An EU MP, Rob Roos, has publicly cast doubt over Europe’s stance on digital identity as regulation changes to eIDAS were approved last week. In an interview for Sky News Australia, Roos said digital identity is an ‘instrument nobody asked for’ which has been pushed down from the top parliamentary authority.
With new digital ID wallet pilots just announced in Estonia and Luxembourg, digital identities have become a crucial part of delivering government mandates for digitalisation, social inclusion, economic stability and promoting innovation. The amendments to Regulation No 910/2014 have been promoted as a way to ‘harmonise conditions’ around decentralised data ownership for citizens in the EU’s proposed digital identity framework, but since it was legislated in 2014, there has been no doubt about eIDAS’ role in governing the widespread use of digital identities.
Critics of eIDAS put forward an adjoining argument concerned with privacy, as well as with delivering social inclusion for citizens who will have more access to public and private services. One challenge to, and perspective on, eIDAS is that the EU has been pushing for a cross-border digital identity which is accepted by international organisations and financial institutions. Those who reject eIDAS believe this comes at a cost: it enables governments more than citizens, through the capture of more data used to monitor how people interact with government and private services.
The definite move towards digital raises potential concerns for citizens’ privacy when they can bypass verification via a commercial provider and use their own wallet to store their digital credentials. The disconnect from verified physical identity appears even greater and opens up an increased risk of identity-related fraud and cyber crime.
The digital identity is sold as a solution for ‘convenience’, enabling people by 2023 to access key services online, access electronic medical records and hold an eID.
“When governments have access to infrastructure, they will use it. Always”
Whilst setting out milestones that digital identity will help achieve, the communication around eIDAS, built upon the 2020 strategy for Europe’s digital future, has not addressed problems such as how companies, by requesting digital identities, will often access more personal data than they require for verification. Moreover, citizens’ personal data is not safe. The eIDAS framework proposes to ‘govern’ the 19 national eID systems currently implemented by 14 member states, which all follow “varying standards” and “focus on a relatively small segment of the electronic identification needs of citizens and businesses”.
Moreover, there is currently no requirement for all EU Member States to develop a national eID which is interoperable and open with eIDs developed by other member states where partnership would be necessary. More broadly, EU regulatory bodies have not converged on standards and certifications that ensure the compliance of all technical solutions in the market for digital identity verification. For example, while in the UK the Digital Identity Trust Framework makes recommendations on the trust assurance qualities of any digital solution, there is currently no enacted requirement enforced by the Home Office for certification of third-party digital verification solutions.
The “Updating the European digital identity framework” briefing report, produced by the European Commission, includes the views of an expert group on eID and know-your-customer (KYC) processes that recognised that “national regulatory bodies across the EU have different standards regarding the compliance of technical solutions for digital identity verification”.
“Meanwhile, identification and authentication means developed by the private sector outside the eIDAS framework can only go so far in responding to the challenge. User friendly third-party authentication services (for instance, using a Facebook or Google account to log in to different services) are common for accessing unregulated private online services that do not require a high level of security, but they cannot offer the same level of legal certainty, data protection and privacy, mainly because they are self-asserted and do not provide a link to trusted and secure government eIDs”.