Over the past three years, we have been warning about pitfalls regarding users’ safety, security and privacy. We have been calling for crucial privacy safeguards to be included in the eIDAS regulation and urging the European Commission to pay full justice to the complexity of this system that will affect a large majority of Europeans in their daily lives.

Now, as the actual implementation of the Wallet is coming closer, the European Commission ignores key privacy safeguards mandated by the eIDAS regulation which was finalised April 2024 and on which the whole eID system will be based. This is possible because in addition to the regulation itself, a range of implementing acts are foreseen which define the Wallet in more technical detail. These implementing acts drafted by the Commission, however, almost seem to reflect the Commission’s original regulation proposal from June 2021, while turning a blind eye to core safeguards included by the European Parliament and Council.

We urge Member States to repair the problems identified in this analysis in their negotiations leading up to the scheduled adoption of the implementing acts by 21. November 2024.

READ FULL ANALYSIS

Trading European’s Protection for a Hasty, Undemocratic Implementation Process

While the Commission is chasing an unrealistic deadline, the whole process becomes more and more undemocratic. First of all, the implementing acts do not need to pass through the European Parliament, which excludes MEPs from oversight over the details of the European eID’s implementation. This is even more problematic in this case as the Commission essentially ignores the law that also the implementing acts must abide (i.e. the eIDAS regulation).

Secondly, the speed at which the Commission is pushing for the eID’s implementation does not even allow for a proper review process, let alone the time necessary to lay out the details of a safe and secure cross border eID system that citizens can trust. Nobody could review the feedback not only on one but five implementing acts in this extremely tight time frame – not to speak of actually integrating the crucial input of technical and fundamental rights experts from civil society and academia.

Tight Deadline & Serious Gaps

But it gets worse. There are also five implementing acts that are still completely missing from the public consultation. They are also scheduled to be adopted on 17. November and at least one of them concerns crucial safeguards against the risk of over-identification and over-sharing of personal information – i.e. the regulation of who may ask which information from users. Without the safeguards of this missing part, the Commission is repeating the “cookie banner situation” by which all burden is put on the users’ shoulders who have to constantly decide about their privacy without ever being given a meaningful choice.

Even the European Commission itself admits that the implementing acts governing the development of the European eID system will need to be reopened within one year’s time. This essentially means tax money will be spent on a large-scale software project, in the middle of which fundamental requirements are going to change (e.g. for interoperability of the Wallet between Member States). This will alter the whole course of the Wallet’s development half way through and result in a large-scale waste of money, time and software development resources – for the development of an eID system that IT and fundamental rights experts will have to warn the public about.

What We Need: A Major Change of Course

Since the success of the European Digital Identity Wallet highly depends on trust by citizens and robust protections against the abuse of personal information, we cannot understand the choices that have lead to the Commission’s draft. We urge the European Commission to pay full justice to this delicate project and not to trade Europeans’ safety and security for an unrealistically fast implementation of a fundamental-rights-threatening digital ID Wallet. Without a course correction, it would be better if Member States were to reject the draft implementing acts in their upcoming meeting in mid October.