On 3 June 2021, the European Commission issued a proposal for a European Digital Identity Regulation in the context of the review of the eIDAS Regulation. The European Digital Identity proposal seems not to have raised much discussion among legal scholars, even though the digital identity of persons can be an essential aspect of their (digital) lives and has several fundamental-rights implications.
Despite many other interesting aspects in the proposal, this comment will focus on electronic identification, including the introduction of European Digital Identity Wallets and the issue of unique identification. I argue that the introduction of a unique and persistent identifier could be understandable from a practical point of view, but cannot be accepted due to its risks and the fact that it potentially infringes the German prohibition on general unique identifiers.
What are eIDAS and eIDAS2.0?
The eIDAS Regulation was adopted in 2014 and has been applicable since 2016, replacing the previous e-Signature Directive. The Regulation has two points of focus: electronic identification and trust services. After an evaluation of the eIDAS Regulation in 2021, it was concluded that, even though the trust service part was considered as relatively successful, the electronic identity part could be further improved. The Commission Work Programme for 2021 included proposing a new European digital identity, resulting in the proposal for a European Digital Identity Regulation. The proposal is not meant to replace the eIDAS Regulation, but to amend it (eIDAS2.0).
Interoperability across Member State borders
The eIDAS Regulation aimed to create a cross-border solution, so that citizens of one Member State could use their national electronic identification means (e.g. the German nPA) to access the online public services of another Member State. This was done with a voluntary approach: Member States could notify their national electronic identification schemes. If a scheme was accepted, other Member States were obliged to accept the notified electronic identification means for access to their online public services. To make this possible, an eIDAS interoperability framework was necessary. Part of the eIDAS interoperability framework is the exchange of a minimum set of person identification data.
The European Digital Identity Regulation seeks to introduce the concept of European Digital Identity Wallets into the eIDAS Regulation. The basic idea is that, just as people have physical wallets containing their physical ID cards, membership cards, etc., they should also have a digital wallet with their digital identity information. And just as it is possible, for example, to prove your name or age with an ID card, driver's licence or membership card, with a digital wallet this should be possible online. The objective is that the wallet enables the user to securely request, select, store, combine, delete and present person identification data and electronic attestations of attributes to relying parties (Art. 6a (3) (a) eIDAS2.0).
Person identification data is a set of data which allows the identity of a natural or legal person, or of a natural person representing a legal person, to be established. Issuing and validating attestations of attributes is a new trust service introduced by the European Digital Identity Regulation. An attribute is a feature, characteristic or quality of a person, such as a person's hair colour, nationality or diploma. The trust service provides attestations in electronic form that allow these kinds of attributes to be authenticated. For example, a university could attest that somebody holds a specific diploma. An aspect that remains unclear is that qualified trust service providers who issue qualified attestations of attributes should be able to verify the authenticity of attributes by electronic means against the relevant authentic sources at national level, such as a national citizen registry (Art. 45d eIDAS2.0). How exactly that would be done is not yet clear, and it raises data protection and security questions.
Finally, under the European Digital Identity Regulation, each Member State is required to issue a European Digital Identity Wallet. Such Wallets must be issued under a notified electronic identification scheme and, accordingly, the previously voluntary notification of national electronic identification schemes will become mandatory for Member States. The timelines vary: in the Commission proposal it is within 12 months after entry into force of the Regulation, in the Council version within 24 months after entry into force of an implementing act. In any case, at some point in the future, each Member State is required to notify at least one electronic identification scheme.
Unique and persistent identifier
As mentioned before, a minimum set of person identification data, which is available from electronic identification schemes, is already required by the eIDAS Regulation (Art. 12 (4) (d) eIDAS). Its mandatory data include the current family name(s), current first name(s), date of birth and "a unique identifier [...] which is as persistent as possible in time". However, this seems not to have been enough. The impact assessment of the European Digital Identity Regulation proposal states that over 70% of Member States reported that this minimum dataset is not sufficient to match identity records.
Therefore, the European Digital Identity Regulation proposal provides that the interoperability framework for electronic identification must include a reference to a minimum set of person identification data to uniquely and persistently represent a natural or legal person (Art. 12 (4) (d) eIDAS2.0). As the minimum data would have to be persistent, the possibility to change the unique identifier, which existed under the old eIDAS Regulation, would be lost. Individuals would have one unique identifier for their whole lifetime. The European Digital Identity Wallet must ensure that this minimum set of person identification data uniquely and persistently represents the person associated with the wallet. Further, Art. 11a eIDAS2.0 adds a provision on unique identification, requiring that, when notified electronic identification means and European Digital Identity Wallets are used for authentication, Member States shall ensure unique identification. Member States are obliged to include the unique and persistent identifier, in conformity with Union law, in the minimum data set for cases where identification of the user is legally required, for example in health or finance.
Which reasons are given to include it in the proposal?
The evaluation states that Member States saw organisational interoperability as the main problem of cross-border interoperability of eIDs. It is supposedly difficult to match an identity to a record using automated means, in particular when a person holds several notified eIDs. If the receiving Member State is unable to exclude duplication, this may lead to a denial of access. Another reason for denial of access is that some service providers require a national registration number, but not all Member States issue such a number, and obtaining a national registry number often requires physical presence. As the impact assessment states, the problem is predominantly linked to the cross-border use of eIDs, since at national level citizens' national identifiers and unique national datasets can be used to identify citizens.
Another aspect is the involvement of the private sector. At the moment, the electronic identification provisions of the eIDAS Regulation only apply to digital public sector services, and the private sector can only use the system if the Member State allows it. And while notified electronic identification schemes can in principle also be issued by private parties, the Member State must endorse and notify them. Notification of an electronic identification scheme also entails that the Member State can, in cross-border situations, be held liable for the attribution of the person identification data to the person and for the availability of a means for relying parties to confirm the person identification data. The impact assessment accordingly states that Member States will be reluctant to open services and agree to an extension of the system to the private sector without full assurance on identity matching.
General: Advantages and risks of a unique and persistent identifier
A unique persistent identifier creates the possibility to link different information about a person together. This can be useful or harmful. It is useful, for example, if citizens no longer need to provide the same information over and over again, or to request it from one public service in order to provide it to another: the services can exchange the necessary information directly. It also remains possible to identify a person and connect them to the information in a database if they have, for example, changed their name or address.
For exactly the same reasons it can be harmful: all information about a person can be connected and a full profile can be made, without the knowledge of the person, which can be used to their disadvantage. And a unique persistent identifier means that all the information about a person can be connected throughout one’s whole life, even if, for example, somebody changed their name or moved to another country for good reasons and does not want to be linked to the old information anymore. Finally, a unique identifier consistently used across different contexts and sectors can facilitate unlawful data exchange, aggregation and profiling.
Prohibitions to use general unique identifiers
Art. 87 of the General Data Protection Regulation provides that Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. However, the GDPR emphasises that such an identifier may only be used subject to appropriate safeguards for the rights and freedoms of the data subject.
In Germany, the use of a general unique identification number is considered to be prohibited, based on judgements of the German Federal Constitutional Court, in particular the population census decision of 15 December 1983. Regarding the discussion around a general unique identification number in Germany, see the analysis of the scientific service of the German Bundestag regarding the so-called 'Registermodernisierungsgesetz'. To fulfil the eIDAS requirement for a unique identifier that is as persistent as possible, Germany assigned the pseudonym created by the eID card as the unique identifier; this pseudonym changes when the card is replaced (see the eIDAS evaluation and the German notification). The eIDAS evaluation mentions that the legal implications of the German decision to use a unique (though not persistent) identifier have not yet been challenged in court.
On 6 December 2022, the Council of the European Union adopted its general approach, which forms the basis for the negotiations with the European Parliament. On 7 February 2023, the ITRE committee adopted its position, which still needs formal approval from the Members of the European Parliament at the next plenary session. In general, the Council's and the Parliament's changes to Art. 6a (4) (e) eIDAS2.0, Art. 11a eIDAS2.0 and Art. 12 (4) (d) eIDAS2.0 seem to go in the right direction, with the ITRE draft going further and deleting the 'persistent' requirement entirely.
The obligation for Member States to notify electronic identification schemes, together with the obligation to provide a minimum data set with a unique and persistent identifier, de facto means that every European Union citizen would be assigned a unique and persistent identifier: a number. Information about them could then be linked together across borders and across different contexts. While this may be convenient, it also creates significant risks. The Parliament's draft gives hope that the European Digital Identity Regulation can get rid of the requirement of a persistent identifier. Even for a merely unique identifier, the risks of using it across different contexts and of profiling persons should be addressed. This requires more than good intentions: the Regulation should include a clear requirement to create technical unlinkability wherever linking the information is not a legal obligation.
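To make the difference between a lifelong number and technical unlinkability concrete, here is an added illustration (written for this comment; it is not the German nPA's actual pseudonym protocol, which derives its card-and-sector pseudonyms differently, and not code from the eIDAS texts). It models two kinds of card: one that presents the same persistent national number to every relying party, and one that derives a separate pseudonym per sector from a secret bound to the card using a keyed hash. The sector names, the national number and the relying-party records are constructed sample data. The point it shows is the one made above for the German eID: a pseudonym can be stable within one sector (so the bank recognises a returning customer) while two relying parties hold no common key on which to join their records, and replacing the card breaks even the within-sector link.

```python
"""Simplified model of why a lifelong national number links records across
sectors while a card-bound, sector-specific pseudonym does not.

Assumed illustration for this comment, not the German nPA's Restricted
Identification protocol: the nPA derives its pseudonyms differently, but the
property shown here (one stable pseudonym per (card, sector) that no relying
party can map to another sector's pseudonym) is the same.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set


def sector_pseudonym(card_secret: bytes, sector_id: str) -> str:
    """Pseudonym for one (card, sector) pair.

    HMAC-SHA256 keyed with a secret that never leaves the card. The output is
    deterministic, so the same card always presents the same pseudonym to the
    same sector, but without the key a relying party in sector A can neither
    compute nor recognise the pseudonym the card uses in sector B.
    """
    return hmac.new(card_secret, sector_id.encode("utf-8"), hashlib.sha256).hexdigest()


class PersistentIdCard:
    """A card that presents one lifelong number to every relying party."""

    def __init__(self, national_number: str) -> None:
        self.national_number = national_number

    def identifier_for(self, sector_id: str) -> str:
        return self.national_number


class PseudonymCard:
    """A card that derives a separate pseudonym per sector from a card-bound secret.

    Reissuing the card means a fresh secret and therefore new pseudonyms in
    every sector: the "unique but not persistent" behaviour described above
    for the German eID.
    """

    def __init__(self, card_secret: Optional[bytes] = None) -> None:
        self.card_secret = card_secret if card_secret is not None else secrets.token_bytes(32)

    def identifier_for(self, sector_id: str) -> str:
        return sector_pseudonym(self.card_secret, sector_id)


def build_profiles(card, sectors: List[str]) -> Dict[str, Dict[str, str]]:
    """Constructed scenario: one citizen authenticates to each sector, and each
    relying party stores its own record under whatever identifier the card presented."""
    return {sector: {card.identifier_for(sector): f"{sector} record"} for sector in sectors}


def linkable_keys(db_a: Dict[str, str], db_b: Dict[str, str]) -> Set[str]:
    """Identifiers present in both databases: the join key an aggregator would
    use to merge two relying parties' records into one profile."""
    return set(db_a) & set(db_b)


def demo() -> None:
    sectors = ["health.example", "bank.example"]  # assumed sector identifiers

    persistent = PersistentIdCard("0000001")  # constructed lifelong number
    dbs = build_profiles(persistent, sectors)
    print("persistent id, linkable keys:", linkable_keys(dbs["health.example"], dbs["bank.example"]))

    pseudonymous = PseudonymCard()
    dbs = build_profiles(pseudonymous, sectors)
    print("sector pseudonyms, linkable keys:", linkable_keys(dbs["health.example"], dbs["bank.example"]))

    # Same card, same sector: a stable identifier for repeat visits.
    print("stable within a sector:",
          pseudonymous.identifier_for("bank.example") == pseudonymous.identifier_for("bank.example"))
    # Card replaced: fresh secret, so even the bank cannot link old and new records.
    print("survives card replacement:",
          PseudonymCard().identifier_for("bank.example") == pseudonymous.identifier_for("bank.example"))


if __name__ == "__main__":
    demo()
```

Two caveats a practitioner would add. Unlinkability here holds only between relying parties: whoever holds the card secret (in this model the card issuer) can compute every sector's pseudonym, so the issuer, or a relying party colluding with it, can still link records; the keyed hash also relies on the secret never leaving the card. And the scheme only prevents linking through the identifier itself; if the same name, date of birth and address are transmitted alongside the pseudonym, as the eIDAS minimum data set requires, those attributes remain a join key regardless of how the identifier is derived.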