In June 2021, the European Commission published a proposed revision of the existing eIDAS regulation aimed at increasing availability and adoption of digital identity, curbing the increasingly dominant role of platforms, and meeting changing user expectations. While the revision is still at the draft stage and the specifics are currently being discussed, the potential impact on citizens, businesses and digital identity in Europe cannot be overlooked. This article provides an overview of some key eIDAS developments and their potential impact on the private sector.
THE ORIGINAL EIDAS FALLS SHORT
Currently, only 14 EU member states have made their national digital identity solutions available for cross-border use within the EU through a process called ‘notification’, covering roughly 59% of the EU population. With the annual number of cross-border authentications only in the thousands, compared to millions at domestic level, the cross-border usage of the national solutions has been low. In addition, the role of platforms in online authentication has grown substantially in recent years. With the eIDAS revision, the EU aims to mitigate the risk of further market dominance of large online platforms, user lock-in and loss of control over data. The European Commission also acknowledges that the existing user-friendliness is poor. The lack of a common user interface, redirections in the authentication process and denial of service situations are all examples of a service that does not meet high user expectations on security and convenience.
MANDATED AVAILABILITY AND ACCEPTANCE OF WALLETS SHOULD DRIVE THE USE OF DIGITAL IDENTITY
The most significant change in the proposed eIDAS revision is the introduction of EU Digital Identity Wallets, which must be made available for all EU citizens. In contrast to the current situation under eIDAS, in which notification of an eID scheme by member states is voluntary, it will become mandatory for member states to provide EU Digital Identity Wallets to their citizens free of charge. Not only does the draft revision contain such a measure for providing EU Digital Identity Wallets, but it also extends mandated acceptance of such wallets beyond the public sector to private sector relying parties:
“Where private relying parties providing services are required by national or Union law to use strong user authentication for online identification, or where strong user authentication is required by contractual obligation, including in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications, private relying parties shall also accept the use of European Digital Identity Wallets issued in accordance with Article 6a”.
(proposed new article 12b pt. 2 in eIDAS revision)
In addition, the draft mentions that very large online platforms – i.e. online platforms that reach at least 45 million monthly active users in the European Union (which represents 10% of the 450 million consumers in the EU market) – will be mandated to accept the wallets at the user’s request. They will also have to respect the minimum attributes necessary for the specific online service for which authentication is requested, such as proof of age. Very large online platforms include marketplaces like eBay, Amazon and Zalando, and social media such as Facebook, YouTube, Twitter and Reddit, to name but a few.
PRIVATE SECTOR MAY FACE MAJOR CHANGES IN DIGITAL IDENTITY IMPLEMENTATION
If the above aspects of the draft revision proposal remain unchanged and the EU succeeds in realising its ambitions with the EU Digital Identity Wallet:
- All of the 27 member states will have to offer at least one wallet to their citizens
- Government-issued attributes (such as name, date of birth or a unique identifier) will be available for these wallets
- Mandated acceptance means that many public and private sector services will be accessible using these wallets.
Needless to say, this will create both opportunities and challenges for the private sector. The full impact on the private sector is not yet entirely clear, but relying parties should be aware of a number of points, as outlined below.
STANDARDISATION EFFORTS IN THE EU WILL DETERMINE THE COMPLEXITY OF RELYING PARTIES INTEGRATING WITH ALL WALLETS
Each member state is required to notify one or more wallets. Three options exist: a wallet issued by the member state’s government, a wallet issued by the private sector, or both. To foster competition and freedom of choice for citizens, it is likely that some member states will notify multiple wallets from private-sector providers. This means there will be multiple wallets (more than 27) available in the EU for relying parties to accept. To prevent a heavy integration burden for private sector relying parties, it is likely that current EU discussions on technical architecture will result in a single connection interface for relying parties. It remains to be seen how complex this connection interface will be and how it will affect the integration effort for private sector relying parties.
WITHOUT EU HARMONISED LEGAL CONDITIONS, CONTRACTING BETWEEN WALLETS AND RELYING PARTIES WILL BE CUMBERSOME
The second big obstacle for acceptance of wallets by private sector relying parties is contracting. Will numerous bilateral contracts be required between wallet providers and relying parties, or will the EU converge to a single or standardised legal contract that covers acceptance of all wallets? This is an important point to watch out for in further publications.
EXACT SCOPE OF IMPACTED RELYING PARTIES IS STILL UNCERTAIN AS LEGISLATIVE WORDING LEAVES ROOM FOR INTERPRETATION
It is still unclear which private relying parties will ultimately be subject to the mandated EU Digital Identity Wallet acceptance, since the scope of the revision refers only to relying parties that are required by national or Union law, or that have a “contractual obligation”, to use “strong user authentication”. While legal obligations that follow from existing EU laws and regulations like GDPR and PSD2 are usually fairly clear for the parties involved, the scope of the term “contractual obligation” still requires clarification. For example, does a SaaS accounting product that applies strong user authentication because this is contractually agreed with the client need to accept all EU Digital Identity Wallets for authentication? Such an interpretation would mean that a huge number of businesses would be impacted by the eIDAS revision.