Out-Law News 2 min. read
16 May 2013, 1:17 pm
Jens Rohde has put together a draft opinion on the European Commission's draft Regulation electronic identification (e-ID) and trust services (24-page / 227KB PDF) for the Civil Liberties, Justice and Home Affairs (LIBE) committee in the European Parliament. Rohde is the rapporteur to LIBE on the plans. The Regulation is aimed at making it easier to verify the identities of individuals by giving recognition to individuals' e-IDs when making online transactions.
The Commission has previously said that "common EU rules on legal recognition of e-ID" and for trust services would help facilitate more online, cross-border, trade within the EU.
However, Rohde said that he has concerns with the plans. He said that security requirements around the verification of e-ID should be prescribed within the text of the Regulation
"The rapporteur supports the Commissions efforts to combine the largely differentiated use of electronic identification schemes in the various Member States with a strong mutual recognition mechanism," Rohde's draft opinion said. "However, the regulation fails to provide a model that can ensure an adequate level of security building on existing experience. The rapporteur therefore suggests introducing and defining the security levels within the regulation in order to settle any ambiguities and ensure that the regulation works in practice."
The European Commission had suggested that security requirements could be set out in future delegated or implementing acts, which can be used by the Commission to flesh out in more detail what is meant by legislative provisions, but Rohde said this approach should be rejected.
Currently a number of EU countries operate a range of different e-ID schemes that allow individuals within those countries to complete transactions or access services online, rather than via traditional face-to-face or paper systems.
The draft Regulation would allow EU member states to "opt in" so that their e-ID schemes will be "mutually recognised" by other EU countries. In return for doing so those countries would be obliged to mutually recognise the schemes operated by the others who sign up to the scheme.
EU governments operating schemes would have to make sure that personal data is "attributed unambiguously to the natural or legal person" using the e-ID system, as the draft Regulation requires that the "notifying member state" assume "liability" for attributing e-IDs to the right people and where a person's e-ID has been used by someone in error or fraudulently.
Rohde said, though, that the draft Regulation should be amended to allow EU member states to pass on the liability for security breaches to the providers of digital identity management schemes, unless those identity providers can show that they have "not acted negligently".
The Commission's draft Regulation also contains other measures to improve the security of individuals' information when using online services. Plans to strengthen the supervision of trust marks, which enable individuals to submit electronic documents complete with electronic seals, which confirm the origin and integrity of electronic documents, as well as with electronic time stamps, have been proposed, as has the strengthening of rights around electronic signatures.
The European Data Protection Supervisor (EDPS) previously raised some privacy concerns relating to the Commission's e-ID and electronic trust services proposals.