After the European health pass that entered into force on 1st July, the European Commission is planning to set up a European digital identity wallet for the 27 Member States of the European Union as early as next year. According to the first elements revealed on June 3rd, this wallet will be accessible to all citizens as well as residents and businesses in the EU.
It will enable people to identify themselves and securely access public and private online services that require strong authentication. A citizen located in another country will be able to open a bank account, rent an apartment (by presenting their tax declaration), or enroll in a university more easily.
This digital identity will be provided by the country of origin with the guarantee that it has been handed over personally; it will be in the form of a wallet stored on a cellphone or other personal device.
Within this digital safe, the citizen can upload, store, and use their personal data such as their driver’s license, a diploma, bank card, or medical prescription.
The examples provided by the Commission of what the wallet will enable include not only the possibility to check in faster at the airport, but also to avoid queuing at the car rental counter. The customer will have to have previously provided all the elements requested such as their passport, driver’s license, and bank card, then all they have to do is pick up the key from the car park and start the car with their smartphone.
“Citizens will have control of their data”
With this identification that is recognized across the whole European Union, businesses should gain new market opportunities by offering a wide range of new services based on this authentication building block, according to EU Commissioner for Internal Market, Thierry Breton.
As for privacy, Brussels states that “citizens will have control of their data”. They will be able to “choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing”. What’s more, the wallet will be able to prove a specific attribute of a person, such as their age, without revealing their identity or other personal data.
In terms of dates, the Commission has invited all Member States to immediately start preparatory work in order to set up a shared “toolbox” by September 2022. This toolbox should include the technical architecture, standards, and guidelines for best practices.
The Commission will propose “the standards, technical specifications, and operational aspects capable of guaranteeing that Member States’ digital identity wallets will have the highest levels of security”. According to an article in the Financial Times, the application would require a biometric check such as a fingerprint or retina scanning. Once the technical framework has been agreed, it can be tested in pilot projects.
The challenge of interoperability
The European Union is however not starting from scratch. It can rely on the existing legal and technical framework of the eIDAS regulation, dedicated to electronic identification, trust services, and electronic documents.
Adopted in 2014, this regulation aims to establish “an interoperability framework for the different systems implemented in Member States in order to promote the development of a digital trust market”, as is explained by the French National Cybersecurity Agency (ANSSI). On the technical side, ANSSI has brought together the different standards used by the regulation into a documentary database.
The eIDAS framework enables the issuing of qualified certificates for electronic signatures, electronic seals, and website authentication. However, “there is no requirement for Member States to develop a national digital ID and to make it interoperable with the ones of other Member States, which leads to high discrepancies between countries”, deplores the Commission.
The regulation does not contain provisions relating to the use of such an identification for private services or for mobile terminals, which leads to differences between countries.
Today, 19 digital identification systems are used by 14 countries, covering nearly 60 % of the EU population, “but the uptake rate of this systems is low, their use is cumbersome, and their commercial use limited”.
In France it is called FranceConnect. Launched in 2016, this online authentication system guarantees user identity based on existing accounts (for which identity has already been verified); these include France’s tax website impots.gouv.fr, its healthcare system ameli.fr, postal service L’Identité Numérique La Poste, and MobileConnect et moi, Orange’s authentication solution.
Although 26 million French people have already created an account on FranceConnect enabling them to access over 900 public service websites, the system is being ignored by businesses, according to “Les Echos”.
Deployment of the future wallet and its associated legislation should harmonize practices and facilitate the adoption of a universal digital identity. The Commission thus hopes to meet the objectives of its digital compass, which stipulates that by 2030 all key public services are to be available online, all citizens are to have access to their digital medical records, and 80 % of citizens should be using digital ID.
With this initiative, the Commission is also trying to pull the rug from under GAFA’s feet. The digital giants offer “social login” modules, such as Facebook Connect, to register on other websites with a user account.
With Apple Wallet and Google Pay, they also offer virtual wallets for storing bank cards, loyalty cards, and any other personal documents, with the risk that the associated data be used for marketing or commercial purposes.
As an answer to the issue of sovereignty, the European wallet, which would necessarily comply with GDPR requirements, would enable citizens to take back control of part of their personal data. It could nevertheless be subject to an appeal by civil society, like that of French association La Quadrature du Net, which filed proceedings against the French health pass, proceedings that have since been rejected by the French Council of State.