Towards a European Digital Identity Wallet? A Private International Law Perspective

A recent Briefing paper titled Updating the European digital identity framework, authored by Mar Negreiro and Maria Niestadt (from the European Parliamentary Research Service), may be of interest to the readers of this blog.

It deals with the proposal of the European Commission, released in June 2021, to create a “European Digital Identity” (EDI) and a dedicated “Wallet” for citizens and businesses in the European Union (hereafter ‘EDI Regulation proposal’).

General Background of a ‘European Digital Identity’ and its Dedicated ‘Wallet’

The ‘European Digital Identity Wallet’ (EDIW) aims to allow people and companies based in the EU to store person identification data (e.g. name, address, gender, civil status) and electronic attestations of attributes (e.g. bank account, birth certificate, diploma, company statute) for cross-border use. It should also allow users to authenticate and access online public or private services (Article 6a of the EDI Regulation proposal). According to the European Commission, by means of this digital wallet, proving your identity and sharing electronic official documents across the EU Member States will be possible with ‘one click’ on your smartphone!

This legislative proposal surely is a coherent and necessary continuum of the digitalisation momentum in the Union, both in its economic (i.e. internal market policy) and judicial (i.e. judicial cooperation in civil and criminal matters) dimensions. One of its main political objectives is for the Member States and the Union to regain control over the identity of European citizens in the digital ecosystem. Indeed, the dominant tech platforms have been developing private forms of ‘digital ID’, competing with national legal identification schemes. Under the EDI Regulation proposal, the digital wallet should only be issued under the supervision of Member States (i.e. directly by the State or based on a mandate or recognition requirements from the State). The project also aims to support the empowerment of ‘EU digital citizens’ in the same vein as the Declaration on European Digital Rights and Principles recently put forward by the European Commission to ensure a human-centred digital transformation in the Union. Users should be “in full control” of the wallet (Article 6a (7) of the EDI Regulation proposal) based on the key principles of the GDPR, such as the requirement of data minimisation.

However, the proposal also raises several concerns about, inter alia, the effectiveness of data protection, the risk of exclusion of parts of European society, and the system’s vulnerability to fraud and data loss. I propose to add to that list uncertainties with regard to private international law rules and their implementation in the ‘EDIW context’. The first question that occurs to me is as follows: what will be the legal scope of the cross-border portability of the information contained in this digital wallet?

Legal Outlines of the European Digital Identity Wallet
The Acquis based on the eIDAS Regulation

The EDIW proposal builds on the acquis of the eIDAS Regulation on electronic identification and trust services for electronic transactions in the internal market. The latter lays down the conditions for the mutual recognition, between EU Member States, of electronic identification means of natural and legal persons, based on national notified electronic identification schemes (Article 6). As a consequence, the identity – unique by essence – of citizens and businesses based in a Member State can be established throughout the Union (or, at least, in the other Member States that have notified such schemes). Concretely, it should for instance allow a person, domiciled in one Member State, to open a bank account in another Member State remotely, via an electronic identification (eID). The bank should be able to verify the age and the legal identity of the client as well as his/her financial records, and the paperwork could be signed online using e-signatures (see here for other ‘promotional’ examples).

For the proper functioning of the mutual recognition principle, the eIDAS Regulation provides for three “assurance levels” applicable to the electronic identification schemes; they characterise “the degree of confidence in electronic identification means in establishing the identity of a person” (see Recital 16 and Article 8). Against this background, mutual recognition of electronic identification means – used for authentication for an online service – is mandatory for the ‘host State’ only when the public body of the ‘home State’ uses the “substantial” or “high” assurance levels for accessing that service online (Article 6).

‘European Digital Identity Wallet’: What Does It Mean?

The EDI Regulation proposal goes further than the current eIDAS Regulation in making it mandatory for all Member States to provide electronic identification means and to recognise the notified electronic identification schemes (eIDs) of other Member States. In that respect, it lays down common requirements for the issuing of European Digital Identity Wallets (EDIW) by Member States (Article 6a of the EDI Regulation proposal). These wallets are understood as “electronic identification means […] containing person identification data and which is used for authentication for an online or offline service” (see Article 1, (3) (a) (2) of the proposal, with the understanding that ‘authentication’ enables the electronic identification as well as the origin and integrity of data in electronic form to be confirmed).

By comparison with a more familiar concept, ID cards issued by EU Member States (following the implementation of Regulation 2019/1157 on strengthening the security of identity cards of Union citizens) are also characterised as ‘electronic identification means’ under the eIDAS Regulation and the EDI Regulation proposal. But the future EDIW is much more than a mere digital ID card. It is both “a product and service” that allows the user “to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service […] and to create qualified electronic signatures and seals” (Article 1, (3) (i) point 42 of the proposal).

Legal Scope of the European Digital Identity Wallet

The digital wallet should, inter alia, allow the “validation” of person identification data and electronic attestations of attributes by relying parties. More widely, Member States should provide “validation mechanisms” to ensure that the “authenticity and validity” of the digital wallet can be verified. In that respect, the EDIW should meet the “high level of assurance”, by reference to the eIDAS Regulation (see above), in particular with regard to “identity proofing and verification” requirements. The high level of assurance is based on technical specifications, standards and procedures “the purpose of which is to prevent misuse or alteration of the identity” (Article 8, (2), c).

It is also worth mentioning that the EDI Regulation proposal lays down a minimum list of attributes (e.g. address, age, civil status, family composition, financial and company data), the authenticity of which should be verifiable electronically, at the request of the user, by qualified providers of electronic attestations of attributes, against the relevant authentic source at national level (Article 45d and Annex VI).

Ultimately, the proposed EDIW framework does not appear very clear about the normative scope of trans-European data flows via the digital wallet, between (presumption of) authenticity and validity.

Some Private International Law Issues Raised by the EDIW
The Legal Implication of the Mutual Recognition Technique

Beyond the strengthening of a common ‘technological infrastructure’, the ultimate goal of the ‘European Digital Identity Wallet’ (EDIW) is to ensure the cross-border recognition of Europeans’ legal identity and additional information about them (i.e. attestation of attributes such as certificates of birth or diplomas). This brings us to more familiar territory, starting with the core question of the legal significance of the mutual recognition technique in this specific context.

Mutual recognition should provide for a cross-border portability of the data stored within the digital wallet, such as age, gender, nationality or company data. In that respect, the relevant methodology may be based on the international circulation of foreign public documents that have consolidated a legal situation in a first Member State and whose legal consequences are expected in the host Member State (cf. the inspiring work of Professor Ch. Pamboukis). In the case of ‘non-decisional’ public documents (e.g. a professional qualification or a driving licence, ‘crystallised’ in the digital wallet issued by the State of origin), these documents should produce non-normative procedural effects of an evidentiary nature. The data stored in the digital wallet may also be presumed to be formally valid, which allows them to flow across legal borders: the person concerned may use them in the ‘host State digital jurisdiction’ in the same way as in his/her State of origin.

When the data contained in the digital wallet are no longer related to administrative/public aspects (e.g. diploma or driving licence mentioned above) but to personal status and individuality (e.g. name, domicile, civil status, family composition), the mutual recognition technique could take on a different meaning. Indeed, the public documents in question are no longer limited to ‘establishing’ a situation certified by a public authority but are of a ‘receptive’ type. The public authority issuing the public document has ‘received’ the private will expressed by the parties in order to authenticate it. In this context, it could be argued that the digital circulation of such a public document (e.g. a marriage or a name certificate) carries a presumption of validity of the legal situation (i.e. negotium) contained in it (i.e. instrumentum). This distinction is well-known among private international law experts and the suggested reasoning should be the same whether the information is ‘digitised’ or formalised in a paper document. Indeed, electronic attestation of attributes should have “the equivalent legal effect of lawfully issued attestations in paper form”, pursuant to the EDI Regulation proposal (Recital 27).

Critical Assessment

The future ‘European Digital Identity Wallet’ could have a real impact on the international recognition of personal and family status in the Union. The same could be said for the status of legal persons. For citizens and businesses, intra-European free movement would be strengthened and, in practice, greatly simplified.

The main methodological consequence from the private international law perspective should be the ‘eviction’ of the conflict-of-laws rules and reasoning. This is understandable insofar as, in practice, the presumption of probative value of a foreign public document, on the basis of mutual recognition, implies, in our view, a presumption of validity of the legal situation it contains (cf. here).

In the European context, this statement should be even more accurate, because of the remarkable influence of EU citizenship and fundamental rights (such as the right to privacy which applies to the identity of individuals) on conflict-of-laws. Several examples may be found in the case law of the CJEU, such as the recent Pancharevo judgment (commented on the blog) raising exactly this issue. For some scholars and many Member States, this is however the pitfall to be avoided. But actually, the intra-European digital flow of personal data, via this European digital wallet, should instead reinforce this trend.

The Interplay Between the EDIW and Other Legal Instruments

It is important to note that the EDI Regulation proposal, like the current eIDAS Regulation, gives priority to other rules of EU and national law on specific sectors. In that respect, the proposal lays down that the (future) regulation “does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to sector specific requirements as regards form with underlying legal effects” (Article 2, §3). The issue of normative interplay between the EDIW framework and other important instruments will be crucial. This will be the case, inter alia, in the field of personal status, regarding Regulation 2019/1191 on Public Documents but probably also some ICCS conventions (such as Convention n°34 recently entered into force), as well as national rules on the international legal effects of public documents. This is also true for EU instruments which support the cross-border cooperation between public national authorities and the free movement of citizens and businesses, i.e. the IMI System and the Single Digital Gateway.

The ‘One-click EU Recognition’ is not yet ready to be the revolutionary new tool for private international law practitioners, but the European Digital Identity Wallet is definitely a topic for us!

Marion is a law professor at Artois University (France)

