Alessandra Fratini and Giorgia Lo Tauro – FratiniVergano, European Lawyers
Introduction
In June 2021, during the review of the eIDAS Regulation, the European Commission put forth a proposal to create a European Digital Identity framework. This framework would include a “European Digital Identity Wallet,” or EUDI Wallet. Seen as a major element of this proposal, the Wallet aims to address the increasing use of digital services across borders, both public and private. The goal is to eliminate obstacles citizens, residents, and businesses face when using these online services within the EU.
An evaluation of the existing eIDAS Regulation had highlighted several issues. These included the regulation not covering electronic versions of documents like medical certificates or professional qualifications, creating difficulty with cross-border recognition. There were also concerns regarding data protection in identity solutions provided by entities like social media companies and financial institutions, which were not within the scope of the existing regulation. Additionally, there was no way to limit the sharing of identity data to only what was absolutely necessary for a service. The proposed EUDI Wallet aims to tackle these issues.
A stated goal of the proposal is to give users more control over their personal data. The proposal itself aligns with the European Commission’s 2020 strategy “Shaping Europe’s digital future,” which seeks to cultivate trust in the online world by empowering users with more control over and responsibility for their data. This is in harmony with the concept of a Digital Europe that emphasizes a user-centric approach. The Commission acknowledges that ensuring user trust in the European Digital Identity framework requires robust security measures across all aspects of digital identity, especially the issuance of EUDI Wallets. This framework empowers users to manage who can access their digital identity and what data they can access. The Explanatory Memorandum accompanying the proposal highlights its role in supporting the implementation of the General Data Protection Regulation (GDPR) by giving users control over their personal data usage. Additionally, it complements the Cybersecurity Act and its cybersecurity certification schemes. All proposed measures are designed to fully comply with data protection laws.
However, legislative discussions around the proposal have raised potential data protection concerns related to using the EUDI Wallet. This piece will first summarize the Wallet’s main features and then examine how these potential issues have been addressed in ongoing legislative discussions, particularly within the European Parliament.
The main features of the European Digital Identity Wallet
Defined in Article 3.1.42, the EUDI Wallet is “a product and service that enables the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals.” Essentially an app, it will allow EU citizens to prove their identity digitally, both online and offline, confirm personal details like age, and store and manage identity documents such as diplomas, driver’s licenses, and medical prescriptions in electronic format—all with a simple click on their phones.
The European Commission envisions the EUDI Wallet simplifying interactions with national administrations and service providers for EU citizens, residents, and businesses. While some already use digital wallets to store data, the EUDI Wallet will be universally available in the EU. It will grant users control over their data, allowing them to decide what to share, for instance, proving their age for an alcohol purchase without revealing additional personal information, and to monitor how their data is shared. This control over their data is meant to increase user trust in the digital environment, ultimately benefiting the entire digital single market. Recital 28 emphasizes the data minimization principle, while Recital 29 positions selective disclosure as a core design element of the Wallet, thereby promoting both user convenience and the protection of personal data.
Dedicated to the Wallet, the proposed new Articles 6a to 6d fall under the title “Electronic Identification” (Section I, Chapter II). Article 6a mandates Member States to issue an EUDI Wallet under a notified eID scheme adhering to common technical standards. This includes mandatory compliance assessments and voluntary certification within the European cybersecurity framework established by the Cybersecurity Act. These wallets are designed to provide individuals and legal entities within the EU secure, reliable, and seamless access to public and private services across borders. They will be issued either directly by a Member State or independently but with recognition from a Member State. These wallets empower users to securely request, obtain, store, choose, combine, and share necessary identification data and electronic proof of attributes in a way that is transparent and traceable to them. This enables online and offline authentication for public and private online services, and the use of qualified electronic signatures. Importantly, the certification does not supersede the GDPR. Personal data processing related to the Wallet can only be certified in accordance with GDPR Articles 42 and 43.
Article 6a.4 stipulates that the Wallet must prevent trust service providers from accessing information about the use of attributes. It must also provide a high level of assurance, a mechanism for relying parties to authenticate the user and receive electronic proof of attributes, and ensure that the identification data uniquely and permanently represent the associated person or legal entity. Article 6a.7 establishes the user’s full control over the Wallet, prohibiting the issuer from collecting or combining data unnecessary for providing Wallet services. Article 10a outlines provisions for managing security breaches involving the Wallets.
The proposal includes provisions in Article 11a to ensure the unique and permanent identification of individuals in specific cases. The Explanatory Memorandum clarifies that this applies when identification is legally required, such as in healthcare, finance (for anti-money laundering purposes), or legal proceedings. To achieve this, Member States must incorporate a unique and permanent identifier within the minimum set of personal identification data outlined in Article 12.4(d).
The specifications and standards for the Wallet will be developed concurrently with the legislative process, aligning with its outcome. To prevent inconsistencies and barriers caused by differing standards, the Commission issued a recommendation for a structured collaboration process. This process will include Member States, the Commission, and relevant private sector stakeholders to develop a “Toolbox” that will guide the creation of a technical Architecture and Reference Framework (ARF). This ARF will comprise common standards, technical specifications, guidelines, and best practices for implementing the European digital identity framework. The recommended implementation schedule sets the publication of the Toolbox for the end of October 2022, with updates following the legislative process outcome. The eIDAS expert group, responsible for implementing the recommendation, published an outline in February 2022. This outline summarizes their understanding of the EUDI Wallet concept, including its objectives, the roles of stakeholders, functional and non-functional requirements, and potential building blocks.
The use of the EUDI Wallet: potential data protection issues
Regarding data protection, Recital 6 of the proposal states that the GDPR applies to personal data processing during the implementation of the proposed regulation. It emphasizes the need for safeguards to prevent the combination of personal data related to services under the regulation with data from other services.
The European Data Protection Supervisor (EDPS), in its formal comments on the proposal issued in July 2021, was the first to voice concerns. It noted that the sufficiency of the safeguards depends largely on the technology used to implement the proposal. While commending the user control and provisions like selective disclosure (Article 6a.7) and certification requirements (Article 6c.2), the EDPS expressed concerns about the unique and permanent identifier (Article 11a). The EDPS argued that storing this additional data category solely to facilitate Wallet usage constitutes interference with data subject rights and liberties, which might not be insignificant. Citing examples like Germany, where unique identifiers have been deemed unconstitutional due to human dignity violations, the EDPS recommended exploring alternative methods for secure identity matching.
Essentially, the EDPS emphasizes the need to balance the convenience of the Wallet with the potential risks to data subject rights and liberties. When identifiers are used, the most stringent legal and technical safeguards must be implemented, including appropriate preventative measures in both regulation and technology.
Following the proposal’s publication, questions arose regarding the EUDI Wallet’s compatibility with the data minimization principle outlined in Article 5.1(c) of the GDPR. This principle states that personal data processing should be “adequate, relevant and limited to what is necessary” for the processing purpose. Recital 28 encourages large online platforms to respect data minimization when accepting the Wallet, Recital 29 presents this principle and selective disclosure as core features, and Articles 6a.7 and 12b.3 reflect it, all of which are improvements on the current eIDAS Regulation. Concerns nevertheless remain. One relates to the required minimum set of personal identification data within the interoperability framework, especially since the proposal removes the criteria in Article 12(3)(c) (“it facilitates the implementation of the principle of privacy by design”) and (d) (“it ensures that personal data is processed in accordance with Directive 95/46/EC”) without replacing them with corresponding GDPR references.
Committees within the European Parliament involved in the legislative process have all raised concerns regarding potential impacts on individual rights and freedoms. These include the ITRE, IMCO, JURI, and LIBE committees, as evidenced by their draft reports, opinions, and proposed amendments.
The ITRE draft report’s proposed amendments, as explained by Rapporteur Jerković, focus on cybersecurity, data protection, governance, and the digitization of public services. These include explicitly requiring “cybersecurity by design” for the EUDI Wallet in Article 6a and strengthening preventative mechanisms to align with the GDPR, such as incorporating the “privacy by design principle” in Article 6a and Recital 29.
Concerning the GDPR, proposed amendment AM. 8 (Recital 6) suggests that the new regulation should “complement Regulation (EU) No 2016/679 by laying down specific safeguards.” The specific rules should not supersede the GDPR, and AM. 158 clarifies that in case of conflict, the GDPR takes precedence. Amendments to Article 12.3(c) and the new Article 5a emphasize GDPR-compliant processing of personal data, while AM. 22 adds to Recital 29 that personal data processing should generally be based on the grounds provided in Article 5(1)(c) of the GDPR. The proposed new Article 6a.6a (AM. 69) emphasizes that using the EUDI Wallets should be voluntary, highlighting the importance of user consent.
Other relevant amendments from a privacy and data protection perspective can be categorized into four groups. The first group emphasizes user control through data minimization and selective disclosure. These amendments aim to minimize users’ digital footprints when using the internet via the Wallet, incorporate a transaction history feature to track all transactions executed through the Wallet, introduce the “Zero Knowledge Proof” (ZKP) concept using cryptographic algorithms to verify claims without revealing the underlying data, enhance the definition of the Wallet to include data management capabilities, and reinforce the data minimization principle by requiring both users and relying parties to minimize personal data processing.
The second group focuses on data protection by maintaining confidentiality and privacy while using the Wallet. This includes establishing “privacy by design” as a standard feature, as reflected in amendments to Recital 29 and Article 6a.7. These amendments aim to prevent Wallet issuers, electronic attribute issuers, and relying parties from accessing information about Wallet usage or attributes without user consent. Other amendments in this group promote untraceability and unlinkability of user interactions, the implementation of essential Wallet functions in a privacy-preserving manner, and the use of pseudonyms as an option when full identification is not legally required. Additionally, there are amendments addressing concerns about using biometric data, requiring explicit consent for storing Wallet information in the cloud, and proposing pseudonymization or anonymization where appropriate.
The third group focuses on amendments related to the controversial unique and permanent identifier. Amendments from ITRE, LIBE, and IMCO propose removing references to this identifier from the proposal. The justification behind these amendments highlights concerns about the identifier’s legality and constitutionality in certain Member States, the potential for less intrusive identification methods, and the redundancy of Article 11a given the existing interoperability framework in Article 12.4(d).
The fourth group addresses data security, specifically regarding the Wallet’s cybersecurity design. Amendments in this group introduce the concept of “cybersecurity by design” in Article 6a.6, requiring robust security features to protect against skilled attackers and ensure the confidentiality, integrity, and availability of the Wallet’s contents. Other amendments emphasize data security through common standards, technical specifications, and reinforced security breach protocols for electronic identification schemes used for cross-border authentication.
The overview shows how European Parliament committees, particularly ITRE and LIBE, have worked towards addressing data protection concerns related to the EUDI Wallet. However, these amendments await voting. While many appear to enhance the proposal from a data protection standpoint, some ambiguities and missed opportunities to alleviate concerns remain. LIBE’s warning highlights the potential for the proposal, in its current form, to contribute to a “social-credit” system enabling mass surveillance and control, which is unacceptable and contradicts the EU’s core values of freedom and individual rights.
Privacy issues in a broader context
It’s crucial to acknowledge the broader implications of amendment AM. 40 (Article 6a.2.c). This amendment proposes that the EUDI Wallet be issued “by an organisation established in the Union” instead of “independently but recognised by a Member State.” This sparked debate during the ITRE meeting on June 14, 2022, raising concerns about a potential redefinition of Member States’ roles in Wallet issuance. While the Rapporteur denied any intention to redefine Member States’ roles, the issue remains significant, echoing the EDPS’s concerns. The proposal’s goal is to strengthen public sector involvement in digital identity, shifting control away from powerful private entities and towards users. However, defining the boundaries of state intervention in digital identity is crucial. Limited state involvement could expose user data to the very threats the proposal aims to address, while excessive intervention could lead to mass surveillance, contradicting the EU’s fundamental values.
A key objective of the proposal is to empower users with control over their data. Amendments from LIBE and ITRE advocating for data revocability within the Wallet exemplify this. The success of the EUDI Wallet hinges on user trust and acceptance. Providing users with genuine control over their data and mitigating the risks of both public and private surveillance are crucial for its success.
Ultimately, the co-legislators bear the responsibility of finding the right balance and prioritizing individual rights within the EU’s digital transformation.