Last month, the European Commission unveiled its new digital strategy and a suite of strategy documents, including two communications on Shaping Europe’s Digital Future and A European Strategy for Data, as well as a Whitepaper on Artificial Intelligence. One sentence in Shaping Europe’s Digital Future immediately caught the attention of the identity community. It reads:
“A universally accepted public electronic identity (eID) is necessary for consumers to have access to their data and securely use the products and services they want without having to use unrelated platforms to do so and unnecessarily sharing personal data with them.”
This article examines this line-item in the broader context of the European identity framework and Europe’s digital future.
As outlined in its strategy communications, the Commission will spend the next five years focused on three key objectives:
(1) technology that works for people,
(2) a fair and competitive economy, and
(3) an open, democratic, and sustainable society.
Though you might expect identity to form part of the “technology that works for people” workstream, the discussion of eID in the Commission’s strategy actually falls under the third core objective—namely an open, democratic, and sustainable society. The rationale is that an open, democratic, and sustainable society in a digital age requires a trustworthy digital environment in which people can act and interact with confidence.
A core piece of establishing that trustworthiness in digital interactions is identity. Specifically, the Commission’s comments on eID are focused on the electronic authentication of consumers.
In this context, authentication is the process of establishing confidence in user identities presented in online environments, e.g., through user accounts and passwords. As the Commission notes, many authentication mechanisms require consumers to “unnecessarily” share personal data with “unrelated platforms” to access products or services online.
Services such as “login with Facebook” or “login with Google” create a bridge between the social media platform and the site or application that a consumer is trying to utilize, granting the platform access to a wide array of personal data about that consumer. This allows platforms to further correlate the consumer’s data points from around the digital ecosystem, making consumers more identifiable, targetable, and surveillable. It also further entrenches the dominance of large technology platforms, while eroding individual data protection and privacy rights.
This is squarely in line with the Commission’s broader objective of escaping the grip of large U.S. tech companies and establishing European “tech sovereignty.” As a key action towards establishing this eID, and taking back power from the platforms that currently mediate identity, the Commission identified the “revision of the eIDAS Regulation to improve its effectiveness, extend its benefits to the private sector and promote trusted digital identities for all Europeans by Q4 2020.”
Introduced in 2014, Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, or eIDAS, was the first cross-border framework for trusted digital identities and trust services. Through interoperability and mutual legal recognition, it allows individuals and businesses to use their own national electronic identification schemes (eIDs) to authenticate when accessing public services in other EU Member States.
Businesses also benefit from a more secure commercial environment created by eIDAS as the trust services they use in their transactions (e.g., electronic seals to prove the authenticity of digital documents) are recognized EU-wide. Although the private sector is not directly impacted by the existing eID framework under eIDAS, services developed for the public sector will likely be extended to the private sector in the upcoming eIDAS reform.
What this “universally accepted” public eID will ultimately look like remains to be seen and will largely depend on the outcome of the eIDAS review. While some industry advocates speculate that Europe will adopt a decentralized or European self-sovereign identity framework, the Commission’s language is less clear, suggesting a singular eID on par with public eID schemes under eIDAS.
Moreover, “universal acceptance” will require a sophisticated supporting legal infrastructure along the lines of what eIDAS sets out for government-backed schemes. In line with the “open, democratic, and sustainable society” workstream, such an eID scheme should prioritize clear articulation of the rules for liability, enforcement, and governance.
The world has changed dramatically in the weeks since the Commission made its strategy announcements. The EU digital strategy—including initiatives like the eID scheme and eIDAS reform—is focused on European digital sovereignty, the creation of European data spaces, and maximizing data portability and interoperability across Member States. However, Europe is facing a very different reality today than it was when the announcements were first made.
Confronted with a pandemic like coronavirus, countries like Germany, Denmark, Poland, Hungary, and a growing number of others, are closing their borders to their European neighbors. The European Data Protection Supervisor has also recently issued a statement about the need to reassess the five-year strategy in light of this change in circumstances. At the same time, reliance on the digital realm is now more prominent than ever before. It may be too soon to say how this new emerging reality will impact Europe’s digital future and the role that identity will play in it, but it’s definitely worth keeping a collective eye on.