Today was an important day in the fight against overreaching digital identity systems in the EU. The technical implementation of the European Digital Identity Wallet was rejected in the Council of the EU. Formally speaking there was no vote, but this is only because the Commission saw that they would not have a majority for their proposal among the Member States and therefore took the vote off the agenda. This is a blow to the attempts to withhold important privacy safeguards and water down protections enshrined by the EU legislator. Epicenter.works has worked tirelessly since 2021 on the underlying law (eIDAS regulation) and sees this a good day for the protection user’s autonomy over their digital identity.

The so-called implementing acts prescribe the technical specification and inner workings of the European Digital Identity Wallet. This Wallet is an app that should allow citizens to identify themselves and verify attributes about them vis-a-vis companies and government agencies, as well as logging into websites or sign documents. According to plans from the EU, the Wallet should become the ubiquitous platform for logging into social media, doctor visits, eGovernment, public transport, banking and age verification.

Today, our efforts to see these bad proposals fail could convince a blocking minority of EU Member States in the Comitology meeting that is required to pass the acts. To get here required from us many discussions with lawmakers, extensive legal analysis and proposals how to repair the text. Incoming Digital Commissioner Virkkunen will have to take responsibility to shepherd the European Digital Identity Wallet back to a place where it is deserving of users trust.

What this means for the timeline of the Wallet?

Today’s decision decision means that the original timeline to offer the Wallet to EU citizens no later than November 2026 will not hold. Previously the rejection of implementing acts led to postponements of around a year. In this case we expect a faster repair and maybe another vote in November based on an updated text. The additional time should be put to good use by improving the legal text. Diligence needs to be more important than speed.

Today only the five implementing acts were put to a vote that are necessary for starting the two year implementation deadline for Member States. The majority of the other acts are not up for public consultation even though they concern key parts of the law, like the registration of companies for the eIDAS ecosystem and the infamous QWACS (Article 45). We are awaiting their arrival.

UPDATE: Theoretically, if the amendments to the acts are accepted unanimously by Member States a vote earlier than the mandatory two week internal consultation period would be possible. This would allow for the November to still be met. 

What can we expect from the Wallet?

We want to give an overview what protections users can expect from the new European Digital Identity Wallet. This analysis is based on the most recent version of the implementing acts that were rejected today and that might change until the next vote.

The Good

First, the good news is that our call for unobservability was taken on board. Fully in line with the eIDAS legislation, the provider of the Wallet (often the government) will not be able to obtain knowledge about concrete user behavior or track activity where it is not absolutely necessary for the functioning of the Wallet or where the user has given explicit prior consent for functions like backup or complaints. Furthermore, thanks to our recommendation the transaction logs about everything a user does are only stored on the device of the user and not on any cloud.

Secondly, protections against tracking and profiling (unlinkability) aim to shield users from spying eyes of data brokers, credit scoring or big tech. The legal obligations in this respect are quite strong, but the technical standards the acts are prescribing can’t deliver on these promises. The legal text and the technical specifications are incompatible. This is an area where we’ll expect major hurdles in the future.

Thirdly, the European Commission wanted to limit the data protection rights of Europeans that use the Wallet and only allow them to launch complaints to their local data protection authority. Thankfully, they completely reverted course so that users have a choice to go to the Data Protection Authority of their choice.

The Bad

The biggest mistake by the European Commission was buckling to business interest by allowing illegal requests for personal information via the Wallet. The eIDAS regulation is clear that companies have to register their use cases of the Wallet and the information they intend to request from users. Going beyond that registration is illegal, but the Commission chose not to technically protect users from these illegal requests. They went so far, as to not harmonize or aggregate the registrations so to prevent privacy-friendly Member States to protect their citizens. This recreates the cookie-banner situation where users will be constantly asked to hand over their data without ever being given a meaningful choice.

Similarly bad is the failure to uphold the right to use pseudonyms. The eIDAS regulation would mandate that whenever a company doesn’t fall under a legal obligation to identify their customers, the user can choose to use a pseudonym. This is important since the Wallet will be used by Facebook, airlines, supermarkets and in many other daily situations. We always called the risk of “over-identification” and the loss of anonymity. Effectively this means in many situation the Wallet will not be a safe tool to use without massive privacy downsides. For example, age verification online is off-the-table if we don’t want our children to constantly hand-over their identity information to over-reaching companies. The Commission even cemented this problematic decision with a last minute change in the Article for pseudonyms that mandates that with any pseudonymous authentication the Wallet has to handover whichever identity information or other attributes the company requests. No option for the user to refuse handing over their data, if they don’t refrain from using the Wallet all together.

Lastly, the final acts have taken some of our ideas on board to ensure that revocation of attributes is not done by leaking personal information to third parties. But they neglected important privacy safeguards that the Commission itself has proposed in its previous technical specification. There was also a fierce battle between Member States about the re-introduction of a unique persistent identifier. Such a serial number for humans or a super-cookie that tracks people everywhere was re-inserted in a recital with the hopes that nobody would find it. This is highly undemocratic since it was a prime condition of the European Parliament to agree to the eIDAS reform.

Ugly Aspects

Weird things first, the European Digital Identity Wallet will have digital means to send complaints to data protection authorities and erasure requests to any company that obtained personal information. But the Commission failed to establish a backchannel and there is also no e-mail information in the minimum data set. We pointed out that without additional provisions companies and data protection authorities might end up in a situation where they have to send postal mail to users of the *Digital* Wallet because there is no other way to reach them.

The whole purpose of the acts was to ensure harmonized inter-operability of the Wallet. What was forgotten is that this should also apply to erasure requests and complaints. Since no technical standard was defined every national Wallet will implement their own procedure to communicate such requests. This will not only create a huge administrative burden for everyone who works cross-border, but also slow down GDPR enforcement and adherence to data subject rights.

We have seen a huge push from banking associations and other lobbying groups to mandate biometrics for the Wallet. This push was partly taken up with several amendments that don’t make biometrics mandatory, but strongly hint so Member States implement it. The minimum data set also contained facial images that changed to biometric images in the very last moment so as to prevent a public outcry during the consultation.

Privacy-Preserving technologies like Zero-Knowledge proofs are not mentioned once in the acts, similar to promising technologies like BBS+. The Commission promised in a new recital in all five acts that these documents will be regularly updated to reflect state of the art technology. We will certainly continue to pay close attention.