European Commission outlines European Digital Identity framework

The new European Digital Identity (EDI) will enable all Europeans to access services online without having to use private identification methods or unnecessarily sharing personal data. The Commission said individuals would have full control over the data they shared.

The Commission said at present, only 14% of key service providers across all 27 member states allowed cross-border authentication with an e-identity system – for example, proving an online identity without a password.

It said the EDI could be used to prove someone’s identity when opening a bank account, filing tax returns, proving your age, renting a car or checking into a hotel. It will sit in an electronic wallet accessible through any type of mobile device or laptop. Tools such as e-signatures, electronic timestamps, and electronic registered delivery services could also be integrated into the wallet.

The EDI would enable an individual to prove something about themselves, for example their age when buying alcohol, without revealing any other personal information.

The framework would be introduced through the form of a regulation, which the commission has published in draft form.

Technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law, said making the European Digital Identity a reality would not be easy.

“The European Commission is regulating for pan-EU, interoperable, public and private sector use case enabled, secure digital IDs to be issued and recognised by each member state – a huge step forward and a hugely challenging ambition to deliver upon,” McFayden said.

McFadyen said even for the minority of member states which already had domestic digital identity solutions in place, expanding on these would not be without difficulty. He said the implementation of the Payment Services Directive II, which was aimed at making electronic payment more secure, had shown that ensuring compatibility across borders was a challenge, although the use of open standards and collaboration between regulators and industry could resolve this.

Intellectual property law expert Nils Rauer of Pinsent Masons said, despite the challenges, both users and service providers would benefit from a digital identification system.

“As always, the devil is in the details. Obtaining, administration and use of the EDI must not be over-engineered. Transparency and security are crucial in order to allow the wallets and the IDs stored in them to become popular in practice. The right balance is required,” Rauer said.

Rauer said users would need the choice to reveal only part of the information stored in their wallets, as not every service would require the same range of information or documents.

“The core principles set out in the General Data Protection Regulation must be adhered to, notably data economy, data privacy by design and by default, and requirement of adequate justification,” Rauer said.
“We recommend giving fresh thought to what details should be stored in the European Digital Identity. Simply transferring the information printed on a physical ID does not seem to be the right way. For instance, electronic contact details do make sense in terms of information commonly required online,” said technology law expert Paloma Bru of Pinsent Masons.

While the introduction of the EDI is aimed at enabling all citizens to have a European ID in digital format accepted across the EU, there would be no obligation for this.

The commission said that it hoped to have agreed on a toolbox to implement the European Digital Identity framework by September 2022, with the toolbox published in October 2022. The technical framework would then be tested in pilot projects.