adequate (regulatory and technological) prevention mechanisms.
Following publication of the
Proposal, some
have questioned whether the EUDI Wallet actually supports the principle of data
minimisation set out in Article 5.1(c) GDPR (personal data shall be ‘adequate,
relevant and limited to what is necessary in relation to the purposes for which
they are processed’). It is true that recital 28 recalls the respect of data minimisation
by large online platforms when they accept the Wallet for the purpose of users’
access to private services, that recital 29 presents this principle, in
conjunction with that of selective disclosure, as a basic feature of the Wallet,
and that Articles 6a.7 and 12b.3 reflect it – which are all improvements of
current eIDAS Regulation. However, the very compatibility with the principle is
put in question by the minimum set of person identification data, which is part
of the interoperability framework, in particular because the Proposal deletes the
criteria under Article 12(3)(c) (‘it facilitates the implementation of the
principle of privacy by design’) and (d) (‘it ensures that personal data is
processed in accordance with Directive 95/46/EC’), and does not replace those
with the corresponding references of the GDPR.
The committees of the European
Parliament involved in the legislative procedure have all flagged issues for
the rights and freedoms of individuals (see ITRE
draft report of 31 May 2022 and amendments
published on
5 July 2022; IMCO draft
opinion of 8 February 2022 and its amendments
of 24 May 2022; JURI draft
opinion of 29 April 2022; LIBE draft
opinion of 19 May 2022 and its amendments
of 13 June 2022).
The amendments proposed in the ITRE
draft report, as explained
by Rapporteur Jerković, are focused on four areas: cybersecurity, with the
introduction in Article 6a of the explicit requirement that the EUDI Wallet
ensures ‘cybersecurity by design’ (AM. 68, 405 and 407); data protection, with
the strengthening of prevention mechanisms and alignment with the GDPR, for
example by introducing in Article 6a (AM. 70) and in recital 29 (AM. 21) the ‘privacy
by design principle’ as a standard design feature of the EUDI Wallet; governance,
with the introduction of a new Chapter IVa (AM. 131) on the tasks and
coordination of national authorities; digitalisation of public services, with
further support to the cross-border application of the ‘once only principle’ (AM.
7) to reduce administrative burden.
On the interplay with the GDPR, AM.
8 (recital 6) proposes that the new Regulation should ‘complement Regulation
(EU) No 2016/679 by laying down specific safeguards’. Accordingly, its specific
rules ‘should not be regarded as lex specialis’ to the GDPR. Under AM. 158, in
‘case of conflict Regulation (EU) No 2016/679 takes precedence over this
Regulation’. Also, the amendments to Article 12.3(c) (AM. 97) and the new
Article 5a (AM. 38) require that processing of personal data shall be in
accordance with the GDPR, while AM. 22 adds to recital 29 that ‘[i]n general,
insofar as personal data are concerned, the processing of such data should rely
upon the grounds for processing provided in Article 5(1)(c) of Regulation (EU)
2016/679’ and the proposed new Article 6a.6a makes it clear that ‘the use of
the European Digital Identity Wallets shall be on a voluntary basis’ (AM. 69): in
other words, consent is key.
For the rest, the amendments that
are relevant from a privacy/data protection perspective can be grouped under four
clusters. The first cluster concerns amendments upholding users’ control via
the principle of minimisation and selective disclosure, such as those aiming at:
reducing to the minimum users’ digital footprint when using the internet via the
Wallet (AM. 8, recital 6); embedding transaction history into the design of the
EUDI Wallet, active by default, so that users can track all transactions
executed through it (AM. 9, new recital 6a); introducing the so-called ‘Zero
Knowledge Proof’ (ZKP), which allows verification of a claim without revealing
the data that proves it, based on cryptographic algorithms (AM. 10, new recital
6b, AM. 31, new Article 3.1.5a, AM. 160, new recital 6a); adding to the
definition of the Wallet the possibility for users to not only store, but also ‘manage’
their identity data credentials and attributes, and to use them for
identification and authentication online and offline to access public and
private services (AM. 32, Article 3.1.42, AM. 599, new Article 45e.1a); confirming
the principle of minimisation, not only as regards the information requested
from the user via the EUDI Wallet (AM. 20, recital 28), but also by requiring that
relying parties ‘minimise the processing of personal data’ (AM. 57, Article 6a.4d).
As explained in LIBE’s statement in connection with its amendment to Article 6a.4a.3
(LIBE AM. 8), the success of the EUDI Wallet will depend on ‘citizens making
informed decisions on the information they share with relying parties’.
The second cluster includes
amendments focusing on data protection by preserving confidentiality and
privacy when using the Wallet, such as those establishing the ‘privacy by
design principle’ as a standard feature of the EUDI Wallet: AM. 21 (recital 29)
and AM. 70 (Article 6a.7) require it in order to reinforce user control, while
the latter introduces also provisions to make it technologically impossible for
issuers of the Wallets and of electronic attestation of attributes, as well as for
relying parties, to receive any information on the use of the Wallet or its
attributes without the users’ consent. This is also in line with amendments to
Article 6a.4e tabled by IMCO and LIBE: IMCO proposes that data shared for
person identification ‘shall work on the principle of pair-voiced anonymity,
and the interactions with a user from one relying party to another relying
party shall not be traceable to the same individual and combinable’ (IMCO AM.
89); LIBE requires ‘unlinkability’ and non-traceability (LIBE AM. 10), as does ITRE
(AM.383, Article 6a.4d), and the implementation of the EUDI Wallet’s essential
functions ‘in a privacy-preserving manner’ (LIBE AM. 3, recital 29). Along the
same lines, AM. 38 introduces a new Article 5a on ‘protection of personal
data’, to the effect that ‘processing of personal data shall be carried out in
accordance with the GDPR and in particular by implementing principle of privacy
by design and by default’. Similarly, AM. 158 clarifies that ‘[d]ata protection
by design and by default, as well as data minimisation, as foreseen in
Regulation (EU) 2016/679, should be leading principles in the set-up’ of the
EUDI Wallet. AM 15 (recital 11) takes issue with the use of biometric data,
specifying that using biometrics ‘to identify and authenticate should not be a
precondition’ for using the Wallet and that those data should not be stored in
the cloud. The same amendment requires the user’s explicit consent for storing
information from the Wallet in the cloud. Similar amendments are tabled by LIBE
(LIBE AM. 2, recital 11). Amendments calling for pseudonymisation and/or
anonymisation suitably fit into this cluster: ITRE requires that the EUDI
Wallet ensures that ‘the relying party is able to anonymously authenticate the
user and to receive electronic attestation of attributes’ (AM. 57, Article 6a.4d)
and refers to the right to pseudonymity (AM. 238, AM. 286, AM. 521, AM. 526); JURI
proposes that ‘the use of services anonymously or under a pseudonym should be
allowed and should not be restricted by Member States’ (JURI AM. 6, recital 28,
and AM. 13, Article 5); LIBE specifies that the use of pseudonyms shall always
be an option in all cases where full identification is not legally mandated
(LIBE AM. 5, Article 5).
The third cluster concerns amendments
to the provisions on the disputed unique and persistent identifier. Not only
ITRE (AM. 92-94, AM. 202-204, AM. 492, 495-500), but also LIBE (LIBE AM. 12)
and IMCO (IMCO AM. 24) delete the Proposal’s references to a such an
identifier. LIBE’s justification explains that such an identifier would be
illegal or unconstitutional in some Member States, it is not considered the least
intrusive method for the purpose of uniquely identifying an individual, and
finally Article 11a is not needed as the existing interoperability framework of
identification schemes (Article 12.4 (d)) already entails a unique
representation of an individual for cross-border cases (LIBE AM. 12). For this
purpose, LIBE proposes to also amend Article 12 accordingly (AM. 13).
The fourth cluster of relevant
amendments focuses on data security, with provisions mostly related to
cybersecurity in the design of the Wallet. The main innovation is the above-mentioned
addition of ‘cybersecurity by design’ in Article 6a.6 (AM. 68), which also
requires necessary security functionalities ‘to offer resistance to skilled
attackers, ensure the confidentiality, integrity and availability of the
content’ of the Wallet. Other amendments underline data security, such as AM. 14
(recital 29) requiring common standards and technical specifications ‘to
adequately increase the level of IT security, strengthen robustness against
cyber-attacks and thus significantly reduce the potential risks of ongoing
digitalisation for citizens and businesses’, while AM. 86 replaces the title of
Article 10 with “Security breach of electronic identification schemes for
cross-border authentication”.
The synthetic overview above shows
how the European Parliament committees (ITRE and LIBE in particular) have this
far addressed data protection issues associated to the use of the EUDI Wallet.
However, the amendments are still to be voted upon and, while the ones reviewed
above appear to improve the Proposal from a data protection perspective, others
retain some ambiguities or do not fully capture instances that could properly reduce
data protection concerns. It is worth recalling, in this respect, LIBE’s
warning that the Proposal, as such, is able to lead towards ‘the creation of a
like social-credit system that would determine the mass surveillance and
control of all Europeans, which must not be accepted. EU was envisioned as an
“area of freedom” and efforts must be continued to keep it as such’ (short
justification, p. 4 LIBE draft opinion).
Privacy issues in a broader context
In addition to the above, and in
a broader perspective, reference shall be made to AM. 40 (Article 6a.2.c), providing
for the EUDI Wallet to be issued (instead of ‘independently but recognised by a
Member State’) ‘by an organisation established in the Union’. The amendment
triggered a discussion at the ITRE meeting of 14 June 2022, fuelling confusion
over a feared re-definition of the role of Member States when it comes to the issuance
of the Wallets. While the Rapporteur ruled out any intention to redefine the
role of Member States in this respect, the issue is not trivial (to echo the
EDPS), given that the implied aim of a new harmonised digital identity
framework at European level is to strengthen
the role of public intervention over that of strong private actors on the
Internet, which is in turn linked to the extent of users’ effective control
over their data. Defining the limits of State intervention on digital identity
is a delicate exercise: a too limited role would expose users’ identity data to
the very threats that the Proposal aims to address, while a too large role would
entail risks of mass surveillance of citizens’ behaviour, contrary to the very
funding values on which the EU is built. Concerns in both directions have been
raised in the debate and some emphasised the need to consider digital identity
as a tool serving individuals in their relationship with States and society,
and not the other way around, noting that, in the current geopolitical context,
it shall reflect the digital identity of the EU itself.
Emblematic in this respect, if one
of the objectives of the Proposal is to give users effective control over their
own data, are the LIBE (LIBE AM. 32, recital 11; LIBE AM. 57, recital 29; LIBE
AM. 147, Article 6a.7) and ITRE (AM. 239 and AM. 332) amendments to allow the
revocability of data entered in the Wallet:; then followed by some MEPs within
ITRE: the prospect of using the Wallet, and enjoying the simplifications it promises
to bring, can only convince if users are given actual control over the data in-and-out
their Wallet and dangers of - public or private – control are fenced off.
At this stage, it will be the
task of the co-legislators to strike the right balance and put individual rights
at the centre of the digital transformation in the EU.
It is relevant to consider that the eIDAS Expert Group is reversing the political intention 100% in order to enforce back door data retention.
ReplyDeleteThrough enforcing a "Unique and persistent identifier" in an architecture designed to be technically impossible to secure, the bureaucrats are enforcing data retention with no possibility of Privacy by Design or GDPR compliance.
Adding support for zero-knowledge proofs in eIDAS has been a wish for a long time. The way it is done is terrible and will not provide the end user control of data in transactions as intended, but at least it is likely to enable alternate data flows.
I described how EU Digital Wallet is designed to fail in a webinar arranged by Privacy Engineering in the Netherlands.
https://www.youtube.com/watch?v=n_npR9AhFKM
There are several huge problems, but two are categorical failures.
1) Trying to locate key control in a software wallet means zero chance of success. There are no way to support this with smart enclave support without citizens losing data control.
2) Tying issuance of credentials to a "Trusted Anchor" or non-pseudonymous linkable digital signature force surveillance at issuers, makes it impossible to secure the wallet and making it impossible to build a trustworty identity at the relying transaction end.
One solution to both is to upgrade the basic PKI structure to Trustworthy PKI enforcing a control-shift from a softkey wallet controlled by BigTech to a hardware wallet controlled by the Citizen and upgrade the "Trusted Anchor" to a "Trustworthy Anchor" or a non-linkable Qualified Signature locked to purpose
Such a solution was demonstrated at the recent EDPS Workshop on Digital Identity establishing Trustworthy Anonymity as a GDPR state-of-the-art must-carry requirement to eIDAS eID and applications. At the same time it was demonstrated how such a model can establish Trustworthy Inclusive Interoperability - even to the inherent bad wallet architecture on an interface level so issuers and relying parties can be upgraded through upgrading the client from eIDAS data retention to eIDAS trustworthy (article 24)
https://edps.europa.eu/system/files/2022-07/03_-_stephan_engberg_-_edps_trustworthy_pki_engberg_20220622_en_0.pdf
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete