On 6. December 2022 the Council of the European Union will adopt its General Approach to the reform of the eIDAS regulation. Epicenter.works has obtained the text and issues a strong warning about the unprecedented risk and shortcomings of the new electronic identity system of the EU. The member-states-version of this important reform creates a dangerous and uncontrolled environment for the sensitive health, financial and identity data of all Europeans.

Member states have refused to enshrine the necessary privacy safeguards to make this system safe for all users. A unique and persistent identifier will allow the tracking and profiling of user behaviour across interactions with different companies and government entities. Every user transaction is centrally observable for the member state, thereby creating a panoptical view spanning across all areas of life. Bad actors have nothing to fear, because there is no effective mechanism to address criminal or fraudulent abuses of the system – particularly in cross-border cases.

The whole eIDAS reform is in jeopardy. On the current trajectory, privacy groups will have to warn citizens to stay away from this new system. All hope now lies with the European Parliament where the industry committee under the leadership of rapporteur Romana Jerkovic is in the final stages of the negotiations. All three committee opinions on the eIDAS reform include the much needed privacy safeguards that civil society and academics have called for.

Our detailed analysis of the proposal can be found here.

Background on the eIDAS 2 reform

The Cornerstone of the eIDAS reform is the European Digital Identity Wallet. This is a powerful, general purpose technology for identification, authentication and attribute verification of natural and legal persons vis-à-vis public authorities and private companies, online and offline. In practice, every EU country will provide such a wallet as an App for Smartphones with which their citizens can prove their name, family status, financial situation, educational degrees or COVID-19 vaccination status to others in a legally binding way. It will also be mandatory to have this system supported by large online platforms like Facebook, Amazon or Google. E-Government services, banks, energy providers and public transport services will also be obliged to use it. The industry interest in this reform is huge with the Commission aiming to have 80% of citizens using the system by 2030. Every-day situations in which people so far have the option to do things anonymously or without giving their full legal name could soon vanish.

A general introduction into the eIDAS reform and the problems connected to it can be found in our position paper from February 2022. This talk from re:publica in German and the slides from the EDPS IPEN workshop also provide an overview. A decision in Parliament is expected in December / January with trilog beginning in the first half of 2023 under Swedish Council Presidency.