Download the analysis here (pdf)

The implementation of the regulation for a European electronic identity (EUid) based on digital wallets faces new criticism from digital rights groups. One of them, the Austria-based Epicenter, recently published an open letter urging the European Commission to close loopholes that would lead to severe privacy and transparency problems.

Soon after the letter, the updated implementing acts seemed like a step in the right direction – “until we discovered completely new weak spots that not only endanger user privacy but also contradict the European Parliament’s agreement,” Epicenter says in an analysis.

The Commission’s new draft contains “privacy and transparency shortcomings [that] undermine trust in the eIDAS ecosystem and the democratic process as a whole. They must be fixed immediately,” Epicenter adds.

A core pillar of trust in the eIDAS ecosystem is the public relying party registry. This registry is what allows public watchdogs to exercise oversight and ensures transparency. However, the current system makes it nearly impossible to obtain a meaningful overview of how relying parties are using digital identities, which defeats the very purpose of a transparency register.

The current draft of the implementing acts fails to clearly distinguish between cases where a relying party is legally required to identify wallet users and cases where such identification is optional. In practice, the wallet cannot tell whether it is interacting with a bank that has a legal obligation to know its customers or with Facebook, which has no right to identify or track us.

Since the right to use pseudonyms depends on this distinction, it is critical that relying parties explicitly state in the registry whether a legal identification obligation applies to them and which specific law it is based on. Without this, the right to pseudonymity is effectively void and enforcement becomes nearly impossible.

Even more concerning are the controversial changes made behind closed doors, after the public consultation had already concluded and at the explicit request of powerful industry players. These changes reintroduce a unique, persistent identifier and extend its scope to the private sector, assigning users a lifelong, unchangeable digital identity number.

This proposal clearly contradicts the eIDAS regulation. The European Parliament had already drawn a clear red line against such an identifier, and now it is being reintroduced in an undemocratic manner through an implementing act.
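To make the two points above concrete from the wallet's side, here is an added illustration (written for this page; it is not code from Epicenter, the Commission or the EU reference wallet, and the registry schema, field names, relying party ids and legal bases are made up). It shows what a wallet can do when the registry entry explicitly records whether an identification obligation exists and which law it rests on: identifying attributes are released only to a relying party whose entry carries both, every other relying party gets a pairwise pseudonym derived from a wallet-held secret, which stays stable towards that one relying party but cannot be linked across relying parties. This is the opposite of a single lifelong identity number shared with the private sector.

```python
"""Wallet-side release decision over a hypothetical relying party registry.

Added example, not code from epicenter.works or any official wallet.
All registry entries, ids and legal bases below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Attributes whose release identifies the person behind the wallet.
IDENTIFYING_ATTRIBUTES = frozenset(
    {"given_name", "family_name", "birth_date", "personal_identifier"}
)


@dataclass(frozen=True)
class RelyingParty:
    """One entry of the hypothetical public relying party registry."""
    rp_id: str
    name: str
    identification_obligation: bool   # is the RP legally required to identify users?
    legal_basis: str | None           # which law; must be present when the flag is set
    registered_attributes: frozenset[str]  # attributes the RP registered to request


# Constructed sample registry (names, ids and legal bases are invented).
REGISTRY: dict[str, RelyingParty] = {
    "rp-bank-001": RelyingParty(
        "rp-bank-001", "Example Bank", True,
        "national anti-money-laundering act, customer due diligence",
        frozenset({"given_name", "family_name", "birth_date"}),
    ),
    "rp-social-002": RelyingParty(
        "rp-social-002", "Example Social Network", False, None,
        frozenset({"age_over_18"}),
    ),
    # Claims an obligation but cites no law: the wallet must not take its word for it.
    "rp-bad-003": RelyingParty(
        "rp-bad-003", "Example Marketplace", True, None,
        frozenset({"given_name", "family_name"}),
    ),
}


def pairwise_pseudonym(wallet_secret: bytes, rp_id: str) -> str:
    """Per-relying-party pseudonym: HMAC-SHA256 of the RP id under a secret that
    never leaves the wallet. Stable towards one RP, unlinkable across RPs, and
    replaceable by rotating the secret; no global identity number is involved."""
    return hmac.new(wallet_secret, rp_id.encode(), hashlib.sha256).hexdigest()


def decide_release(rp_id: str, requested: set[str], wallet_secret: bytes) -> dict:
    """Decide what the wallet may hand to a relying party for a presentation request."""
    rp = REGISTRY.get(rp_id)
    if rp is None:
        return {"decision": "refuse", "reason": "relying party not in registry"}

    # A request outside the registered attribute set is refused outright.
    excess = requested - rp.registered_attributes
    if excess:
        return {"decision": "refuse",
                "reason": f"attributes not registered: {sorted(excess)}"}

    wants_identity = bool(requested & IDENTIFYING_ATTRIBUTES)
    # Identification is allowed only if the obligation is flagged AND a law is cited.
    may_identify = rp.identification_obligation and rp.legal_basis is not None
    if wants_identity and not may_identify:
        return {"decision": "pseudonym_only",
                "pseudonym": pairwise_pseudonym(wallet_secret, rp_id),
                "attributes": sorted(requested - IDENTIFYING_ATTRIBUTES)}

    return {"decision": "release", "attributes": sorted(requested),
            "legal_basis": rp.legal_basis}


if __name__ == "__main__":
    secret = b"wallet-held-secret-demo"
    for rp, attrs in [("rp-bank-001", {"given_name", "birth_date"}),
                      ("rp-social-002", {"age_over_18"}),
                      ("rp-social-002", {"given_name"}),
                      ("rp-bad-003", {"given_name"})]:
        print(rp, decide_release(rp, attrs, secret))
```

The check that matters is `may_identify`: a bare "I am obliged" flag is not enough, the registry entry has to name the law, otherwise the wallet falls back to the pseudonym. Running the demo shows the bank receiving identity attributes, the social network receiving only the age claim (and being refused when it asks for a name it never registered), and the marketplace receiving a pseudonym and nothing else.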