The European Digital Identity Wallet: Towards One-Click Recognition of Personal Status and Beyond
Regulation (EU) 2024/1183 establishing the European Digital Identity Framework entered into force on 20 May 2024.
As reported on this blog (at the time of the Commission’s proposal), the major contribution of this Regulation is the creation of a “European Digital Identity Wallet” (EUDIW). It aims to allow citizens and companies based in the European Union to store person identification data (e.g. name, address, gender, civil status) and electronic attestations of attributes (e.g. bank account, birth certificate, diploma, company statute) for cross-border use (see Article 5a of the Regulation). It should also allow users to authenticate and access online public or private services.
Compared to the Commission’s proposal, the final version of the EUDI Regulation reinforces and expands the provisions on the European digital identity wallet to make it more secure, trustworthy and practical for users. In particular, numerous provisions now deal with personal data protection issues based on the GDPR.
Main Provisions of the EUDI Regulation
As summarised in the updated version of the Briefing paper from the EP Research Services on European Digital Identity, the main provisions of the Regulation are as follows:
Member States have to provide citizens and businesses with a European digital identity wallet that allows users to digitally identify themselves, store and manage identity data and official documents (such as driving licences, university diplomas, medical prescriptions) in digital form in all EU countries. The wallet can also be used to digitally sign documents. The European digital identity wallets can be provided either by the Member State itself or by a private-sector provider.
The wallet is voluntary and free of charge for individuals, while businesses may incur costs. It does not replace existing identification and authentication means but complements them.
The wallet contains a dashboard of all transactions and offers the possibility to report alleged violations of data protection. Users can also request that their data be deleted.
The wallet should ensure the highest level of data protection and implement advanced security features such as state-of-the-art encryption and storage methods.
Whenever there is no legal requirement for users to have a legal identity for authentication, they will be able to use freely chosen pseudonyms.
Very large online platforms will have to accept the European digital identity wallet when users wish to log in on them.
Member States have to disclose the source code of the user application software components of the wallet to enable members of the public to understand its operation and to be able to audit and review its code. The disclosure of the source code may be limited for public security purposes.
The Commission has to establish a European Digital Identity Cooperation Group to support and facilitate cooperation among EU Member States.
Web browsers are required to recognise QWACs, so that users can verify the identity of persons or legal entities behind a website. This identity data has to be displayed in a user-friendly manner. In case of substantiated security concerns, web browsers are still allowed to take precautionary measures related to these certificates.
Private International Law Perspective
I propose to briefly present two provisions of the new Regulation in the light of private international law.
Article 5f on Cross-border Reliance on European Digital Identity Wallets
This provision lays down the equivalent effect of European Digital Identity Wallets based on the Regulation with other means of electronic identification and authentication to access an online service provided by a public sector body in the Member States. The same applies for access to essential services (such as energy, banking, financial services, social security, health, drinking water, digital infrastructure or education) provided by private relying parties, and also for online services provided by very large online platforms and search engines (as defined by the Digital Services Act, Article 33).
This gives rise to two main comments. First, European digital identity based on the European Digital Identity Wallet is meant as a “renewed sovereign identity”, towards the “privatisation” of digital identity by major economic operators. In that respect, the European digital identity must be cross-border (i.e. across national borders) and even transnational (i.e. beyond state borders). In that respect, the European wallet will have to be accepted by private tech operators as an identifier for access to their service. On the other hand, the boundaries between domestic identity and European identity will necessarily blur. The European digital wallet is, according to the Union’s competences, of a cross-border nature (cf. Article 114 TFEU); it aims at establishing equal access to cross-border services within the Member States. But when services are accessible online or digital per se, the difference between national and cross-border is much less clear. In this sense, the Regulation encourages Member States to integrate European Digital Wallets “with the ecosystem of public and private digital services already implemented at national, local or regional level […] including by enhanced interoperability with existing national electronic identification means” (Rec. 21). The development of a digital ecosystem at Union level plays a major role in European legal integration based on an area without internal borders. The same observation was recently made in the context of digitalisation of the European judicial cooperation in civil and penal matters.
Article 45b on Legal Effects of Electronic Attestation of Attributes
Electronic attestations of attributes (e.g. bank account, birth certificate, diploma, company statutes) may be stored and managed within the European Digital Identity Wallet. These attestations cannot be deprived of legal effect simply because they are in electronic format. Furthermore, qualified electronic attestation of attributes (i.e. attributes provided by the qualified trust service providers, see Rec. 61 and Annex V of the Regulation) and attestations of attributes issued by (or on behalf of) a public sector body responsible for an authentic source (see Article 45f and Annex VII; e.g. the civil registrar or the clerk of the commercial register) have the same legal effect as equivalent paper documents. Finally, attestations of attributes issued by (or on behalf of) a public sector body responsible for an authentic source (such as civil status documents or company statutes) benefit from the principle of mutual recognition within all Member States.
There is therefore a gradation of normative effects for the attributes contained in the European Digital Identity Wallet. In a cross-border context, these effects will have to be analysed through the lens of private international law. This is what my previous post on the draft regulation began to do. To limit myself here to the mutual recognition of electronic attestations of public documents (as mentioned above), this recognition should be equivalent to that applied to the documents themselves when they circulate from one Member State to another. The European Digital Identity Wallet will therefore have to be coordinated with the Public Document Regulation and the ICCS Conventions (and the circulation of digital public documents organised by these texts).
Fascinating work ahead!
