We are constantly fighting for user rights and protection in the upcoming eID Wallet. But the latest draft of the implementing acts leaves us torn once again. On the one hand, the Commission adopted important safeguards that we recently demanded in an open letter; on the other, it is bringing back privacy-hostile relics.

The road to a user-friendly and secure European eID remains bumpy. After we secured several safeguards in the eIDAS regulation itself, we now see the Commission trying to work around them in its technical implementation.

Last week we published an open letter urging the Commission to close certain loopholes that would lead to severe privacy and transparency problems.

Soon after our letter, the updated implementing acts reached us. At first, the latest draft seemed like a step in the right direction – until we discovered completely new weak spots that not only endanger user privacy but also contradict the European Parliament’s agreement.
 

A Step Towards Privacy...

The good news: our open letter had an impact! After we reached out together with 14 other organisations, the Commission adopted crucial safeguards. Our biggest achievement: registration certificates are now mandatory across all EU member states. This allows the wallet to verify who is authorised to request which information from users.

This means every relying party (a company, a state or whoever is asking for information from you through the wallet) will have to register the data categories (name, birth date, health data, ...) they want to request. Only then will the wallet be able to reliably warn users against overreaching requests – providing clarity and assurance for a trusted eIDAS ecosystem.

Check out our blog post to find out more: 

Civil Society Demands: EU Commission Must Close e-ID Loopholes!
 

…Followed by Two Steps Back

As we have come to expect by now, every victory for privacy in the eIDAS implementing acts process seems to be followed by the emergence of a new loophole. And this time is no different.

The latest draft is:

Undermining Transparency

A core pillar of trust in the eIDAS ecosystem is the public relying party registry. This registry is essential to enable oversight by public watchdogs and to ensure transparency. However, the current system makes it nearly impossible to obtain a meaningful overview of how relying parties are using digital identities – undermining the sole purpose of a transparency register.

Hindering the Right to Pseudonyms

The current draft of the implementing acts fails to clearly distinguish between cases where a relying party is legally required to identify wallet users and other scenarios where such identification is optional. Practically speaking, the Wallet doesn’t know whether it is interacting with a bank, which has a legal obligation to know who its customers are, or with Facebook, which has no right to identify or track us.

Since the right to use pseudonyms depends on this distinction, it is critical that relying parties explicitly state whether a legal identification obligation applies to them and, if so, under which law in particular. This lack of clarity cancels out the right to pseudonymity and makes enforcement nearly impossible.

Re-introducing a Unique Identifier

Even more concerning are the controversial changes made behind closed doors, after the public consultation process had already concluded, and at the explicit request of powerful industry players. These changes reintroduce a unique, persistent identifier and extend its scope towards the private sector – assigning users a lifelong, unchangeable digital identity number.

This proposal clearly contradicts the eIDAS regulation. The European Parliament had already drawn a clear red line against such an identifier – and now, it is being reintroduced in an undemocratic manner through an implementing act.

These privacy and transparency shortcomings undermine trust in the eIDAS ecosystem and the democratic process as a whole. They must be fixed immediately.
 

Loopholes Must be Closed: Concrete Solutions

To close these loopholes and ensure the highest security standards for the eIDAS wallet, we have submitted a detailed statement to the European Commission, outlining our concerns and proposing specific solutions.
