EU-wide online ID cards: “Highly problematic from a data protection perspective”


Thomas Lohninger, Managing Director of the civil society organization epicenter.works from Austria, has sharply criticized the EU Commission’s draft regulation for a European digital identity (EUid). It is “unfortunately from a data protection point of view” a “highly problematic dossier,” he complained on Friday at an online event of the conference of the independent data protection supervisory authorities of the federal and state governments (DSK) on European Data Protection Day.

According to the Commission’s proposal, EU countries will have to provide citizens and companies with digital wallets in the future. In these “e-wallets” they should be able to link their national electronic identity (eID) with proof of other personal attributes such as a driver’s license, diplomas, birth or marriage certificates and medical prescriptions.

There is a great need for such a solution for identification on the Internet, said Lohninger. However, the Commission’s announcement that users should retain control of their data is lip service. Article 11a of the draft provides for a lifelong unique identifier “which should be assigned and checked for every person”. In this way, information from numerous areas of life could be brought together and citizens could become transparent.

It is extremely important that these systems cannot be observed, the activist explained: “Otherwise we’ll end up in the panopticon.” However, Article 6a also provides for a wide range of monitoring options. It opens the concept of the electronic wallet to the economy, up to the media industry, which can take out subscriptions and place targeted advertising. The clause also undermines the selective disclosure of attributes, which is actually intended for the sake of data minimization. A corresponding check of such additions is therefore necessary before each authentication.

In addition, the subsequent withdrawal of authorizations is not provided for, criticized Lohninger. The required informed consent to the release of attributes also poses the same problem as with the General Data Protection Regulation (GDPR) and the associated nodding through of cookie banners, for example. The security of smartphones, on which the EUid is primarily to be stored in a “wallet”, is doubtful: there are many Android devices and iPhones “that no longer receive updates”. It is an “invitation to identity theft”.

The prerequisite for the acceptance of the EUid is “a high degree of trustworthiness”, emphasized the Saarland data protection officer Monika Grethel. The digital wallet must be “designed to be data-efficient and data-protection-friendly”, and the user must always be in control of his data and the options for passing it on to third parties in accordance with the concept of Self-Sovereign Identity (SSI).

A “unique, permanent identifier” must be limited to a few exceptional cases and be subject to strict purpose limitation, demanded Grethel. She recalled the debate about the tax ID as a uniform personal identification number in the ongoing register modernization, which data protection advocates had strongly opposed. Policymakers must ensure that service providers and identity providers “do not misuse sensitive information for commercial purposes or combine it with other data”.
