After almost three years of negotiations, the EU reform on digital identity (eIDAS) was adopted in the European Parliament on Thursday, 29 February 2024. While this milestone is celebrated, it is also important to take a critical look at the implications of the regulation. The widespread availability of eID systems also creates new potential for abuse and surveillance. If the EU's plans are implemented and around 80% of the population use these systems by 2030 and all areas of life from doctor's appointments and Google logins to public transport are interconnected, we will come ever closer to a panopticon of digital surveillance. The eIDAS will also bring state-certified, cryptographically signed personal data into circulation, reducing the cost of identifying a person from several euros to zero.

Although the eIDAS Regulation contains many important safeguards, it is crucial that nobody is forced to use this digital identity. This is also guaranteed in the law for state services, the economy and the labour market. Practice will show whether these guarantees are honoured in reality. All use cases for the eID are listed in a publicly accessible list to ensure transparency as to which data can be requested from users. Users can also use an app to request the deletion of their own data and complain about misuse of the system. Companies can be kicked out of the eID system as a result. What we are missing in the law, however, is a ban on making biometrics mandatory in eID systems.

What's next?

First of all, the technical implementation of the system will be interesting. The EU Commission must present guidelines for the technical design in the summer. In a detailed report, we have analysed which safeguards should be implemented in this context. Find a more detailed summary of the outcome of the negotiations here:

READ THE BLOGPOST

However, the debate about digital identity does not end with the eIDAS Regulation. As part of a new project, the United Nations is working on minimum standards for the use of eID systems at a global level. Given past violations of human rights standards in such systems, it is crucial that the highest possible safeguards are implemented. However, the term "Digital Public Infrastructure" covers not only the eID, but also other digital systems such as the digital euro and the exchange of data on a much larger scale. Thomas Lohninger has been appointed as Chair of the Governance Group for this United Nations initiative and will advocate for the highest possible safeguards and speak up for civil society.

Conclusion

Overall, 29 February 2024 marks an important step towards a digital identity in Europe. The EU's technical guidelines and the efforts of the United Nations will show the direction in which the digital public infrastructure is developing. It is crucial that progress is made with a sense of proportion and in compliance with highest data protection standards. Only then will we be able to ensure that digital identity becomes an instrument of freedom and not of surveillance.

Update 26 March 2024

Today, the member states in the Council of the EU adopted the law too, meaning it can come into force in a few weeks. The regulation is to be fully implemented by 2026.