Before getting to the heart of the matter, it is essential to bring context to the European Commission’s (EC) proposal. As mentioned above, this upcoming European digital identity legal text will be inspired from the eIDAS regulation. The latter was adopted back in 2014 and aimed at providing the basis for cross-border electronic identification, authentication and website certification within the EU.
It represented the first legal text to regulate secure, trustworthy and easy-to-use electronic transitions encompassing electronic identification (eID), authentication and trust services.
The eIDAS Regulation does nevertheless present limitations, in the sense that there is no requirement for EU Member States to develop a national digital ID; and when it is the case, a given Member State has no obligation to make its eID interoperable with other EU countries. And this can lead to serious variations from one country to another.
As of today, there are 19 digital identification systems used by 14 Member States. Further, the existing regulation does not contain provisions regarding the use of such identification for private services or mobile terminals, which leads – once again – to differences between countries. The identification and authentication means developed so far by the private sector outside the eIDAS framework imply user-friendly third-party authentication services (for example relying on a Google account to log in to different services), to access unregulated private online services that do not require a high level of security.
These third-party services are also rather limited: they cannot offer the same level of legal certainty, data protection and privacy. As they are self-asserted, this is explained by the fact that they do not provide a link to a trusted and secure government eIDS.
Considering all of these limitations, the EC initiated an evaluation of the eIDAS Regulation, taking into account whether it remains fit for purpose, delivering the intended outcomes, results and impact. Based on the evaluation results, the Commission published its proposal on a European digital identity framework. The idea of the latter is notably to align with the objectives of the EU digital compass, which highlights that, by 2030, all key public services are to be available online, all citizens are to access their digital medical records, and 80% of citizens should be using a digital ID.
Besides, the idea is to guarantee both security and control to anyone possessing an eID, so they can assess who has access to their digital ID and to which specific piece of data. For this reason, the proposal focus on four main objectives being:
- To provide access to trusted and secure digital identity solutions that can be used across borders, meeting user expectations and market demand
- To ensure that both public and private services can count on trusted and secure digital identity solutions across borders
- To give citizens full control over their personal data and assure their security when using digital identity solutions
- To ensure equal conditions for the provision of qualified trust services in the EU and their acceptance
Following some stakeholders’ concerns, the rapporteur Romana Jerković published her draft report in May 2022, with changes and specifications on the structure of the European digital identity wallet, privacy and security, cross-border user identification, governance, among other points.
The European digital identity framework text proposition is to be discussed in the plenary occurring in mid-March, when the European Parliament will adopt its position on the matter.