EU Debates Digital ID as New Regulation Looms

The European Union’s new electronic identification regulation is being criticized on multiple fronts.

The European Commission proposed a revised eIDAS (eIDAS 2) in 2021, designed to supersede the 2014 electronic identification and trust services (eIDAS) regulation, with the goal of giving internet users more control over their data.

It is also intended to create a cross-border framework for digital identity services and will pave the way for the introduction of a common digital ID wallet for all EU citizens.

After much debate, the European Council adopted its common position on the proposed legislation in December. But as the different parties negotiate the final text of the regulation, it has come under fire.

In an open letter published earlier this month, the Cloud Signature Consortium — a group of businesses and researchers representing the cloud signature industry — outlined what it referred to as “risks” stemming from changes to Article 24 of eIDAS 2.

In the commission’s initial proposal, there are two assurance levels that would qualify an eID scheme as compliant with eIDAS 2: “substantial” or “high.” However, as the consortium noted in its letter, the council’s position removes the reference to substantial assurance, ensuring that only the highest level of assurance will qualify.

While it acknowledged “the best intentions of policymakers,” the group argued that the higher standard proposed by the EU council will disqualify many eID schemes that already exist.

These include some of the most widely used schemes in Europe, among them FranceConnect, which counts more than 41 million users, as well as other major identification systems, such as the Swedish BankID and SPID in Italy.

Security and Privacy Concerns

While the consortium argued that the removal of the “substantial” level of assurance will slow adoption and make digital ID schemes less user-friendly, others are making the case for stronger security and privacy provisions in the eIDAS 2 regulation.

Central to the debate is the notion of a “unique and persistent identifier” that was included in the commission’s proposal.

In its original form, the unique identifier was proposed as something akin to a Social Security number in the United States that would function as a single piece of information to identify citizens across databases.

However, following resistance from several member states, the council has replaced the section on unique identifiers with one on “record matching.”

While this does not eliminate unique personal identifiers from eIDAS 2, the council has clarified that they will function only in the context of wallets, writing that “the identifier may consist of a combination of several national and sectoral identifiers if it serves its purpose.”

Similar objections to compulsory unique personal identifiers have also been voiced in the United Kingdom. There, as the country embarks on its own legislative journey toward a digital identity framework, the government has insisted that no digital identity scheme will be mandatory.

In a consultation report published Friday (Feb. 3), the government acknowledged that “many of the individuals who responded to the consultation said they were against digital identities in principle.”

The report added that due to the complaints, the government has no plans to either “make the use of digital identities compulsory” or “introduce ID cards” in the U.K.
