The pandemic has led to an increased demand for secure remote identification of individuals. Because contacts were limited, concluding full-fledged contracts with customers remotely has become a regular procedure in many companies. This has also been noticed by the European Commission, which has analyzed how the so-called eIDAS regulation has worked in practice so far. As a result, it proposed several changes to the eIDAS regulation.
Evaluation of current solutions
The evaluation of the regulation has shown, among other things, that the current regulations are not adapted to market requirements and needs. The reasons given included too many restrictions for the public sector. A common reason is the complexity of the procedure. High requirements for private service providers to connect to eIDAS are also a big problem. At the same time, the European Commission notes that there are solutions on the market that are not subject to eIDAS regulations. They are offered, for example, by social media providers or financial institutions. These solutions, according to the Commission, often raise concerns about privacy and proper data protection.
EC research showed that in September 2018, only 59% of EU residents had access to trusted and secure EU identity proofing systems. At the same time, very few online public services available in a country could be used across borders through the eIDAS network.
As a result, the EC took the position that the current regulations do not effectively respond to new market needs. Additionally, they lack cross-border coverage, making it impossible to meet specific sectoral needs where identification requires a high degree of certainty and confidentiality.
European Digital Identity Portfolio
In response to the identified market needs, the draft regulation proposed by the EC obliges member states to issue a so-called European Digital Identity Portfolio. This instrument will have to comply with common technical standards established at the EU level.
Thanks to this solution, natural and legal persons will gain new possibilities of secure online and offline authentication. To do so, they can request and obtain, store, combine and use personally identifiable data or electronic identity credentials.
Durable and unique identifier
Under the draft, Member States undertake to ensure that the European Digital Identity Wallet can use a unique and persistent identifier to confirm the identity of individuals. This will make it possible to identify the user on request in cases where the identification of the natural person is required by law. Member States will also be required to include a unique and persistent identifier in the minimum set of data identifying a person.
Countries will use this solution in areas that require extremely strong authentication – such as the judiciary, healthcare, or identification for anti-money laundering obligations.
Cross-border solutions
To make more eIDs available for cross-border use and to improve the efficiency of the mutual recognition process of notified eID schemes, each Member State is obliged to notify one or more eID schemes to eIDAS.
Scope of the European Digital Identity Wallet
The European Digital Identity Wallet issued in accordance with the Regulation will be compulsorily accepted by the Member States in specific cases, especially where these require electronic identification. The wallet is to be used for authentication within public administration services.
Apart from that, the proposed changes to the regulation indicate that the European Digital Identity Wallet should also be widely accepted in private relationships. This is the case when parties are obliged by national or EU law to use strong authentication for online identification or when strong user authentication is required by contractual obligation, including in the areas of transport, energy, banking, financial services, health, or postal services, among others.
The Commission also plans to impose additional obligations on web browser vendors. Among their obligations will be the use of qualified certificates for website authentication. The aim is to ensure that users can identify the owner of a domain.
Legal effects of the electronic certification of identity
Under the EC proposal, electronic certification will not be denied legal effect or admissibility as evidence in legal proceedings solely on the basis that it is in electronic form. Each member state will have to adapt its legislation to these principles.
A qualified electronic certificate will have the same legal effect as a legally issued paper certificate. If issued in one member state, it will be considered a qualified electronic credential in any other member state.
Regulations on personal data security
The EC proposals also regulate many other issues related to electronic certification of identity, including those that ensure an adequate level of personal data security for identity proofing services.
It is worth mentioning here an important issue from the point of view of qualified and non-qualified providers of electronic identity proofing services. Among other things, they will not be able to combine personal data related to the provision of these services with personal data from other services they offer.
Personal data related to the provision of electronic identity certification services must also be logically separated from other data held. In turn, personal data related to the provision of qualified electronic identity certification services should be physically and logically separated from any other data held. Providers of qualified electronic identity certification services undertake to provide such services under a separate legal entity.