Will EU digital identity drop the unique identifier?
The European Commission may be changing its mind about its proposed requirement for all European Union member states to incorporate unique identifiers in digital IDs that become part of the bloc’s interoperable ID structure.
Proposals to remove the mandate are being considered by the committee overseeing legislative development, and a Commission spokesperson has told news outlet Euractiv that a single identifier is negotiable.
A persistent, or lifelong, unique identifier could be used to track individuals across any government database. While the first-look regulation on identity in 2014 was based on privacy by design, the Commission has added persistent identifiers for eIDAS 2.0, being developed.
Such a tracking device would be illegal in Austria and the Netherlands and unconstitutional in Germany, said Thomas Lohninger of the digital rights umbrella group European Digital Rights (EDRi), speaking at the Internet Privacy Engineering Network’s digital identity workshop. He called such identifiers “super cookies” and “outrageous.” Belgium is already using unique identifiers.
The European Parliament’s Committee on Industry, Research and Energy is leading the review of a draft report on proposals for a digital ID framework. The committee’s lead rapporteur, Romana Jerković, published suggested amendments with some notable changes.
Following is text proposed by the Commission in 2021 (emphasis shows proposed deletion):
“Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request in those cases where identification of the user is required by law.”
Following are amendments (emphasis shows proposed addition):
“In order to ensure interoperability of European Digital Identity Wallets, Member States shall provide a minimum set of person identification data, in conformity with national and Union law, which can unequivocally identify the user upon their request in those cases where identification of the user is required by law.”
Proposals have been inserted to show how an individual can be identified in another member state (the key aim of the entire endeavour) via the wallet. Pseudonyms and self-sovereign identity principles could be called on:
“When accessing public and private services cross-borders, authentication and identification of a user of the Wallet should be possible. The receiving Member States should be able to unequivocally identify the user upon their request in those cases where identification of the user is required by law. In order to ensure high-level of trust and security of personal data, different technical solutions should be considered, including the use or combination of various cryptographic techniques, such as cryptographically verifiable identifiers, unique user-generated digital pseudonyms, self-sovereign identities and domain specific identifiers using state of the art encryption technology.”
Another insertion to the draft introduces a “once only” approach to data-sharing nationally or internationally. This could control interaction with organizations without them tracking the individual:
“This Regulation should support the use of the ‘once only’ principle in order to reduce administrative burden, to support cross-border mobility of citizens and businesses, and to foster development of interoperable e-government services across the Union. The cross-border application of the ‘once only’ principle should result in citizens and businesses not having to supply the same data to public authorities more than once, and that it should also be possible to use those data at the request of the user for the purposes of completing cross-border online procedures.”
Over at the European Commission, the stance on an identifier may be changing.
“It is not necessary to have a single identifier and when identifiers are used, the strictest legal and technical safeguards must be applied,” a Commission spokesperson told Euractiv.
Meanwhile, the third organ of the European Union, the European Council, is currently being hosted by the Czech Republic, which is keen to push ahead with Europe’s digital agenda.
digital ID | digital wallet | eIDAS | EU | European Commission | European Digital Rights (EDRi) | identity verification | interoperability | privacy | standards