eID: EU-Commission’s Sleight of Hand
Imagine someone hands you a beautifully wrapped gift, only for you to open it and find the box is empty. That’s what the Commission’s promise to protect users in the European eID Wallet felt like. It seemed real at first – carefully presented to build trust – but just as quickly, it’s been taken away, leaving nothing but disappointment. This sleight of hand doesn’t just feel deceptive, it undermines the trust that there had been a genuine commitment in the first place.
Only in mid-November we were celebrating an important milestone regarding the coming European eID. This is crucial, as we’re now in the hot phase of defining the inner workings and technical safeguards of the wallet through implementing acts. The first batch of these implementing acts was already adopted on 21 November 2024. After extensive debates with Member States and the EU Commission, several analyses and proposed amendments, the negotiators followed our recommendation regarding the first batch: Citizens finally got the guarantee to be warned when a service is illegally trying to obtain excessive data from their wallet. Only two weeks later, however, the Commission rendered this important improvement meaningless with a legal sleight of hand.
A Major Improvement for Citizens’ Protection...
Imagine this: Your favourite social media platform suddenly requests access to your health data every time you log in – information that is clearly not necessary for providing their services. If, according to its registration certificate, the platform is only eligible to access your name and email address, such an overreaching request is illegal. In case of such unlawful attempts to access your data – according to the first batch of technical implementation rules for the wallet – you would be warned about the social media platform’s illegal behaviour. This warning at least gives you the chance to exercise your rights and decline such illegal information requests.
So far so good – but before we go into how the EU Commission makes this important safeguard meaningless, we would like to at least acknowledge another important step in the direction of a safe digital ID that came with this first batch of rules. Its official publication on 28 November 2024 marks the start of the two-year implementation period – meaning EU member states must provide at least one eIDAS Wallet for their citizens by 28 November 2026.
The information about how and where you use the wallet – at the doctor, for your online logins, to use public transport, whenever you prove your identity etc. – will stay on your device. Importantly, this prevents the wallet operator from spying on citizens’ every-day life where information is not necessary for the wallet to function or the user hasn’t given their explicit consent.
Moreover, the Commission listened to us in enabling citizens to deny or answer information requests only selectively. For instance: When a service demands your complete ID information, you can disclose e.g. only your name, without your birthdate and other data, or you can deny the request altogether.
There are however severe shortcomings in the implementation of the right to use a pseudonym. Besides, the Commission suddenly added two more optional unique identifiers to the wallet without a clear need (E-mail and phone number). Find out more about wins and shortcomings in the first batch of rules for Europe’s digital ID here:
… Taken Away by the Commission’s Sleight of Hand
And now on to the frustrating part: Only two weeks after the EU Commission had committed to protect citizens from excessive data requests, it renders this important improvement meaningless with a legal sleight of hand.
Obviously, in order to know whether your favourite social media platform is asking for excessive data, the wallet must know what kind of data it is eligible to ask of us in the first place. That’s where the so-called “registration certificates” come in. These certificates, issued by the EU member states, allow your wallet to automatically check what information a particular service (e.g. an online platform, public transport company, your doctor, etc.) is allowed to access – i.e. only your name, or perhaps also your address and birthdate, or your education certificates. This is how the wallet can check whether a certain request is illegal.
Alarmingly, in the current second batch of rules for the digital wallet, the Commission suddenly makes those registration certificates optional. This means each member state can decide whether companies, governments, and other entities within their jurisdiction are even required to declare which data categories they intend to request from users. The Commission is thus essentially removing the mandatory automatic check for illegal data requests. Therefore you wouldn’t be able to tell whether “no warning” means that e.g. a request for your birthdate by some online shop is lawful, or whether it just means that the country where the company is located simply doesn’t require registration certificates.
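To make the mechanism concrete, here is a small illustrative check written for this post; it is not code from any wallet implementation or from the implementing acts. It assumes a simplified registration certificate that lists the attributes a relying party may request, a request naming the attributes it actually asks for, and a lookup table standing in for the member-state registry. The relying party names, attribute names and the registry contents are constructed sample data. The point it shows is the one made above: once certificates are optional, a missing certificate can no longer be treated as a red flag, so the wallet is silent both for a lawful request and for a request it simply could not verify.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    LAWFUL = "lawful"                # every requested attribute is covered by the certificate
    EXCESSIVE = "excessive"          # request goes beyond what the certificate allows
    UNVERIFIABLE = "unverifiable"    # no registration certificate exists for this party


@dataclass(frozen=True)
class RegistrationCertificate:
    """Simplified relying-party registration certificate (assumption: one attribute set per party)."""
    relying_party: str
    allowed_attributes: frozenset


@dataclass(frozen=True)
class PresentationRequest:
    """What a service asks the wallet to disclose."""
    relying_party: str
    requested_attributes: frozenset


# Constructed sample registry: the social platform has a certificate, the shop has none
# (its member state chose not to issue registration certificates).
REGISTRY = {
    "social-platform.example": RegistrationCertificate(
        "social-platform.example", frozenset({"given_name", "family_name", "email"})
    ),
}

SOCIAL_REQUEST = PresentationRequest(
    "social-platform.example",
    frozenset({"given_name", "family_name", "email", "health_record"}),
)
SHOP_REQUEST = PresentationRequest("shop.example", frozenset({"birth_date"}))


def check_request(request, registry):
    """Compare a request against the party's certificate.

    Returns (verdict, excess_attributes). The excess set is what the party asked for
    beyond its registered entitlement; it is empty unless the verdict is EXCESSIVE.
    """
    certificate = registry.get(request.relying_party)
    if certificate is None:
        return Verdict.UNVERIFIABLE, frozenset()
    excess = request.requested_attributes - certificate.allowed_attributes
    if excess:
        return Verdict.EXCESSIVE, frozenset(excess)
    return Verdict.LAWFUL, frozenset()


def warn_user(verdict, certificates_mandatory):
    """Decide whether the wallet shows a warning.

    With mandatory certificates, a missing certificate means the party never registered,
    so the wallet can warn. With optional certificates, absence is a legitimate state in
    some member states, so the wallet cannot warn on it without false alarms: UNVERIFIABLE
    and LAWFUL become indistinguishable to the user.
    """
    if verdict is Verdict.EXCESSIVE:
        return True
    if verdict is Verdict.UNVERIFIABLE:
        return certificates_mandatory
    return False


if __name__ == "__main__":
    for req in (SOCIAL_REQUEST, SHOP_REQUEST):
        verdict, excess = check_request(req, REGISTRY)
        for mandatory in (True, False):
            print(
                f"{req.relying_party}: {verdict.value}, excess={sorted(excess)}, "
                f"certificates_mandatory={mandatory} -> warning={warn_user(verdict, mandatory)}"
            )
```

Run as a script, the social platform's request is flagged as excessive (the health record is outside its certificate) under both regimes, while the shop's request produces a warning only when certificates are mandatory; with optional certificates the user sees "no warning" for it, exactly the ambiguity described above.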
Loopholes to Escape Automatic Checks
This also means that companies that want to access your data can escape this automatic check. Perhaps your country of residence has implemented the certificates necessary for the wallet to warn you about illegal data requests, or maybe even to filter them out automatically. Your favourite social media platform, however, may be located in another country which chose not to issue such registration certificates, making it impossible for your wallet to protect you.
There is no doubt that a country like Ireland – that is infamous for not enforcing EU law against international corporations – would allow Facebook Ireland to ask users for everything, by simply making use of this loophole. This would enable the social network to easily obtain whatever data it wants. No country could protect its citizens from illegal information requests from other EU countries. This undermines trust in cross-border interactions and even the whole eIDAS ecosystem, rendering it dead on arrival.
Registration Certificates must be Mandatory
As we can see, the EU Commission is rendering our hard-won safeguard from the first batch of implementing acts completely obsolete, just two weeks later with the second batch. This isn’t just frustrating for privacy advocates – it actually puts users at risk and directly contradicts the core goal of the eIDAS regulation: fostering unified trust in the EU digital identity system. If the EU Commission continues to act in this manner, it risks eroding users’ trust in the digital ID, rendering the wallet itself redundant.
We therefore strongly advise against the adoption of the Commission’s proposal and argue in favor of making the relying party registration certificates mandatory in all EU member states.