The European Digital Identity is a proposal that will allow EU citizens, residents and businesses to identify themselves, access digital services and digitally sign documents through a Digital ID, and to store and share “attributes” such as personal information, diplomas and licenses safely and easily using a Digital Wallet. It will provide interoperability across the Union, with signatures and attributes recognised in all member states, making it easier to work, study and travel around the Union.
But the proposal is also plagued with problematic ideas: with so much personal data in play, there are insufficient safeguards for user privacy, and to make matters worse, the proposal also includes changes to the Commission’s existing rules on QWACs — a special type of web security certificate — that could allow governments to spy on citizens.
As an MEP who represents their political group in negotiations on a law with other MEPs in the JURI committee, I worked hard to address these issues. Today our committee voted on the final version of our report on the file. The result is a set of changes that would significantly improve the privacy and security of the wallet for end users, and that protects privacy online.
The European Digital Identity: A Problem for Privacy?
One of our key concerns was the intent of the Commission to have the wallet adopted as widely as possible. While I do believe a not-for-profit privacy-first wallet system would be an excellent thing, I am concerned that Big Tech may take advantage of this system to force citizens to hand over data, or that worse still, governments might force citizens to use their wallet to sign up in a way that would impact their right to privacy. Finally, the Commission wanted to introduce a single unique and persistent identifier for each citizen, a move that would enable tracing across the EU.
To solve this, the JURI committee drastically rethought the proposal, banning platforms and authorities from forcing citizens to use the wallet or discriminating against users who don’t, and guaranteeing the right to use pseudonyms anywhere where their identity is not mandated by law. We also removed the single and persistent identifier, and replaced it by a system that prevents tracking, puts the user in control, and is used only in exceptional cross-border cases.
Finally, we made sure users have access to a simple dashboard that allows them to share information from their wallet, see with whom they have shared that information, and retract sharing at any time, because we feel that citizens must remain in control of their data, even when they share it, in line with the GDPR.
Accessible and Open for All
If we want the wallet to be a success, it has to be accessible for everyone, but unfortunately, the Commission’s proposal was lacking clarity on accessibility for people with disabilities, and contained limitations that may have prevented citizens with older mobile devices, or using alternative operating systems from using the wallet. In addition, there were no stipulations that the wallet should be open source. I believe that software developed with public money should be open source, and that we can’t expect citizens to trust a closed-source wallet.
Our changes ensure wallets developed with public money must be open source, and the wallet must be made available on a wide range of platforms. We also strengthened the accessibility of the wallet for people with disabilities, and specified rules for people under legal guardianship.
Keeping the Internet Private & Secure
Finally, the Commission’s proposal puts at risk encryption on the internet, by making changes to the security architecture of our web browsers.
Firstly, it would force browsers to display QWACs, an expensive, outdated and insecure way of proving that a website belongs to a particular person or organisation. This, just a few years after all major browsers decided to stop showing QWACs because they are insecure.
Secondly, it would damage the system used to verify the security of connections: browsers have a special list of Certificate Authorities, trusted organisations that help check that your connection to a website is secure and hasn’t been intercepted or redirected. Because this job is so important, browsers have very strict rules over who gets to be in this list, but the Commission’s proposal would have let member states decide who gets to control the list. This would allow member states to create their own Authority and use it to spy on citizens, with no easy way for citizens to detect it.
We sent a strong message to the Commission and other European Parliament Committees by deleting these proposed changes from the text.
Our proposals have cleared the first hurdle: they are now the official position of the JURI committee. But there is lots more to do in the lead committee where the final decision will be made. I will continue to fight tooth and nail for a private digital wallet and a secure web for all Europeans!