Biometrics regulations, misconceptions threaten to undermine EUDI Wallets

Is it a case of shoot first and ask questions later? Asking for a biometrics provider. Maybe it’s due caution on a fraught topic. In some cases, it may be driven by political ideology. Where biometrics are involved, this week news on Biometric Update shows that even basic facts of the matter and whether the major policies of a single body can align are points of contention. But EUDI Wallets will depend on regulatory alignment – and biometrics — for their effectiveness, and the market is accelerating launches toward their launch.

Fact and interpretation in dispute

Researchers from Georgia Tech and UC Irvine said in a presentation at the IEEE Symposium on Security and Privacy that Yoti shares personal information with third and fourth parties, including biometric data. The company has publicly challenged the claims, calling the latter “wholly false” and inviting the researchers to nominate an independent cybersecurity expert to review the findings.

Meanwhile Spanish data protection regulator AEPD has ruled that biometric data cannot be offered by services as a sole option for verification by digital ID wallets and apps under GDPR. Yoti has already clashed with the regulator on this same subject. The AVPA warns the ruling could undermine the whole EUDI Wallet scheme, since the alternatives are relying on device-bound identity or knowledge-based verification methods like PINs, neither of which meet the standards for high-value use cases. The EDPB needs to step in with clarifying guidance, AVPA says.

Part of the promise of EUDI Wallets is in enabling widespread public use of Qualified Electronic Signatures. Cloud Signature Consortium President Viky Manaila tells Biometric Update in an interview that this capability is what EU citizens actually need, but QESs rely on KYC-grade identity verification to be legally recognized.

The clash of interpretations comes as the market continues to prepare for the launch of EUDI Wallets, possibly at the end of this year.

EU Digital Identity Wallet market taking shape

Belgium-based Itsme is using its recent acquisition of Dutch firm iDIN as a springboard to expand into the Netherlands. The company is building up cross-border reach ahead of the EUDI Wallet launch in part to strengthen its pitch to consumer segments like truck drivers and expats.

Poland has passed a broad digital reform law requiring age checks for access to pornographic sites by the end of this year. The law does not specify a method, but the government is recommending businesses use EUDI Wallets for data minimization.

Denmark’s EUDI Wallet, Altid, launched for download this week for use online or in-person. The country has one of Europe’s highest digital identity adoption rates and the app, developed by Nine, will provide digital ID and age verification through zero-knowledge proofs. Signicat provides the NFC-scanning and biometrics capabilities that make that possible.

Google Wallet users in some EU Member States will be able to add digital IDs and age assurance credentials to theirs this summer. An early partner in the regional expansion is German bank Sparkasse, for digital age verification.

Please let us know in the comments below or through social media if you hear any podcasts or see any other content we should share with those in biometrics and the digital identity community.

Article Topics

age verification  |  biometrics  |  data protection  |  digital wallets  |  EU Digital Identity Wallet