In the context of the COVID pandemic, digitalisation has become more relevant than ever before. The digitalisation of almost every sector has become the most prominent solution to fight the spread of COVID-19. Social distancing has increased the need to be able to use services and to identify and authenticate oneself online. Nevertheless, the digitalisation of so many services has also engaged complex data protection considerations, given the entirely online exchange of a substantial volume of data.
As part of the eIDAS Regulation (2014), the European Commission proposed to include a framework under which EU citizens, residents in the EU as well as businesses in the EU will have individual digital wallets, to facilitate citizens' and businesses' access to various services. This framework will also enable individuals to identify themselves easily when they need to as part of a specific service, such as for nationality, educational and professional purposes. The important milestone to note with regard to the discussion about the European Digital Identity (EDI) is the claim that the user will be in total control over their own personal data.
The actions that an individual will be able to take by using their electronic ID (e-ID) via their digital wallet are:
- verifying identity;
- sharing electronic documents via mobile;
- accessing online services;
- verifying age on platforms that request it;
- seamlessly checking in at the airport or renting a car;
- opening a bank account; and
- filing tax return forms.
Data protection considerations
An instrument such as the EDI wallet falls under the scope of the General Data Protection Regulation, because it will process a special category of data, namely the biometric data of citizens and residents. It is within the discretion of the EU institutions and the Member States to establish security standards that will guarantee that any data shared in the wallet is adequately protected. An important feature is that the user decides whether to share data and which data to share.
On the one hand, one could argue that having the choice of signing or logging in to certain digital services by using the e-ID would be beneficial. Concerns have grown around the fact that tech giants (i.e. social media platforms) offer the possibility to access services by using the same credentials as the ones used to enter their platform (social log-in/plugin). This is particularly problematic as it creates a continuous profiling of the internet activity of anyone who opts to sign in for a service by using their social media credentials. By using their e-ID instead of social logins, users do not need to share unnecessary personal data with third-party service providers.
Users will also need assurance that their data is safeguarded in order to build trust in the digital wallet and the e-ID, especially when this data is biometric. The Commission further proposed to co-operate with Member States as well as the private sector in order to create a Toolbox with a set of common standards, guidelines, best practices and technical references. The Toolbox will enable platforms willing to incorporate the digital wallet and e-ID to test and improve the protection of personal data flowing as part of the digital wallet’s actualisation. The Toolbox will be released in September 2022 and will carve the path for the EDI framework.
The European approach
Although European Member States have been able to develop and recognise national electronic identification schemes and make use of the e-ID since 2018, only 14 out of the 27 Member States have notified an e-ID scheme and only seven of these schemes are operating on mobile phones.
The Commission has particularly underlined that a European approach to the digital wallet is deemed to be more desirable than national or private sector approaches, on the basis that such stakeholders will tend to adopt individual and divergent standards which ultimately hinder the interoperability of the digital wallet and the e-ID. By adopting an EDI framework, it is estimated that 80% of EU citizens will be able to access public services online by 2030.
There has been substantial discussion in regard to this nascent digital tool to date and it will likely continue until the Toolbox is published. The crucial consideration at this stage is to cultivate public trust in digital services in order to encourage more service providers to implement the new Regulation by integrating the e-ID wallet into their sign-in / log-in options.
The Trilateral Data Protection and Cyber Risk Team has extensive experience working with organisations and third-party service providers to ensure that data processing operations are carried out in the most secure way, complying with legal obligations and following best practices. If you need help in this area, we would be happy to hear from you. Please feel free to get in touch with one of our advisors today.