16.07.2021

European Commission proposes changes to e-signature regulation

Łukasz Wieczorek
Gabriela Kocurek

The pandemic situation has led to an increased demand for secure remote identification of individuals. Due to the limitation of contacts concluding full-fledged contracts with customers remotely in many companies has become a regular procedure. This has also been noticed by the European Commission, which has analyzed how the so-called eIDAS regulation works in practice so far. As a result, it proposed several changes to the eIDAS regulation.

Evaluation of current solutions

The process of evaluation of the regulation has shown, among other things, that the current regulations are not adapted to market requirements and needs. Reasons are given included too many restrictions for the public sector. A common reason is the complexity of the procedure. High requirements for private service providers to connect to eIDAS are also a big problem. At the same time, the European Commission notes that there are solutions on the market that are not subject to eIDAS regulations. They are offered e.g. by social media providers or financial institutions. These solutions, according to the Commission, often raise concerns about privacy and proper data protection.

EC research showed that in September 2018, only 59% of EU residents had access to trusted and secure EU identity proofing systems. At the same time, very few online public services available in a country could be used across borders through the eIDAS network.

As a result, the EC took the position that the current regulations do not effectively respond to new market needs. Additionally, they lack cross-border coverage, making it impossible to meet specific sectoral needs where identification requires a high degree of certainty and confidentiality.

European Digital Identity Portfolio

In response to the identified market needs, the draft regulation proposed by the EC obliges member states to issue a so-called European Digital Identity Portfolio. This instrument will have to comply with common technical standards established at the EU level.

Thanks to this solution, natural and legal persons will gain new possibilities of secure online and offline authentication. To do so, they can request and obtain, store, combine and use personally identifiable data or electronic identity credentials.

Durable and unique identifier

Under the draft, Member States undertake to ensure that the European Digital Identity Wallet can use a unique and persistent identifier to confirm the identity of individuals. This will make it possible to identify the user on request in cases where the identification of the natural person is required by law. Member States will also be required to include a unique and persistent identifier in the minimum set of data identifying a person.

Countries will use this solution in areas that require extremely strong authentication – such as the judiciary, healthcare, or identification for anti-money laundering obligations.

Cross-border solutions

To make more EIDs available for cross-border use and to improve the efficiency of the mutual recognition process of notified EID schemes, each Member State is obliged to notify one or more EID schemes to eIDAS.

Scope of the European Digital Identity Wallet

The European Digital Identity Wallet issued following the Regulation will be compulsorily accepted by the Member States in specific cases. Especially when these will require electronic identity identification. The wallet is to be used for authentication within public administration services.

Apart from that, the proposed changes to the regulation indicate that the European Digital Identity Wallet should also be widely accepted in private relationships. This is the case when parties are obliged by national or EU law to use strong authentication for online identification or when strong user authentication is required by contractual obligation, including in the areas of transport, energy, banking, financial services, health, or postal services, among others.

The Commission also plans to impose additional obligations on web browser vendors. Among their obligations will be the use of qualified certificates for website authentication. The aim is to ensure that users can identify the owner of a domain.

Legal effects of the electronic certification of identity

Under the EC proposal, electronic certification will not be denied legal effect or admissibility as evidence in legal proceedings solely on the basis that it is in electronic form. Each member state will have to adapt its legislation to these principles.

A qualified electronic certificate will have the same legal effect as a legally issued paper certificate. And if issued in one member state, it will be considered a qualified electronic credential in any other member state.

Regulations on personal data security

The EC proposals also regulate many other issues related to electronic certification of identity. Including those that ensure an adequate level of personal data security for identity proofing services.

It is worth mentioning here an important issue from the point of view of qualified and non-qualified providers of electronic identity proofing services. Among other things, they will not be able to combine personal data related to the provision of these services with personal data from other services they offer.

Personal data related to the provision of services of the electronic certification of identity must also be logically separated from other data held. In turn, personal data related to the provision of qualified electronic identity certification services should be physically and logically separated from any other data held. Providers of qualified electronic identity certification services undertake to provide such services under a separate legal entity.

 

eIDAS Regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014. It concerns electronic identification and trust services for electronic transactions in the internal market. The regulation also repeals Directive 1999/93/EC.
The Foundation conducts legal publishing activities free of charge

Do you want to be up to date? Sign up for our newsletter

By subscribing to our newsletter, you consent to the sending of information by e-mail on important events in the field of law, legislative changes and the activities of the Law Firm.

read more

The administrator of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with headquarters in Krakow, ul. Kącik 4, 30-549 Krakow. Your data will be processed for the purpose of sending our newsletter. You have the right to request access to your personal data, their copies, rectification, deletion or limitation of processing, as well as the right to object to the processing and to lodge a complaint with the supervisory authority. More details can be found in our Privacy Policy.

Contact

KWKR Konieczny Wierzbicki and Partners Law Firm
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Administratorem Twoich danych osobowych jest KWKR Konieczny Wierzbicki i Partnerzy S.K.A. z siedzibą w Krakowie, ul. Kącik 4, 30-549 Kraków.
Przetwarzamy Twoje dane wyłącznie w celu udzielenia odpowiedzi na wiadomość przesłaną przez formularz kontaktowy i dalszej komunikacji (co stanowi nasz prawnie uzasadniony interes) – przez czas nie dłuższy niż konieczny do udzielenia Ci odpowiedzi, a potem przez okres przedawnienia ewentualnych roszczeń. Masz prawo do żądania dostępu do swoich danych osobowych, ich kopii, sprostowania, usunięcia lub ograniczenia przetwarzania, a także prawo wniesienia sprzeciwu wobec przetwarzania oraz wniesienia skargi do organu nadzorczego. Więcej szczegółów znajdziesz w naszej Polityce Prywatności.
Warszawa

Rondo ONZ 1,

00-124 Warszawa

+48 12 3957161

kontakt@kwkr.pl

Chcesz być na bieżąco? Zapisz się do naszego newslettera

Zapisując się do naszego newslettera wyrażasz zgodę na przesyłanie drogą e-mail informacji na temat istotnych wydarzeń z dziedziny prawa, zmian legislacyjnych oraz działalności Kancelarii.

czytaj więcej

Administratorem Twoich danych osobowych jest KWKR Konieczny Wierzbicki i Partnerzy S.K.A. z siedzibą w Krakowie, ul. Kącik 4, 30-549 Kraków. Twoje dane będą przetwarzane w celu wysyłki naszego newslettera. Masz prawo do żądania dostępu do swoich danych osobowych, ich kopii, sprostowania, usunięcia lub ograniczenia przetwarzania, a także prawo wniesienia sprzeciwu wobec przetwarzania oraz wniesienia skargi do organu nadzorczego. Więcej szczegółów znajdziesz w naszej Polityce Prywatności.

 

Do you want to be up to date? Sign up for our newsletter

By subscribing to our newsletter, you consent to the sending of information by e-mail on important events in the field of law, legislative changes and the activities of the Law Firm.

read more

The administrator of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with headquarters in Krakow, ul. Kącik 4, 30-549 Krakow. Your data will be processed for the purpose of sending our newsletter. You have the right to request access to your personal data, their copies, rectification, deletion or limitation of processing, as well as the right to object to the processing and to lodge a complaint with the supervisory authority. More details can be found in our Privacy Policy.