The EU institutions closed critical points on the legislative proposal for a European Digital Identity framework in a negotiating session on Wednesday evening (28 June), but more political discussions will be needed to finalise the file.
The draft law is meant to provide the legal framework for establishing a system of national digital wallets interoperable across the EU where people will be able to store all sorts of personal documents like driving licenses and birth certificates.
Wednesday’s interinstitutional negotiation between the EU Council, Parliament and Commission, the so-called trilogue, marked significant progress in closing some of the most contentious points of the file. Still, entire parts of the text are yet to be discussed.
“We have a political agreement on the key elements of the proposal,” said European Parliament’s lead negotiator Romana Jerković. “More work remains to be done, but we are very close to finding a final agreement on the whole package.”
Wallet certification
The wallets will have to follow the dedicated European cybersecurity certification scheme. An open question was whether they would also have to comply with certification concerning the EU General Data Protection Regulation.
EU countries managed to maintain the data protection certification voluntarily. In turn, the European Parliament, which pushed for a mandatory measure, obtained that the Commission will have to review the effectiveness of this provision.
Penalties
EU countries will have to set administrative fines that can be imposed by competent national courts or other bodies, depending on the legal system. For trust service providers, the maximum fine should be at least half a million euros or 1% of the total worldwide annual turnover.
Access of wallet issuers
The initial draft introduced a reference to the Digital Markets Act, a landmark EU regulation introducing obligations to Big Tech companies, which mandates ensuring access of wallet issuers to hardware and software features.
A reference to the fact that access should be provided in fair, reasonable and non-discriminatory conditions will be added to the text’s preamble.
Extended Wallet Functionalities
MEPs wanted to introduce a prescriptive list of additional functionalities for the wallet. The principle that the wallet should allow secure issuing and revoking of electronic attestation of attributes, a system to verify a person’s identity online while maintaining privacy, made it into the deal.
Pseudonyms
The Parliament introduced the principle that the wallets should also be able to generate pseudonyms and store them locally on the device.
Wallet-to-wallet
MEP also obtained a provision that wallets should be able to securely authenticate another person’s wallet or electronic attestation of attributes that should be securely communicated between wallets.
Dashboard
The Parliament introduced a dashboard where users will be able to see all the log activity and data exchanged via the wallet, request deletion of personal data as per the EU privacy legislation, report suspicious activity to authorities, and download and port data.
Wallet e-signatures
EU lawmakers and member states were divided over the business model for using the wallet and e-signatories. The issuance, use for authentication and revocation of the wallet was kept free for natural persons, meaning that organisations might be charged.
For qualified e-signatures, EU countries might introduce a paid service above a threshold of transactions.
e-Ledgers
The European Commission’s original proposal introduced new trust services for electronic ledgers, a system to take tabs on account transactions. Despite complaints from the Parliament that this technology is not mature yet, the e-ledgers were maintained in the text.
Governance
Members states will have to designate one or more competent national authorities to enforce the Digital Identity framework. The EU Parliament obtained the introduction of Single Points of Contact to improve cross-border coordination.
The specific tasks of the national authority are still up for discussion based on a text put forth by the EU Commission. MEPs introduced the European Digital Identity Framework Board, which will have a coordination and advisory role.
Qualified Website Authentication Certificate
A sensitive issue in the negotiations related to Qualified Website Authentication Certificates (QWACs), recognised systems to authenticate the identity of the person or organisation behind a website to avoid possible scams.
Web browser providers like Firefox’s Mozilla opposed a mandatory imposition of QWACs, which they saw as potentially introducing elements of state control over the internet. MEPs managed to introduce the possibility for web browsers to take preventive actions over possible breaches of user privacy.
Unique and persistent identifier
The concept of a unique and persistent identifier was changed to a more privacy-friendly record-matching, which allows verification of a person’s identity based on several personal details, by which member states will have to ensure the unequivocal identity of a person in another EU country.
Onboarding
The EU Council introduced wording that onboarding EU citizens and residents to the European wallet should be facilitated by relying on electronic identification systems with the highest level of assurance.
Timeline
The timeline for the issuance of the wallets was set at two years, starting from the entry into force of the implementing act that will define the wallets’ technical features.
[Edited by Zoran Radosavljevic]
