03 Feb 2022

Public Hearing on the European Digital Identity Wallet and Trust Services (*)

Public hearing

Wojciech Wiewiórowski, European Data Protection Supervisor

  • he welcomed this opportunity to exchange views on the European digital identity;
  • he supported the idea of a European digital identity wallet (eID wallet) and Trust Services;
  • the eID wallet would give users better transparency and give them control over the data they shared, with whom and for which purposes;
    • it would solve the issues related to excessive data processing and allow the data subject to share only the data that was strictly necessary to achieve the purpose;
    • for instance, in the case of age verification, the user could submit only their birth date without disclosing any other information;
  • with the right implementation, the eID wallet could be privacy-friendlier than existing analogous solutions;
  • he took into account the Commission’s Common Union Toolbox for a coordinated approach towards a European Digital Identity Framework;
  • however, he believed that the data protection, privacy-friendly functionalities and self-sovereignty provided by the digital identity should be better communicated;
  • he demanded further insights on the expected implementation in the Member States;
    • the technical implementation would determine whether additional data protection safeguards should be included in the regulation and whether its design would comply with the GDPR;
    • he regretted that the information would only be available following the implementation of the 28 Commission Implementing Acts;
    • this prevented the full assessment of the technical architecture;
    • this also highlighted the issue of delegation and sub-delegation concerning the legal norms that should be adopted in the Parliament;
  • he believed that citizens could make full use of the public and private online services across the EU with the eID wallet, however, the possibilities of identification that currently existed on the platforms represented a challenge in terms of data protection;
  • he demanded clearly defined responsibilities for each actor involved (i.e. trust services providers, public and private services providers) as either controllers or joint controllers to avoid uncertainties;
  • he did not dwell on the cybersecurity issues as the other experts would cover the topic;
  • the regulation contained provisions regulating the behaviour of the trust services providers and the issuing authorities, but the provisions regarding the relying parties were more tacit;
  • some people had argued that the eID could be the first step towards the end of anonymity on the internet;
    • he warned the Parliament that while the eID was a good thing for Europe, it could be misused. In the current debate on mandatory identification of the internet user, the eID wallet might be the “missing puzzle” to achieve this goal, especially with its ‘unique identifier’;
  • regarding Article 6b, while the unique identifier was not mandatory, it could create issues in certain MS where they were either forbidden by law or by the constitution;
  • the regulation should also ensure that the relying parties implementing the safeguards and the MS would comply with the requirements;
  • he demanded further specification concerning the categories of data that could be requested from wallet users;
  • he stressed that without the implementation of data protection by default, the digital experience would not differ from an analogue one;
  • in conclusion, the eID wallet could be used to ensure better privacy protection, but whether it would achieve its potential would depend on the regulation and its implementation;
  • the EDPS and the national supervisory authorities would ensure that the implementation contained the necessary safeguards;
  • he invited the Commission to keep the EDPS informed about the development of the eID wallet and the Union toolbox.

Alban Feraud, President of EUROSMART

  • Eurosmart had been advocating for high-security digital interactions;
  • they considered eID as a major initiative for EU citizens, MS and businesses;
  • the proposal should shape a trustworthy digital identity ecosystem and become a European success;
  • he would focus on data protection, security, open and transparent ecosystems as the main issues for Eurosmart;
  • first, on data protection, Eurosmart welcomed the provisions in Article 6c (2) which mandated a data protection certification for wallets, even if the methodology remained to be defined;
  • however, regarding the electronic attestation providers in Article 45f(4), they recommended a mandatory GDPR certification for electronic attestation providers;
  • several provisions should be clarified:
    • the territory of data: data should be stored and processed exclusively on EU soil;
    • the scope of activities of the separate legal entity set in Article 45 (f);
  • moreover, he noted that also in Article 45 (f), the level of protection for data of legal entities and legal persons was not ensured;
  • second, on security, he called for a methodology and criteria to assess the security of the wallets to ensure a high level of security for the wallets;
  • this security should be further tested with ethical hacking by highly-skilled experts;
  • he found it surprising that security had not been explicitly stated as a key feature of the wallet and called on the MEPs to add this provision in Article 6a;
  • he also recommended having a mandatory security certification based on the European Cybersecurity Certification Scheme;
  • the highest level of confidentiality was necessary;
  • third, on open and transparent systems, on the one hand, he noted that the infrastructure would rely on mobile phones, however, this ecosystem would be dependent on the gatekeepers. On the other hand, he stressed the importance of fostering competition to encourage innovation and the emergence of new technologies and uses for better inclusivity and accessibility;
  • he stressed that competition should be virtuous, fair and controlled;
  • in that regard, he believed the DMA would play a key role in allowing technology providers and services providers to fully access key components of mobile phones (e.g. hardware, software or OS);
    • more specifically, technology providers would be able to access secure hardware and use it to store sensitive credentials such as personal data or authentication keys, as well as access the biometric sensor of the mobile phone;
  • therefore, the success of eID would largely depend on the success of the DMA;
  • in conclusion, security and data protection were key conditions to ensure citizens’ trust in the digital identity ecosystem and to ensure EU sovereignty with the control of data based on EU laws;
  • moreover, the mandatory cybersecurity certification scheme would shape a robust cybersecurity ecosystem and the open and transparent systems would ensure a fairer level of competition and promote innovation, inclusivity and accessibility.

Kai Rannenberg, Chair of Mobile Business and Multilateral Security, Goethe University Frankfurt

  • he welcomed the establishment of European Digital Identity Wallets as a great opportunity for Europe as regards data protection, providing more control for users, strengthening EU digital sovereignty, however, it should be done thoroughly;
  • he stressed that “Full Control by Users” was an “important paradigm” in digital identity management, however, the implementation of this aspect was key;
  • using a case example of whether users could authenticate using a single attribute (e.g. “over 18”), based on Articles 1(7) and 3 (5), he noted that the definition of “authentication” had to be clarified, especially as regards the ‘unlinkability’ aspect;
  • there had been no explicit decision on the technology of the wallets to ensure technological neutrality;
  • the overall impression was that the wallet model would be a storage space provided by cloud providers or ledgers and accessed by users via a smartphone;
  • he explained the different scenarios of users’ control:
    • with cloud providers, there would be a contract-based customer relationship, however, this might not mean “Full control by the user”;
    • with ledgers, who were decentralised, there might be issues in removing an (old) attribute out of a ledger;
    • therefore, he called for a thorough checking on the control options for users, the security properties and the functioning of decentralised storage in user devices;
  • on users’ control over their devices, he noted that smartphones had many functionalities and interfaces, they were very complex and were dependent on two main operating systems providers. This caused inherent problems for security and for control by users;
    • he acknowledged the call for certification and called for further action, as well as a discussion on the architecture of the system;
  • moreover, he noted that the upcoming Legislation to effectively tackle child sexual abuse online might also affect the foundations on which the wallet and trust service infrastructure were built;
    • the proposal might include restrictions on encryption that could severely limit the trustworthy protection of the identity information between e.g. cloud and device, as well as “Client side scanning” on user devices;
  • he also evaluated several platform options:
    • smart cards and dedicated smartcard readers had limited complexity, better security but could be inconvenient;
    • enhanced smartphones had additional hardware and improved system and encryption software such as split key encryption, and could be further assessed;
    • existing popular smartphones with apps were well established, convenient but had limited security;
  • he stressed the importance of ensuring transparency both on the technology and on the decision-making process;
  • he suggested considering and budgeting for Open Source solutions;
  • regarding the economic challenges, he pointed out that appropriately protected ICT required further support in the market to ensure a level-playing field with 'free' ICT that was often convenient but insecure;
  • he also highlighted the market dominance regarding the Operating systems;
  • he believed that the proposed €31 million investment was too limited and the 6-12 period for the Commission and the MS to operationalise the proposal was too hurried;
  • the relationship with sector-specific legislation such as the Payment Services Directive (PSD2) should also be taken into account;
  • in conclusion, he stressed the importance of preserving users’ trust, involving all communities, including independent experts and civil society, having transparency on the decisions and reserving sufficient resources.

Thomas Lohninger, Executive Director of the digital rights NGO epicenter.works and Vice-President of EDRi

  • he agreed with the previous speakers and stressed the importance of this file;
  • as this important architecture would become a widespread technology in all aspects of daily life, it was very important for the Parliament to introduce all the necessary safeguards;
  • he was concerned about Article 11(a) which mandated a unique persistent identifier. He believed that this provision was unlawful and unconstitutional in several countries and would limit anonymity. It also raised the question of how free consent could be given to share information;
  • he also highlighted the legal hurdles concerning selective disclosures and data minimisation in Article 6a(4)(d) and 3(5);
  • he believed that the 28 delegated and implementing acts also included very important feature safeguards and architectural principles that should be included in the main text;
  • moreover, Article 6(a) provided a separation of the data collected by the digital wallet when using the wallet while acknowledging that this data would be available to the provider of the wallet. He believed that it was unnecessary and called on the Parliament to act on this issue;
    • he called for technical standards to guarantee unobservability and suggested choosing an infrastructure that would not allow for essential observations;
  • one of the main aspects of the eIDAS reform was the introduction of the private sector. He called for proper safeguards for private companies to prevent them from abusing the system, such as advertising purposes, especially considering the current lack of GDPR enforcement;
    • he suggested the possibility of creating blacklists for services for which the system should not be used as well as a mechanism to revoke access to the system;
  • he noted the concerns of the web browser sector concerning the introduction of qualified web authentication certificates in Article 45;
  • he noted that certain households might face challenges in obtaining a smartphone and might lack digital literacy and regretted that these aspects had not been addressed in the proposal;
    • moreover, the digital divide might become problematic as people deciding not to use the system would be disadvantaged, for example with higher fees for non-digital solutions;
    • he called for an anti-discrimination provision to ensure the legitimate option for citizens not to use digital solutions in government services;
  • he questioned whether the proposal would be beneficial for privacy considering the consequences on anonymity and called for the creation of an alternative that would uphold EU rights and values;
  • he hoped that the EU would not end up strengthening the tracking industry.

Catalina Dodu, Board Member ANIS Romania - Employers' Association of the Software and Services Industry

  • it was important to simplify trust by providing user-friendly solutions for citizens and businesses and to provide control for users over their personal data;
  • the eID wallet was a step in the right direction and the use of secure and user-friendly digital identities should be accelerated;
  • the eID wallet should be based on high security and certification to protect the cybersecurity and personal data of European citizens;
  • on privacy, she stressed the need to focus on private use cases to ensure the adoption and use of digital identities for the establishment of meaningful cross-border use cases;
  • she believed that the EU had the experience and the competences to overcome the challenges;
  • however, she stressed the importance of including all EU citizens. For instance, several MS did not have an electronic ID;
  • the proposal should therefore provide clear legal and technical specifications and requirements as well as support the MS in the implementation of the system, going beyond recommendations;
  • it was crucial to protect the citizens’ data and protect the citizens against identity fraud and crimes;
  • moreover, the use of eID wallets should be accepted by the public and private entities to ensure widespread use;
  • the experience of the private sector alongside the public sector should be taken into account to support the development of the system;
  • she stressed the importance of investing in a value chain and technological innovation that can support such development.

Rapporteur Romana Jerković (S&D, Croatia)

  • Europe had developed a leading digital identity ecosystem but this progress should be accelerated to respond to the technological changes, market realities and users’ demands;
  • 60% of users wanted a secure single digital ID for all online services, where they could control their data, and 72% demanded information on how their data was processed when using social media;
  • she cited several issues that should be addressed: the architecture of the certifications, the implementing acts, the terminology, the cross-border usage and the unique and personal identifier;
  • she fully agreed with Mr Feraud and Ms Dodu that the digital wallet required the highest level of security and a mandatory certification system;
  • she also agreed with Mr Wiewiórowski that the digital wallet had the potential to address issues related to excessive processing of personal data;
  • referring to Mr Rannenberg, she stated that trust, transparency and user control over their personal data were essential to ensure a broad usage of the eID system;
  • moreover, the Digital Services Act, the Digital Markets Act, the Cybersecurity Act and the upcoming Data Act should be carefully considered to ensure legislative coherence, avoid overlaps and minimise risks of possible exemptions for big platforms;
  • she questioned whether the proposal included sufficient safeguards to guarantee a harmonised level of trust in the EU;
  • despite these challenges, she called on the EU to be ambitious and bold in its vision.

Shadow Rapporteurs

Pascal Arimont (EPP, Belgium) on behalf of Riho Terras (EPP, Estonia)

  • he questioned whether wallets should be public goods, issued by the state;
  • on cross-border interoperability of eID data, he questioned the feasibility of transferring eID data from (e.g.) a Belgian wallet to a German wallet;
  • in technical and legal terms, he questioned how to ensure that a person truly had an attribute in order to avoid false attributes, for instance, with someone using another person’s vaccine pass.

Alin Mituța (RE, Romania)

  • if regulated correctly, he believed that eID was a major opportunity for EU citizens and businesses;
  • he asked about the role of stakeholders in the private sector in bridging the gap between the MS in the development and the roll-out of the wallets;
  • he asked about the ‘right’ balance between the EU framework and the specific infrastructure developed at the national level to ensure a high level of harmonisation and interoperability;
  • he asked for the experts’ position on website authentication and the measures to be taken to ensure a more inclusive procedure for the IT community, such as IT experts, browsers and users;
  • he questioned how the browser community could comply with the EU requirements on the recognition of verified certificates for website authentication.

Mikuláš Peksa (Greens/EFA, Czechia)

  • he asked the experts for one single measure to improve the proposal to increase individual security and data privacy.

Dace Melbārde (ECR, Latvia)

  • she asked about the interplay between the public and private sectors;
    • if the aim of the eID was to prevent the private sector from using sensitive private data, she stated that the EU had already “missed the train” as eIDAS relied on authentication solutions developed by the private sector and successfully implemented in some MS;
  • she questioned whether there was a difference between small regional private companies and companies such as Apple in ensuring trust and security;
  • she was concerned that the proposed approach might risk stopping or even reversing the technological innovation and solutions regarding online authentication;
  • she questioned how the private sector could be brought on board instead of alienating it;
  • moreover, with the proposed approach, governments may end up having more information on citizens’ actions. She noted that many constituents would prefer sharing information with private companies instead of their government and asked for the experts’ views.

Andrus Ansip (RE, Estonia), IMCO Rapporteur

  • he asked about technological neutrality;
  • he noted that software-based solutions relying on cryptography technology certified for digital identity such as SplitKey, were already established in some MS and functioned well;
  • he questioned whether software-based solutions should be equally promoted alongside hardware solutions.

Cristian Terheş (ECR, Romania), LIBE Rapporteur

  • he noted that several MS had ruled unique identifiers unconstitutional and questioned how the eID systems could be implemented across Europe;
  • regarding criminal cases, he noted that currently, getting evidence regarding a crime required a decision from a judge. He questioned how a national law enforcement agency would be granted rights to get the evidence in the future;
  • concerning the security certificates, he noted that several browser companies including Google, Mozilla, Apple and Microsoft had raised serious concerns on risks for national security and surveillance from third countries;
  • he noted the lack of transparency regarding the Toolbox.

Alban Feraud, President of EUROSMART

  • based on the current text, MS would decide on the governance model, whether they would establish it by themselves or mandate a third party under their supervision. This issue of public/private good was therefore under the MS remit;
  • he agreed on the importance of ensuring that the attribute was well-bound to the holder;
  • he noted issues related to the governance of the trust services in charge of the attestation of attributes;
    • he called for a clear technical requirement followed by a certification scheme that should be under the supervision and control of the EU MS;
    • this would ensure that the procedures would be harmoniously enforced across all the MS;
    • this would therefore require a clear technical standard that still had to be developed;
    • it was essential to ensure identity proofing and to assess the quality of the attribute used to generate the attestation;
  • he believed that the text should be tech-neutral to foster technical innovation, however, the legislators and the Commission should explain in an objective manner the security goals and the importance of the security certification;
  • he called for a mandatory pan-European security certification scheme for secure software, something that was currently not mandated in the Cybersecurity Act;
    • moreover, side technologies (e.g. biometric identification on a phone) should also be considered.

Wojciech Wiewiórowski, European Data Protection Supervisor

  • in his view, a clear definition of the responsibilities of involved parties would be the most important item in the eID proposal;
  • he also demanded answers on the unique and persistent electronic identifier being implemented in MS where it had been ruled unlawful;
    • he acknowledged that a unique identifier would not be mandatory, however, the use of the electronic service would require such a solution;
  • on tech neutrality, he fully agreed with the fact that the software solution may be as secure as hardware solutions. However, the EDPS had not assessed any of the existing national solutions;
  • he agreed that the decisions on what was allowed should be issued according to the certification schemes, both for security and for data protection reasons.

Kai Rannenberg, Chair of Mobile Business and Multilateral Security, Goethe University Frankfurt

  • from the user’s perspective, he believed that the wallet should be a public good where the State provided a minimum degree of services, available for all, with reasonable quality and at an affordable price, similar to postal services and telecommunication services;
  • nevertheless, there should also be a possibility for the private sector to offer parallel services, such as public and private broadband services. While this parallelism might be considered as ‘redundant’, it was very important to have multiple approaches at this stage;
  • on the security of attributes, he would analyse the proposed protocols once they would be made available;
  • he agreed that hardware and software solutions could be equivalent, however, hardware solutions had a higher complexity and manageability for users;
  • the hardware solutions should be considered in more detail;
  • it would be up to the MS to decide on whether they would rely on small providers. He believed that a parallel infrastructure would be useful.

Thomas Lohninger, Executive Director of the digital rights NGO epicenter.works and Vice-President of EDRi

  • in his opinion, the eID wallet should aspire to be a public good, especially to ensure citizens’ trust;
  • concerning the architecture, he stressed the importance of ensuring interoperability between the MS;
  • he called on the EU to establish principle-based safeguards within the proposal to ensure that the system would “deserve citizens’ trust” following the implementation of the legislation or of the delegated acts in all MS;
    • his examples included the protection against user tracking, area-specific personal identifier or company-specific identifier;
  • in his view, the most important safeguard would be the unobservability of the system to prevent a central entity from observing the transactions;
  • he called for a balance concerning the eID provisions and the MS national privacy provisions;
  • he noted a strong industry interest in using government systems to optimise speed, efficiency and trust. He believed that the system could be a powerful general-purpose technology;
  • on browser security, he questioned the legitimacy of Article 45 and suggested removing it.

Catalina Dodu, Board Member ANIS Romania - Employers' Association of the Software and Services Industry

  • considering the technical aspects and the complexity of the project, she called for strong, concrete and common recommendations to guarantee a high level of protection and reliability of the system across the MS;
    • this would prevent the MS from implementing the system in an “extreme” way;
  • doing ‘too little’ would lead to security and personal data issues while doing ‘too much’ would limit the access to the system and slow down its implementation;
  • in her view, security measures should be considered as the main priority, including limited access to data to protect it from attacks. She noted that such a system in every MS and at the EU level might be a visible target and should therefore be protected.

Second round of questions

Angelika Niebler (EPP, Germany)

  • she stated that it was good that the Committee was taking the time to discuss the topic;
  • she believed that they needed to consider best practices. The COVID vaccination certificates that had been designed and implemented in a matter of months were a ‘great success story’ for the EU. She asked what lessons could be learned from the COVID vaccine certificates;
  • there was also already a lot of experience in the Scandinavian countries;
  • she stated that a cybersecurity scheme for the wallet was necessary and also that there should be an agency that would be able to provide guidance. She wondered if ENISA and the cooperation mechanisms within it might be able to produce the digital wallet quickly and roll it out.

Josianne Cutajar (S&D, Malta)

  • trusted and secure digital identity for all Europeans was a crucial step forward for the European digital decade. Most importantly, it would simplify access to digital services for European citizens and enterprises and protect their data in a way that they deemed suitable for their needs;
  • she noted that she was working on the 2030 digital policy programme that established, among others, concrete targets on the digitalisation of public services;
    • the ambition was that by 2030 80% of European citizens would use digital IDs;
  • she asked if this target was achievable;
  • concerning data control, she noted that the Commission had assured that the digital identity would give European citizens and businesses full control over the data that they wanted to share;
  • she questioned what was the best way to simplify the user experience as much as possible to empower citizens.

Nicola Beer (RE, Germany)

  • she noted the complexity of the subject and the opportunities it represented to fight fraud, money laundering or to improve access to digital services;
  • she stated that the regulation for a digital identity needed to be approached sensibly, which was what several experts had said;
  • she emphasised the differentiation between the different fields of application which may present different requirements, whether in terms of security or personal data protection;
    • for example, she was dealing with the financial services platforms in the city of Frankfurt and noted that the stakeholders faced higher requirements and would have difficulties in meeting the European requirements as well;
    • she questioned how the European ambitions could be reconciled with these specific requirements, particularly in terms of the responsibility of the actors, especially for those who used pre-existing systems;
  • she asked about possible abuses with multiple identifications;
  • she asked about the mandatory offline access, for instance, to retrieve documents;
  • regarding payments for services, she questioned how they could ensure the authenticity of the receiver of the payment;
  • she stressed that there were currently higher requirements in certain sectors that should also be taken into account.

Tsvetelina Penkova (S&D, Bulgaria)

  • she stated that the proposal addressed some of the shortcomings of eIDAS and would improve effectiveness;
  • the framework was also extending the benefits to the private sector;
  • the digital wallets would allow consumers and businesses across the EU to have control over the personal data shared and this would be a major improvement;
  • she asked the experts how they believed that the neutrality of the technologies used could be ensured;
  • she also questioned whether interoperability could be guaranteed;
  • she asked whether there was a better way to manage the choices for consumers i.e. if there would be one wallet or multiple wallets. She stated that it was about user experience and consumer trust.

Robert Roos (ECR, Netherlands)

  • he was happy with the criticisms about the European digital identity wallet because they were necessary;
  • he emphasised that he only wanted solutions that would serve European citizens;
    • he asked how and why the wallet would serve EU citizens. He saw that there were opportunities for the public sector and industry, but he questioned what the added value was for people, in comparison to the current situation;
    • he questioned whether the advantages would outweigh the enormous amount of data that would be collected and stored. There were potential dangers in this;
  • he also questioned how voluntary the digital wallet would be, and even more importantly, how voluntary it would remain in the future. He stated that the EU always came up with “nice plans” that were eventually abused to create more control. A recent example of this was the Green Pass.

Carlos Zorrinho (S&D, Portugal)

  • he stated that the digital identity wallet was a crucial issue to consider, particularly in the context of the EU’s sovereignty in the digital transition;
  • the principles of the single application and authentication should be integrated and he asked for the experts’ views on this.

Miapetra Kumpula-Natri (S&D, Finland)

  • she stated that it was extremely important to consider the technical details to ensure that the digital wallet was secure and future-proof;
  • the systems should be opened up for testing;
  • even with the GDPR, it was still clear that data was used for tracking and personalised advertisements;
  • she stated that digital identities should be identifiable online;
  • she noted that the Digital Governance Act provided some suggestions on how to govern the data, and she also mentioned the data innovation portal;
  • she suggested more inclusion of stakeholders and NGOs when developing the standards for the wallet.

Francesca Donato (NI, Italy)

  • she mentioned the issue of full control by the users of their data. There was the potential risk of the abuse of the system due to a lack of the necessary safeguards;
  • there was also the issue of the risk of possible discrimination against people not using the digital ID services;
  • she stated that the EU was not ready for a “dramatic innovation” such as the digital identity wallet without first establishing a solid framework for the individual private property of personal data with a strong set of safeguards against any possible breaches or misuses.

Catch-the-eye

Bronis Ropė (Greens/EFA, Lithuania)

  • he stated that there had been several incidents over the past several years regarding the theft of personal data and that nothing had been done about it;
  • he stated that the internet was open for criminal activities and that citizens were not being protected;
  • new banking apps and programmes were being introduced, and he stated that the security standards of these were ‘not that high’. People were not able to carry out their transactions in a way that ensured that they were safe on the internet and he noted that banks could not be held responsible;
  • he stated that they needed to step up their actions to ensure that people could carry out their transactions safely and also so that there was responsibility.

Adriana Maldonado López (S&D, Spain)

  • she recalled the comment that there were many European countries that were not yet legally equipped to implement the digital identity wallet;
  • she asked what they could do to ensure that European consumers would actually use the wallet. It needed to be based on trust;
  • she also mentioned the importance of evaluating the system.

Wojciech Wiewiórowski, European Data Protection Supervisor

  • he agreed that there were both good and bad past experiences associated with the use of electronic identity services;
  • the experience of the Green Passes should not be overestimated;
    • he stated that there were positive elements, such as their interoperability and that most of the standards were public. There had also been a good consultation process with the EDPS from the Commission;
    • at the same time, he emphasised that it was a very specific project that had the single goal of restoring the freedom of movement. There were problems with the reuse of the passes for other purposes and he noted that the MS had not hidden their intentions to use the passes for other purposes;
  • as the EDPS, he called for high standards and a high level of protection;
  • he recalled the 1999 Electronic Signatures Directive in which the standards were “organisationally a good solution” but the thresholds for those who would use those services were too high;
  • concerning the added value for European citizens, he mentioned the interoperability of the solutions. He stated that given the huge numbers of European citizens who lived and travelled in different countries, the idea of having an electronic identification system for each individual MS was “simply outdated”;
  • he stated that he was surprised that there had been no questions about the blockchain parts of the proposal, but stated that the EDPS was ready to discuss these issues as well.

Alban Feraud, President of EUROSMART

  • regarding cybersecurity certification, he stated that ENISA could “help bridge the gap” on this;
  • he noted that standardisation activities were already ongoing at CEN and the results could potentially be used in future European cybersecurity schemes;
  • he believed that the objective of 80% of European citizens using digital IDs by 2030 was achievable;
    • it would be easy to develop solutions for mobile phones and he stated that it would be possible to leverage the security hardware components of phones to ensure a high level of security;
  • he stated that it would not be possible to only rely on the consent of the consumers for data protection;
    • he pointed out the issue of the electronic attestation providers for which there were no requirements for data protection certification and stated that it should be made mandatory;
    • there were also issues concerning the territoriality of data and the data of legal persons;
  • although it was a step forward, he stated that methodologies were necessary for data protection certification. He stated that the EDPB should provide support in this regard;
  • he did not have an answer to whether there should be one wallet or several and believed that it was within the remit of the MS to decide. He noted that there was not a consensus among the MS and that there were different perspectives on the provision of the services;
    • from the industry perspective, it was important to ensure that both elements of the wallet (the user device and the server) were secure through mutual authentication. They should be paired in order to ensure the security of the whole system. He suggested that there should be provisions in the text to secure the pairing between two pieces of the wallet.

Kai Rannenberg, Chair of Mobile Business and Multilateral Security, Goethe University Frankfurt

  • he stated that the questions illustrated that there were a number of conflicting requirements;
  • learning lessons from the Green Passes was difficult as already pointed out by the EDPS. The Green Passes were a very specific application, which meant that a “very concrete” risk assessment could be carried out;
  • he stated that it would be useful to have more examples of concrete applications in order to gain experience, but emphasised that it would not be too useful for general solutions;
  • for general solutions, he suggested that it would be useful to examine the history of the development of wallets and how internet communications had developed;
  • he stated that they should start with “light-weight solutions” that would allow users to move back and forth with the attributes as needed;
  • if there were higher requirements (for example banking had been mentioned), he suggested that it should be considered as extra infrastructure for specific purposes. He believed that in the future there would be several different wallets “in our pockets”;
  • he stated that they should not aim for full integration because that would create contradictions between the different necessary requirements;
    • he stated that there should be high security but a low collection of data, as well as very good unobservability and non-mandatory unique identification. On the basis of this a voluntary measure could be built;
  • working with ENISA was a good idea and he noted that they should also not forget the European standardisation organisations with which ENISA also worked. He stated that the Commission should collaborate with ENISA, particularly with regard to ENISA’s work with the private sector.

Thomas Lohninger, Executive Director of the digital rights NGO epicenter.works and Vice-President of EDRi

  • concerning the COVID-19 certificates, he noted that he had been involved in the work and that he was happy with the solutions that had been achieved;
  • he agreed that the certificates solved a very specific problem and that the European digital identity wallet would have a much broader scope and general purpose. However, he underlined that the system would include health attributes in the future and specifically mentioned medication and vaccination certificates in this regard;
    • he noted that if there was another health emergency on the scale of COVID-19 and the digital wallet system was already in place, then it would be one of the first measures looked at;
  • he questioned if they really wanted to adopt something that had lower privacy standards;
  • observability was one of the key elements in assessing how much the proposal respected privacy;
  • he pointed out that the Netherlands had extended the COVID-19 certificates for domestic uses and emphasised that they needed to consider what the final uses of the system would be;
  • for this reason, it was important to consider what the relying parties would be. For example, the banking sector was an interesting example because the know-your-customer requirements were very strong. It was understandable that companies wanted to know more and ensure that the information that they had was correct;
    • revocation (e.g. a name change) was an important issue for them but it was very tricky from a privacy perspective and he questioned whether the same systems were desirable for a credit scoring company for example;
    • he stressed the importance of considering whether a one-size-fits-all approach for all relying parties would be appropriate. If there were disagreements on this, then interoperability would become challenging;
  • he stressed that rushing the work on this proposal would be “very dangerous”;
  • it was very important to get it right and to have the trust of the European citizens;
  • the COVID-19 certificates were a system that created trust which contributed to them being so widely adopted;
  • he stated that if they wanted to have the users in control, then non-discrimination provisions needed to be included. Users needed to be free in the choices that they made.

Catalina Dodu, Board Member ANIS Romania - Employers' Association of the Software and Services Industry

  • concerning the question about the advantages for European citizens, she stated that there would be clear advantages in terms of the easy accessibility to different services (especially public services) and also for travelling;
  • she stated that the move towards an identity wallet was the “natural next step”. She noted that there was a willingness from European citizens to use it as long as it was trustworthy and safe;
  • while the system should be optional for European citizens to use, it should be mandatory for institutions to accept the wallet;
  • she stated that they should make use of previous experiences of wallets and electronic identities, even if they were less complex than what was proposed for the digital wallet.

Norbert Sagstetter, Deputy Head of Unit - eGovernment and Trust, DG CONNECT, European Commission

  • he stated that it had been a very important and substantial discussion for the Commission;
  • many of the issues that had been raised were at the core of the Commission’s concerns;
  • the Commission believed that the proposal would be a significant change for European citizens and would offer them a system that was voluntary, free to use and under full user control;
  • it would improve the availability of digital identity and it would also establish a system that could be used in both the private and public sectors. He stated that the system was also “fully geared towards data protection”;
  • it would also create opportunities for businesses;
  • the proposal also gave governments in Europe the opportunity to identify their citizens in the digital sphere;
  • regarding security and privacy, he stated that the Commission had invested a lot in this and believed that the proposal included very strong safeguards. There were data protection requirements that required the functional and structural separation for the issuers of the wallet;
    • for identity providers, it required registration for relying parties;
    • selective disclosure was a basic development feature;
    • data minimisation was a fundamental element of the GDPR. He stated that the wallet would be GDPR-certified and that the proposal also required the cybersecurity certification of the whole wallet;
  • the Commission strongly believed that the trust and security elements were key to the uptake by the citizens;
  • it was also clear from the debate that the implementation of the proposal was crucial. In this regard, he mentioned the parallel toolbox exercise, and he also mentioned the eIDAS expert group;
    • he noted that the Commission would be establishing a dedicated stakeholder platform in February 2022 where the Commission would publish the first major deliverable which was the outline of the future technical architecture and reference framework for stakeholder feedback;
  • he stated that the Commission had received very positive feedback from the financial sector. The Commission was not “intending to dominate the market” with the single wallet but was intending to provide a product that satisfied the highest levels of security and trust;
  • regarding qualified website authentication certificates, he stated that it was a possibility for transparency and security on the internet and enforced legislation that had been in place since 2014;
  • he did not agree with the claims that it would challenge security.

Rapporteur Romana Jerković (S&D, Croatia)

  • she stated that the single market remained highly fragmented. The digital identity under eIDAS had not achieved its potential in terms of its effectiveness and ability to push the EU towards true digital citizenship where personal data, fundamental rights and freedoms were protected and respected in the online world the same way as in the physical world;
  • the protection of personal data was at the core of the proposal and she welcomed this;
  • she saw a lot of potential for using digital wallets as a tool for addressing the issue of excessive data processing and reducing people’s digital footprint online;
    • this was particularly relevant in relation to Big Tech platforms that aggregated and processed massive amounts of personal data with the end goal of monetising it;
  • she also mentioned public-private partnerships and stated that they would be an “essential enabler for this paradigm shift”;
  • she stated that the success of the proposal would rest on their ability to create a critical mass of users. To achieve this, the digital wallet would need to be secure and easy to use;
  • security would have to go hand-in-hand with the usability and accessibility of the wallet.

The simultaneous interpretation of debates provided by the EU institutions serves only to facilitate communication amongst the participants in the meeting. It does not constitute an authentic record of proceedings. One Policy Place uses these translations so this text is only a guide and should not be relied on as an official account of the meeting. Only the original speech or the revised written translation of that speech is authentic.

 