European Digital Identity: Things are going to get ‘Real’ very quickly
Norbert Sagstetter, head of the Unit for eGovernment and Trust under the European Commission’s Directorate General, provided an overview and update for his unit’s work in proposing and implementing a “European Digital Identity Framework” in a talk at DigiT Baltic 2022 in September.
His talk, titled European Digital Identity: Setting out the Objectives and State of Play in the Establishment of the European Digital Identity, made clear just that: The objectives of his unit’s work on digital identity, and the current timeline for getting a proposal into place for digital identity wallet offerings across the European Union. Digital identity, Sagstetter said, is the linchpin of the “digital environment of the future.”
Overview: The Current Proposal
At its core, the proposal being discussed is a requirement for member states of the EU to offer a digital identity wallet to every citizen who wants one. The idea is to create a level playing field by giving all EU citizens access to an identity wallet, and by ensuring the highest level of security, trust, and convenience. It is hoped that, by doing so, EU citizens will have easy access to a number of public services and perhaps private ones as well. Use cases have already been identified and tested for mobile driver’s licenses, healthcare information, tax filing and payment, education and more.
Sagstetter is quick to point out that citizens themselves will not be required to use such a wallet; the proposal merely states that any citizen wanting one should be able to obtain one.
The proposal also makes clear that member nations will not be forced into adopting any one solution, public or private. Rather, each nation has the right to determine which solution they will offer—as long as the solution meets the technical and legal requirements set out by the proposal.
So What is Actually Being Required and What is Being Offered?
To put it another way: Individual nations can decide what form their own digital wallets will take. They can pursue a private option, or create a national identity wallet if they like. The proposal simply requires member nations to provide a digital identity wallet that meets certain specifications.
What are those specifications? Well, they’re still being developed. Part of the timeline the unit has set forward includes time for member nations to review the proposal and provide feedback, as well as to pilot possible solutions. This means that the specifications are still fluid.
That said, there are some specifications which are already clear (and, for that matter, not up for debate):
- GDPR Compliance. The EU’s GDPR (General Data Protection Regulation) is one of the most stringent laws to date when it comes to data privacy and data security. One of the goals of the unit is to ensure that personal data will be strictly protected, no matter which digital identity wallets its member states ultimately adopt.
- Strict User Control. Wallets must leave the decision to share certain bits of data—or no data at all—in the hands of the wallet’s user. The user decides both what to share and with whom to share it. More importantly, deciding not to share certain data or engage with certain service providers cannot affect the option to use the wallet or its performance.
Compliance with eIDAS Regulation. The eIDAS Regulation (electronic identification and trust services) lays out guidelines for people and businesses to use their own national electronic identification schemes (eIDs) to access public services, both within and across borders. The idea here is that eIDs should have the same legal status as equivalent paper-based forms of identification throughout the EU.
Timeline: What Happens Next?
The EU Parliament has asked for the proposal to be made available by the end of November 2022, with member states converging on a common agreement by the end of 2022. If this timeline works out, member nations could see the proposal entered into force in the first half of 2023, though we at Liminal think there’s a low chance of that happening.
This said, the assumption being made by the unit and by the European Parliament is that the proposal will be a living document, fleshed out in future iterations and subject to change as laws and technologies are refined. The reason for haste in getting the proposal out into the open is to allow private industries and digital identity experts to provide their feedback.
Several large-scale pilots are also being discussed, with the unit already having received a number of proposals. The goal was to have these proposals evaluated by the end of October 2022 so that the chosen pilots can move forward, but there’s been no public update on this. The purpose of these large-scale pilots is simply to test the emerging technological concept “in real life,” with the hope that these experiments go beyond the well-trodden use cases mentioned above (for MDLs, healthcare, education, etc.).
Even with this impending timeline, there are still a number of questions that need to be answered. What exact role will private industry play? How will technical specifications be verified and enforced? How realistic is it to demand a similar user experience and performance across borders? How will different countries handle security challenges, like identity theft? The hope seems to be that these questions will have straightforward answers, or at least enough of consensus to be practically viable.