The EU is rolling out the EU Digital Identity Wallet under eIDAS2 to standardize digital identity management. Recent changes removed plans for a universal public identifier due to privacy concerns. Sweden's "personnummer" system highlights both benefits and risks of persistent identifiers. Balancing efficient identity workflows with robust privacy protections is essential for the wallet's success. Private sector solutions, like Truid, aim to fill gaps left by regulatory frameworks, despite high risks and costs.
TL;DR
-
What's Happening: The EU is rolling out the EU Digital Identity Wallet under eIDAS2 to standardize digital identity management across member states.
-
Recent Changes: Plans for a universal public identifier were scrapped due to privacy issues raised by member states, like Germany's integrity laws.
-
Sweden's Example: Sweden's "personnummer" system illustrates benefits (enhanced digitalization) and challenges (identity theft risks) of persistent identifiers.
-
Current Challenge: Balancing efficient identity workflows with robust privacy protections remains crucial for the digital wallet's success.
-
Future Outlook: Private sector solutions like Truid aim to address gaps left by regulatory frameworks, albeit with high risks and costs associated with driving technological change through legislation.
eIDAS2 and the EU Digital Identity Wallet
Insights into the Proposed Regulations and Challenges
The EU Commission is currently preparing a major upgrade of the existing Electronic Identification and Trust Services regulation (eIDAS), which for simplicity is often referred to as eIDAS2. The proposed regulation covers several areas, but from a digital identity perspective the most important proposal is for the creation of EU Digital Identity Wallets.
There is no set date for when the proposal will become regulation, but a good current estimate is that it will happen in mid 2024 at the earliest. This will then be followed by an implementation time for Member states.
The digital wallet is intended to allow individuals to collect electronic versions of their important identity documents and to share them with counterparties. The Commission will set some guidelines for technology and design to allow interoperability, and the wallet is intended to allow all the requirements of the GDPR to be realized.
The proposal stipulates that each Member state becomes responsible for either offering a wallet to the public in their country, or for establishing a process for letting private companies certifying their product as a regulation-approved wallet.
Recently, a very important part of the proposal was struck down. The Commission, in its original proposal, called for an EU-wide, public, unique, persistent identifier that would be used to identify people across services, use cases and transactions.
However, as could be expected, this proposal ran afoul of integrity legislation in several member states (it would be unconstitutional in Germany). At the same time, other countries, such as e.g. Sweden and Belgium, already use this kind of identifier on a national level.
Why is a generally available unique identifier a problem for integrity? If you can track a person across all different interactions and transactions with the same number, it means that you could, in principle, completely map all digital behavior of this person.
Monitoring is already a major challenge since many people use a small number of services to authenticate themselves online, and the specific purpose of eIDAS2 is to make this more difficult, not easier.
Why then would the Commission have included this in their original proposal? For the simple reason that if you do not use a persistent identifier, it becomes difficult to impossible to build simple and effective workflows across time and counterparties. You will end up in a situation where each counterparty that a person interacts with will have to manage their ongoing relationship with a technology outside of the actual wallet.
Sweden's Unique Approach
Sweden offers a real-world example of the advantages and challenges of a persistent identifier. Their "person number" system, based on birth date and additional digits, serves as a public identifier for all residents. This system has significantly boosted digitalization, with the national BankID service widely used for online identification in both public and private sectors. However, concerns about identity theft and a lack of integrity remain.
A Closer Look at the Challenges and Solutions of the Digital ID Wallets
What a proper digital identity wallet must do is to overcome the current challenge of a public, unique, persistent identifier. It must allow tracking over time per contact, otherwise it cannot be used to automate identification and authentication workflows.
And it must ensure that these identifiers are not freely available to third parties. At this stage it looks uncertain whether the EU Commission will actually put these twin requirements into the new, proposed regulation. If so, eIDAS2 will likely not deliver what is planned.
Of course, there is nothing stopping private initiatives from building and marketing this technology to the public. As in many other instances, driving technological change through legislation is a high-cost, high-risk effort. And yes, you guessed it, we think we have got a very good workable solution to this problem with Truid.