Out-Law / Your Daily Need-To-Know

Government would be liable for faults with individuals' data under new cross-border electronic identification proposals

Out-Law News | 06 Jun 2012 | 3:35 pm | 3 min. read

Individuals will be able to sue their Government if their privacy is violated, under a new draft system for the 'mutual recognition' of electronic identities in Europe.

The European Commission has published a draft new Regulation (56-page / 339KB PDF) on electronic identification (e-ID) and trust services which aims to make it easier to verify identities online. Under the plans electronic signatures will have "the equivalent legal effect of a handwritten signature" and a new optional framework for authenticating e-IDs across national borders will be established.

The plans on e-IDs would allow EU member states to "opt in" so that their e-ID schemes will be "mutually recognised" by other EU countries. In return for doing so those countries would be obliged to mutually recognise the schemes operated by the others who sign up to the scheme.

Currently a number of EU countries, not including the UK, operate a range of different e-ID schemes that allow individuals within those countries to complete transactions or access services online, rather than via traditional face-to-face or paper systems.

Under the proposals EU governments operating schemes would have to make sure that personal data is "attributed unambiguously to the natural or legal person" using the e-ID system.

If a person's e-ID has been used by someone else or in error those individuals will be able to sue the government, as the draft Regulation requires that the "notifying member state" assume "liability" for attributing e-IDs to the right people.

The Commission said that the proposed measure, together with the fact that data would not be centralised under its plans, could help enhance individuals' privacy, and that the mutual recognition framework would make it more "convenient and cost-effective" to verify their identity. It added that only relevant e-ID data necessary to complete a service would be used by certified trust providers under the framework.

"Under these proposals no unnecessary data is revealed or exchanged," the Commission said. "The proposals are designed to avoid the centralisation of information. There is no aggregation of information, beyond the aggregation that already takes place in national systems. However there is one key additional safeguard."

"Data protection regimes already apply to national eID schemes. In addition, Member States assume liability for their participating systems. That means you will have the right to sue your government if there is a problem with your data or access to services. This new right, to make one’s government liable, is a clear incentive against lax behaviour; it will provide an effective lock on the ‘door’ of your data file," it said.

Measures have also been drafted to improve the security of individuals' information when using online services. Plans to strengthen the supervision of trust marks which enable individuals to submit electronic documents complete with electronic seals, which confirm the origin and integrity of electronic documents, as well as with electronic time stamps, have been proposed in addition to the strengthening of rights around e-signatures.

"The proposals provide for clear and unambiguous identification and proof of identity," the Commission said. "For many public services, users and administrations alike prefer higher levels of security than is necessary, say, for online shopping. For example, using an electronic token with an access code to complete a tax declaration online."

"Other security services include electronic signatures, electronic seals or time stamping. These enable online transactions to be concluded with the same legal validity as in the physical world. Such use of the Internet can speed up enormously the time it takes for small companies to carry out their business," it said.

The new e-ID mutual recognition framework would be particularly useful for individuals looking to use public services in other EU countries online where their identity needs to be verified, the Commission added. This ability is hindered at the moment because of the "divergent" nature of the e-ID schemes in operation.

"While hundreds of millions of Europeans are now able to use electronic identification for services like online shopping, and have received better services as a result, these benefits are much less commonly achieved with public services, and especially not outside one's home country," the Commission said. "Citizens can rarely, if ever, use their e-ID to interact online with public administrations of other EU Member States."

"This undermines our rights as Europeans, and causes inconvenience and extra costs associated with time delays and the hassle of maintaining multiple identity documents."

"The absence of common EU rules on legal recognition of e-ID acts as a brake on those citizens who need to be mobile or undertake business or work activity outside their home country. Equally, the lack of an EU legal framework for essential trust services like time stamping (legally proving the time), electronic documents (legal effect and acceptance), registered electronic delivery (legal proof of a communication channel), and electronic seals (which legally link a person or a company to a document) also means lots of companies divert resources from their key functions to standing in queues, waiting for forms and stamps," the Commission said.