Digital identification has become an essential complement to the well-established paper variety across industries, whether you work in finance, telecom, healthcare, transport, retail, education, or the government sector. As the digital world evolves at a rapid pace, improving digital identification and privacy becomes increasingly important for the public and private sectors as well as for consumers.
Logically, that brings along questions of its own. First, what does the European Digital Identity Wallet mean for the Netherlands, and what is the potential added value? What does the road to the European Digital Identity look like, and how to navigate the ethics involved? Moreover, what would a responsible Digital Identity solution look like? And how do the newest digital identity advancements impact our privacy and digital security? Follow these blogs and explore these waters with us.
The European Digital Identity aims to offer residents of European countries an alternative to identification solutions provided by large tech companies. It is, in essence, a privacy-friendly, secure, and reliable national solution for online identification, accepted by governments and businesses in various sectors across the EU. Notably, it is not an all-encompassing database of your online behaviour and location history. Citizens have the choice, and alternatives remain available. It is a national solution, not a European passport or identity.
Why a digital identification solution? And why at the European level?
The European Union (EU) recognizes that its citizens frequently use services, apps, and social media from large tech companies, and that they do so without realizing their role as the ‘product’. In other words, citizens are often unaware that their behavioural data is used for increasingly targeted marketing messages (sometimes bordering on manipulation) and that this compromises their autonomy and privacy.
Generally, these threats are linked to your digital identity: your social media login or account, or the way you log in with large tech companies. A login like that can also be reused elsewhere (e.g., your Facebook login for other internet services), which allows more extensive tracking of citizens and poses a greater threat to privacy. That, in turn, raises significant concerns about the digital society.
In response, the EU said: we want a reliable alternative. Firstly, this alternative should allow our citizens to log in. Secondly, citizens using this alternative should be able to decide for themselves which data to share. No more logging in with a large tech company’s solution and no more mandatory data disclosure before proceeding (to use a service).
Learning from previous attempts to improve digital identification
What can we use for this? Well, there is European legislation on the matter. It states that a secure national (not European!) digital login method in one country (e.g., DigiD in the Netherlands) should be accepted in other EU countries. In this context, we mean EU countries in the European Economic Area, the EEA. For example, you only need to apply for your DigiD in the Netherlands, and you can use it elsewhere. Three issues emerged:
- A country must go through complex procedures to have its national digital identification tool ‘accepted’ at the European level (called ‘notification’).
- You can only use it for government services. So no commercial services, for which you still fall back on … big tech. That would mean no longer achieving the goal of protecting citizens.
- As a result, there was no market for these identification solutions. It didn’t take off.
This legislation, eIDAS 1.0, was launched in 2014 and encompasses electronic identification and trust services for electronic transactions in the internal market. However, too few national identification solutions were submitted.
eIDAS 2.0: European Digital Identity, in a Wallet
As a result, we now have the eIDAS 2.0 legislation. With it, the EU essentially says: we make a reliable alternative possible and learn from our previous attempts. The first thing this legislation does is provide a legal framework. In doing so, it ensures that when a new solution comes, it is legally sound in all EU countries. That’s important because when there is fraud in identification or misuse, you want to know how to address it (legally).
Moreover, the EU said: we want to make something safe and free for citizens, but not at the European level. Countries are sovereign and responsible for their citizens (not the European Parliament or the EU). Thus, each country must create or designate a solution by the end of 2024, with which citizens can identify themselves from 2025 onwards. The EU explicitly believes that this must be a wallet with current technology. All major tech companies are already working on this. It’s a good solution in the current technical landscape, and this solution enables several things we didn’t have working well before.
One example is derived attributes. To prove you’re over 18, for instance, you no longer have to share your birthdate; instead, an attribute linked to the solution says ‘yes, this person is over 18’. This enhances privacy because you share less data about yourself (data minimisation).
Another advantage of wallet technology is that, if properly set up, it cannot collect information about where you have used it. Altogether, no profile of your (online) behaviour is built, and you cannot be tracked online. More technically: the wallet also enables ‘zero-knowledge proof’ and the sharing of ‘verified credentials’. Additionally, it can work both offline and online.
What does this mean for people?
From the wallet, the user (the citizen of an EU country, not the citizen of Europe, as that doesn’t exist) determines when they share which data. So, suppose an insurer asks for your medical history, birthdate, and first and last names. In that case, the citizen gets a pop-up in the wallet asking, ‘do you want to share that data?’ (per data element). The citizen can then say: this is not health insurance but home insurance, so I won’t share medical data, but maybe the rest. Yet, this is one of the major concerns of privacy experts. Because how do we help citizens make the right choice? And how do we ensure that they don’t share all their data when they see a pop-up offering a 5% discount if they do? See, for example, articles in Follow the Money and Nederlands Dagblad, both from February 2023.
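As an added illustration (not code from the original post or from any EU wallet implementation) of the derived-attribute and per-element sharing ideas described above: the issuer derives an ‘over_18’ attribute from the birthdate and commits to every attribute with a salted hash, the wallet reveals only the attributes the user agreed to, and the verifier checks the revealed values against the issuer’s commitment. An HMAC with a constructed key stands in for the issuer’s digital signature, an assumption made to keep the example stdlib-only.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed demo key; a real issuer signs with an asymmetric key the verifier can check.
ISSUER_KEY = b"demo-issuer-key"


def _digest(salt, name, value):
    # Salted commitment to one attribute; the salt prevents guessing values from the digest.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(attributes, today):
    # The issuer derives 'over_18' so the wallet can prove it without revealing the birthdate.
    born = date.fromisoformat(attributes["birthdate"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    claims = dict(attributes, over_18=age >= 18)
    disclosures = {n: (secrets.token_hex(8), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    payload = json.dumps({"digests": digests}, sort_keys=True).encode()
    tag = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, disclosures


def present(credential, disclosures, agreed):
    # The wallet hands over only the disclosures the user approved in the pop-up.
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in agreed}}


def verify(presentation):
    # The verifier checks the issuer's commitment, then each revealed attribute against it.
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None
    digests = set(json.loads(cred["payload"])["digests"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in digests:
            return None  # value was altered after issuance
        revealed[name] = value
    return revealed
```

The verifier learns only that the holder is over 18; the birthdate and name never leave the wallet unless the user agrees to share them.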
What does this mean for businesses?
The EU has included in its eIDAS 2.0 that not only government services should accept this wallet, but every critical and vital industry where strong authentication is required (under local legislation). This currently applies to banks, insurers, and others. The EU also mentions sectors such as transport, energy, education, and others. It’s not that you’ll only be able to log in with a wallet in the future. Rather, these sectors must also allow login with a wallet (and not just your social accounts or other logins). What didn’t happen with eIDAS 1.0 is now enforced here: a market where the citizen can actually do something with their identification. Specifically, logging in and using services. Now, how can you accommodate that with your business in the future? Stay tuned to this blog series and join us in further exploring this domain!