Saturday, 13 August 2022

To Use or Not to Use the European Digital Identity Wallet: Data Protection issues in the ongoing legislative debate




Alessandra Fratini and Giorgia Lo Tauro – FratiniVergano, European Lawyers

Photo credit: Martin Firrell, via Wikimedia Commons

Introduction

On 3 June 2021, in the context of the review of the eIDAS Regulation, the Commission proposed to establish a framework for a European Digital Identity, including a ‘European Digital Identity Wallet’ (the EUDI Wallet, or simply Wallet). Considered as the main innovation of the Proposal, the Wallet intends to respond to the growing digitisation of cross-border public and private services and remove barriers for citizens, residents and businesses when using online services across the EU. The evaluation of the eIDAS Regulation, in fact, had revealed a number of shortcomings (e.g., non-coverage of electronic attributes, such as medical certificates or professional qualifications, which makes cross-border legal recognition of such e-credentials difficult; data protection concerns as regards identity solutions offered by social media providers and financial institutions, which fall outside the scope of the Regulation; no possibility to limit the sharing of identity data to what is strictly necessary for the provision of a service), which the proposed EUDI Wallet seeks to address.

The declared aim of the Proposal is to enhance users’ control over their own data. At the outset, the Proposal is set in the context of the 2020 Commission Strategy ‘Shaping Europe’s digital future’, aimed at strengthening trust in the online world by giving consumers greater control and responsibility over their own data, in line with the Digital Europe that “puts people at the centre”. The Commission further acknowledges that giving citizens and residents full confidence that the European Digital Identity framework will offer everyone the means to control who has access to their digital identity, and to which data exactly, requires a high level of security with respect to all aspects of digital identity provisioning, including the issuing of EUDI Wallets. In this respect, the Explanatory Memorandum that accompanies the Proposal notes that the latter ‘supports the implementation of GDPR (2016/679) by putting the user in control over how the personal data is being used. It provides a high level of complementarity with the new Cybersecurity Act and its common cybersecurity certification schemes’. Finally, the proposed “measures are designed to fully comply with the data protection legislation”.

However, the legislative debate on the Proposal has brought up potential data protection issues associated to the use of the EUIDI Wallet. This contribution, after a brief recap of the main features of the Wallet, reviews how those potential issues have been addressed at the current stage of the legislative debate, in particular in the European Parliament.

The main features of the European Digital Identity Wallet

The EUDI Wallet is defined in Article 3.1.42 as a ‘product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals’. It is basically an app, that will enable citizens to digitally identify themselves online and offline, confirm certain personal attributes (age, for example), store and manage identity data and official documents (diplomas, driving licenses, medical prescriptions, …) in electronic format, with the click of a button on their phone.

In the Commission’s intentions, the EUDI Wallet provides simplification and convenience for EU citizens, residents and businesses when dealing with national administrations and other service providers. While some are already using digital wallets for storing certain data, the EUDI Wallet will be available to everyone in the EU and grant users full control over their data, allowing them to choose what they share with third parties (for example, age when buying alcohol, without revealing their identity or other details) and keep track of such sharing. Choice and control over their data will enhance users’ trust in the digital environment, for the sake of the digital single market as a whole. Recital 28 recalls the principle of data minimisation, while recital 29 sets forth selective disclosure as a basic design feature of the Wallet, “thereby reinforcing convenience and personal data protection including minimisation of processing of personal data”.

The proposed new Articles 6a to 6d, under the title ‘Electronic Identification’ (Section I, Chapter II), are dedicated to the Wallet. Under Article 6a, Member States are required to issue a EUDI Wallet under a notified eID scheme to common technical standards following compulsory compliance assessment and voluntary certification within the European cybersecurity certification framework, as established by the Cybersecurity Act. The Wallets 1) are envisaged for ensuring natural and legal persons in the EU a secure, trusted and seamless access to cross-border public and private services; 2) shall be issued by a Member State, under a mandate of a Member State or independently, but recognised by a Member State; and 3) shall enable users to securely request and obtain, store, select, combine and share, in a manner transparent and traceable by them, the necessary legal person identification data and electronic attestation of attributes to authenticate online and offline in order to use online public and private services - and to sign by means of qualified electronic signatures. The certification is without prejudice to the GDPR, in the meaning that personal data processing operations relating to the Wallet can only be certified pursuant to Articles 42 and 43 GDPR.

Article 6a.4 provides that the Wallet shall: (b) ensure that trust service providers cannot receive any information about the use of the attributes; (c) grant a ‘high’ assurance level; (d) provide a mechanism to ensure that the relying party is able to authenticate the user and to receive electronic attestations of attributes; (e) ensure that the person identification data uniquely and persistently represent the natural or legal person associated with it. Article 6a.7 establishes the full control of the user over the Wallet and adds that the issuer shall not collect, nor combine, data not necessary for the provision of the Wallet services. Article 10a further includes provisions to handle security breach of the Wallets.

In addition, the Proposal contains provisions to ensure the unique and persistent identification of natural persons in Article 11a. The Explanatory Memorandum clarifies that this concerns cases where identification is required by law such as in the area of health, in the area of finance to discharge anti-money laundering obligations, or for judicial use. For this purpose, Member States will be required to include a unique and persistent identifier in the minimum set of person identification data referred to in Article 12.4(d).  

The specifications and standards of the Wallet will be developed in parallel with the legislative process- and in alignment with its outcome. In fact, to avoid fragmentation and barriers due to diverging standards, the Commission adopted a Recommendation setting up a structured process of cooperation between Member States, the Commission and, where relevant, private sector operators to develop a Toolbox, which should in turn lead to a technical Architecture and Reference Framework (AFR), a set of common standards and technical specifications and a set of common guidelines and best practices as a basis for implementing the European digital identity framework. According to the schedule for the implementation of the Recommendation, the Toolbox shall be published by the end of October 2022 and updated following the outcome of the legislative process. The eIDAS expert group, tasked as main interlocutor for the purposes of implementing the Recommendation, adopted in February 2022 an Outline providing a summary description of its understanding of the EUDI Wallet concept, including the objectives of the new tool, the roles of the actors of the ecosystem, the Wallet’s functional and non-functional requirements, the potential building blocks.

The use of the EUDI Wallet: potential data protection issues

From a data protection perspective, recital 6 of the Proposal states that the GDPR applies to the processing of personal data in the implementation of the proposed Regulation. It also adds that specific safeguards are needed to prevent potential combinations between personal data relating to services falling within the scope of the Regulation and personal data from other services.

The EDPS, in its Formal Comments on the Proposal of 28 July 2021, was the first to raise some concerns in this respect, noting that ‘[w]hether the specific safeguards are sufficient depends mainly on the technology to be used in implementing the proposal’. It praised the fact that the new Wallet gives users control over their data and appreciated a number of provisions (Article 6a.7 on selective disclosure; Article 6c.2 on the certification for certain requirements of the Wallet). However, in connection with the unique and persistent identifier to be used by Member States (Article 11a), the EDPS highlighted that this provision constitutes an additional category of data stored solely for the purpose of facilitating the usage of the Wallet - and such an ‘interference with the rights and liberties of the data subject is not necessarily trivial’. Recalling that in some Member States (Germany, for example) unique identifiers have been considered unconstitutional due to a violation of human dignity, he recommended exploring alternative means to enhance the security of identity matching.

In other words, the EDPS appears to say that facilitating the use of the Wallet shall be adequately weighted against the risks for the rights and liberties of the data subjects. When identifiers are used, the strictest legal and technical safeguards must be applied, with adequate (regulatory and technological) prevention mechanisms.

Following publication of the Proposal, some have questioned whether the EUDI Wallet actually supports the principle of data minimisation set out in Article 5.1(c) GDPR (personal data shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’). It is true that recital 28 recalls the respect of data minimisation by large online platforms when they accept the Wallet for the purpose of users’ access to private services, that recital 29 presents this principle, in conjunction with that of selective disclosure, as a basic feature of the Wallet, and that Articles 6a.7 and 12b.3 reflect it – which are all improvements of current eIDAS Regulation. However, the very compatibility with the principle is put in question by the minimum set of person identification data, which is part of the interoperability framework, in particular because the Proposal deletes the criteria under Article 12(3)(c) (‘it facilitates the implementation of the principle of privacy by design’) and (d) (‘it ensures that personal data is processed in accordance with Directive 95/46/EC’), and does not replace those with the corresponding references of the GDPR.

The committees of the European Parliament involved in the legislative procedure have all flagged issues for the rights and freedoms of individuals (see ITRE draft report of 31 May 2022 and amendments published on 5 July 2022; IMCO draft opinion of 8 February 2022 and its amendments of 24 May 2022; JURI draft opinion of 29 April 2022; LIBE draft opinion of 19 May 2022 and its amendments of 13 June 2022).

The amendments proposed in the ITRE draft report, as explained by Rapporteur Jerković, are focused on four areas: cybersecurity, with the introduction in Article 6a of the explicit requirement that the EUDI Wallet ensures ‘cybersecurity by design’ (AM. 68, 405 and 407); data protection, with the strengthening of prevention mechanisms and alignment with the GDPR, for example by introducing in Article 6a (AM. 70) and in recital 29 (AM. 21) the ‘privacy by design principle’ as a standard design feature of the EUDI Wallet; governance, with the introduction of a new Chapter IVa (AM. 131) on the tasks and coordination of national authorities; digitalisation of public services, with further support to the cross-border application of the ‘once only principle’ (AM. 7) to reduce administrative burden.

On the interplay with the GDPR, AM. 8 (recital 6) proposes that the new Regulation should ‘complement Regulation (EU) No 2016/679 by laying down specific safeguards’. Accordingly, its specific rules ‘should not be regarded as lex specialis’ to the GDPR. Under AM. 158, in ‘case of conflict Regulation (EU) No 2016/679 takes precedence over this Regulation’. Also, the amendments to Article 12.3(c) (AM. 97) and the new Article 5a (AM. 38) require that processing of personal data shall be in accordance with the GDPR, while AM. 22 adds to recital 29 that ‘[i]n general, insofar as personal data are concerned, the processing of such data should rely upon the grounds for processing provided in Article 5(1)(c) of Regulation (EU) 2016/679’ and the proposed new Article 6a.6a makes it clear that ‘the use of the European Digital Identity Wallets shall be on a voluntary basis’ (AM. 69): in other words, consent is key.

For the rest, the amendments that are relevant from a privacy/data protection perspective can be grouped under four clusters. The first cluster concerns amendments upholding users’ control via the principle of minimisation and selective disclosure, such as those aiming at: reducing to the minimum users’ digital footprint when using the internet via the Wallet (AM. 8, recital 6); embedding transaction history into the design of the EUDI Wallet, active by default, so that users can track all transactions executed through it (AM. 9, new recital 6a); introducing the so-called ‘Zero Knowledge Proof’ (ZKP), which allows verification of a claim without revealing the data that proves it, based on cryptographic algorithms (AM. 10, new recital 6b, AM. 31, new Article 3.1.5a, AM. 160, new recital 6a); adding to the definition of the Wallet the possibility for users to not only store, but also ‘manage’ their identity data credentials and attributes, and to use them for identification and authentication online and offline to access public and private services (AM. 32, Article 3.1.42, AM. 599, new Article 45e.1a); confirming the principle of minimisation, not only as regards the information requested from the user via the EUDI Wallet (AM. 20, recital 28), but also by requiring that relying parties ‘minimise the processing of personal data’ (AM. 57, Article 6a.4d). As explained in LIBE’s statement in connection with its amendment to Article 6a.4a.3 (LIBE AM. 8), the success of the EUDI Wallet will depend on ‘citizens making informed decisions on the information they share with relying parties’.

The second cluster includes amendments focusing on data protection by preserving confidentiality and privacy when using the Wallet, such as those establishing the ‘privacy by design principle’ as a standard feature of the EUDI Wallet: AM. 21 (recital 29) and AM. 70 (Article 6a.7) require it in order to reinforce user control, while the latter introduces also provisions to make it technologically impossible for issuers of the Wallets and of electronic attestation of attributes, as well as for relying parties, to receive any information on the use of the Wallet or its attributes without the users’ consent. This is also in line with amendments to Article 6a.4e tabled by IMCO and LIBE: IMCO proposes that data shared for person identification ‘shall work on the principle of pair-voiced anonymity, and the interactions with a user from one relying party to another relying party shall not be traceable to the same individual and combinable’ (IMCO AM. 89); LIBE requires ‘unlinkability’ and non-traceability (LIBE AM. 10), as does ITRE (AM.383, Article 6a.4d), and the implementation of the EUDI Wallet’s essential functions ‘in a privacy-preserving manner’ (LIBE AM. 3, recital 29). Along the same lines, AM. 38 introduces a new Article 5a on ‘protection of personal data’, to the effect that ‘processing of personal data shall be carried out in accordance with the GDPR and in particular by implementing principle of privacy by design and by default’. Similarly, AM. 158 clarifies that ‘[d]ata protection by design and by default, as well as data minimisation, as foreseen in Regulation (EU) 2016/679, should be leading principles in the set-up’ of the EUDI Wallet. AM 15 (recital 11) takes issue with the use of biometric data, specifying that using biometrics ‘to identify and authenticate should not be a precondition’ for using the Wallet and that those data should not be stored in the cloud. The same amendment requires the user’s explicit consent for storing information from the Wallet in the cloud. Similar amendments are tabled by LIBE (LIBE AM. 2, recital 11). Amendments calling for pseudonymisation and/or anonymisation suitably fit into this cluster: ITRE requires that the EUDI Wallet ensures that ‘the relying party is able to anonymously authenticate the user and to receive electronic attestation of attributes’ (AM. 57, Article 6a.4d) and refers to the right to pseudonymity (AM. 238, AM. 286, AM. 521, AM. 526); JURI proposes that ‘the use of services anonymously or under a pseudonym should be allowed and should not be restricted by Member States’ (JURI AM. 6, recital 28, and AM. 13, Article 5); LIBE specifies that the use of pseudonyms shall always be an option in all cases where full identification is not legally mandated (LIBE AM. 5, Article 5).

The third cluster concerns amendments to the provisions on the disputed unique and persistent identifier. Not only ITRE (AM. 92-94, AM. 202-204, AM. 492, 495-500), but also LIBE (LIBE AM. 12) and IMCO (IMCO AM. 24) delete the Proposal’s references to a such an identifier. LIBE’s justification explains that such an identifier would be illegal or unconstitutional in some Member States, it is not considered the least intrusive method for the purpose of uniquely identifying an individual, and finally Article 11a is not needed as the existing interoperability framework of identification schemes (Article 12.4 (d)) already entails a unique representation of an individual for cross-border cases (LIBE AM. 12). For this purpose, LIBE proposes to also amend Article 12 accordingly (AM. 13).

The fourth cluster of relevant amendments focuses on data security, with provisions mostly related to cybersecurity in the design of the Wallet. The main innovation is the above-mentioned addition of ‘cybersecurity by design’ in Article 6a.6 (AM. 68), which also requires necessary security functionalities ‘to offer resistance to skilled attackers, ensure the confidentiality, integrity and availability of the content’ of the Wallet. Other amendments underline data security, such as AM. 14 (recital 29) requiring common standards and technical specifications ‘to adequately increase the level of IT security, strengthen robustness against cyber-attacks and thus significantly reduce the potential risks of ongoing digitalisation for citizens and businesses’, while AM. 86 replaces the title of Article 10 with “Security breach of electronic identification schemes for cross-border authentication”.

The synthetic overview above shows how the European Parliament committees (ITRE and LIBE in particular) have this far addressed data protection issues associated to the use of the EUDI Wallet. However, the amendments are still to be voted upon and, while the ones reviewed above appear to improve the Proposal from a data protection perspective, others retain some ambiguities or do not fully capture instances that could properly reduce data protection concerns. It is worth recalling, in this respect, LIBE’s warning that the Proposal, as such, is able to lead towards ‘the creation of a like social-credit system that would determine the mass surveillance and control of all Europeans, which must not be accepted. EU was envisioned as an “area of freedom” and efforts must be continued to keep it as such’ (short justification, p. 4 LIBE draft opinion).

Privacy issues in a broader context

In addition to the above, and in a broader perspective, reference shall be made to AM. 40 (Article 6a.2.c), providing for the EUDI Wallet to be issued (instead of ‘independently but recognised by a Member State’) ‘by an organisation established in the Union’. The amendment triggered a discussion at the ITRE meeting of 14 June 2022, fuelling confusion over a feared re-definition of the role of Member States when it comes to the issuance of the Wallets. While the Rapporteur ruled out any intention to redefine the role of Member States in this respect, the issue is not trivial (to echo the EDPS), given that the implied aim of a new harmonised digital identity framework at European level is to strengthen the role of public intervention over that of strong private actors on the Internet, which is in turn linked to the extent of users’ effective control over their data. Defining the limits of State intervention on digital identity is a delicate exercise: a too limited role would expose users’ identity data to the very threats that the Proposal aims to address, while a too large role would entail risks of mass surveillance of citizens’ behaviour, contrary to the very funding values on which the EU is built. Concerns in both directions have been raised in the debate and some emphasised the need to consider digital identity as a tool serving individuals in their relationship with States and society, and not the other way around, noting that, in the current geopolitical context, it shall reflect the digital identity of the EU itself.

Emblematic in this respect, if one of the objectives of the Proposal is to give users effective control over their own data, are the LIBE (LIBE AM. 32, recital 11; LIBE AM. 57, recital 29; LIBE AM. 147, Article 6a.7) and ITRE (AM. 239 and AM. 332) amendments to allow the revocability of data entered in the Wallet:; then followed by some MEPs within ITRE: the prospect of using the Wallet, and enjoying the simplifications it promises to bring, can only convince if users are given actual control over the data in-and-out their Wallet and dangers of - public or private – control are fenced off.

At this stage, it will be the task of the co-legislators to strike the right balance and put individual rights at the centre of the digital transformation in the EU.

6 comments:

  1. It is relevant to consider that the eIDAS Expert Group is reversing the political intention 100% in order to enforce back door data retention.

    Through enforcing a "Unique and persistent identifier" in an architecture designed to be technically impossible to secure, the bureaucrats are enforcing data retention with no possibility of Privacy by Design or GDPR compliance.

    Adding support for zero-knowledge proofs in eIDAS has been a wish for a long time. The way it is done is terrible and will not provide the end user control of data in transactions as intended, but at least it is likely to enable alternate data flows.

    I described how EU Digital Wallet is designed to fail in a webinar arranged by Privacy Engineering in the Netherlands.
    https://www.youtube.com/watch?v=n_npR9AhFKM

    There are several huge problems, but two are categorical failures.

    1) Trying to locate key control in a software wallet means zero chance of success. There are no way to support this with smart enclave support without citizens losing data control.

    2) Tying issuance of credentials to a "Trusted Anchor" or non-pseudonymous linkable digital signature force surveillance at issuers, makes it impossible to secure the wallet and making it impossible to build a trustworty identity at the relying transaction end.

    One solution to both is to upgrade the basic PKI structure to Trustworthy PKI enforcing a control-shift from a softkey wallet controlled by BigTech to a hardware wallet controlled by the Citizen and upgrade the "Trusted Anchor" to a "Trustworthy Anchor" or a non-linkable Qualified Signature locked to purpose

    Such a solution was demonstrated at the recent EDPS Workshop on Digital Identity establishing Trustworthy Anonymity as a GDPR state-of-the-art must-carry requirement to eIDAS eID and applications. At the same time it was demonstrated how such a model can establish Trustworthy Inclusive Interoperability - even to the inherent bad wallet architecture on an interface level so issuers and relying parties can be upgraded through upgrading the client from eIDAS data retention to eIDAS trustworthy (article 24)
    https://edps.europa.eu/system/files/2022-07/03_-_stephan_engberg_-_edps_trustworthy_pki_engberg_20220622_en_0.pdf

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete