Analysis of Privacy-by-Design EU Legislation on Digital Public Infrastructures

This report analyses the human safeguards developed for Digital Public Infrastructure (DPI) systems in EU law. We detail mechanisms that aim to foster trust and inclusion in these systems and provide for state of the art privacy-by-design. Nine key recommendations to mitigate concrete harm are exemplified in their effect and detailed with legal text:

  1. Every citizen or resident of a country has a right to obtain digital identity free of charge. Use of the DPI is voluntary and horizontal obligations protect persons that are not using the system from being excluded, denied goods or services or disadvantaged in the private or public sector.

  2. A user interacting on a DPI system always knows the identity of the other party before personal information is exchanged. Who is asking makes a difference. Any information category asked from a user must be in a public registry of all DPI use cases. Users can file complaints and companies can be excluded from the DPI ecosystem.

  3. No personal information is shared without the users consent. A user can choose to comply with a request for information fully, not at all or partially by only selectively disclosing parts of the information they have been asked for.

  4. A privacy-by-design architecture prevents the operating authority of the DPI to obtain information about concrete user behaviour, without that users consent. Daily interactions on the DPI are invisible for the government and connected companies.

  5. A user interacting via the DPI with other parties is protected from tracking and profiling by privacy-enhancing technologies like pairwise-pseudonymous identifiers, zero-knoweldge proofs and unlinkability. A user cannot be identified with just one unique and persistent identifier.

  6. Users have a right to use freely chosen Pseudonyms not linked to their real identity whenever there is no legal obligation that they have to identify themselves.

  7. All DPI components must at be available open source for public scrutiny. Tax-payer funded DPI must be available under a free software licence.

  8. A full list of transactions has to be available to the user of the DPI. This includes the identity of all parties the user interacted with, any information shared and means to request deletion.

  9. Biometric authentication shall not be a precondition for using DPI. There must be a way to obtain a digital identity and use DPI without handing over biometrical information. Storage of biometrical information on a central server requires prior explicit consent from the user. Biometrical information has to be specially protected.