The long 'game' still being played here is the pursuit of digital sovereignty, so that the EU is not indebted to foreign-owned technology giants. An autonomously operated 'own brand' of European digital identity certainly aligns with that strategic goal.
The EU already has a regulation on electronic authentication systems (eIDAS), which came into force in 2014, but the Commission's intention with the eID proposal is to expand on this by addressing some of its limitations and inadequacies (such as low take-up and lack of mobile support).
In its latest ambitious digital policy announcement, the European Union has proposed the creation of a framework for a "trusted and secure European e-ID" (also known as digital identity) - which it said today it wants to be available to all citizens, residents and businesses, making it easier for them to use a national digital identity to prove who they are in order to access sectorial or commercial services, regardless of their location in the bloc.
The e-ID framework is also meant to incorporate digital wallets - meaning that the user may choose to download a wallet application to a mobile device where they can selectively store and share electronic documents that they may need for a specific identity verification transaction, such as when opening a bank account or applying for a loan. Other functions (such as e-signature) should also be supported by such e-ID digital wallets.
Other examples the Commission gives where it sees harmonised electronic identity being useful include renting a car or checking into a hotel. EU lawmakers also suggest full interoperability for authenticating national digital IDs could be useful for citizens who need to file a local tax return or enrol in a regional university.
Some Member States already offer national eIDs, but there is a problem of interoperability across borders, according to the Commission, which noted today that only 14% of major public service providers in all Member States allow cross-border authentication with an eID system, although authentications are also said to be increasing.
A universally accepted 'e-ID' could - in theory - help increase digital activity across the EU market, making it easier for Europeans to verify their identity and access commercial or public services when travelling or living outside their home market.
EU lawmakers also seem to believe there is an opportunity to "own" a strategic piece of this digital puzzle if they can create a unifying framework for all European national digital IDs - offering consumers not just a more convenient alternative to carrying around a physical version of their national ID (at least in some situations) and/or other documents they may need to show when signing up to access specific services, but what commissioners billed today as a "European choice" - that is, as opposed to commercial digital ID systems that may not offer the same high-level promise of a "trusted and secure" ID system that allows the user to control entirely who sees which bits of their data.
Of course, several tech giants already offer users the ability to log in to third-party digital services using the same credentials they use to access the giant's own service. But in most cases, that means the user is opening a new channel for their personal data to flow back to the data-mining platform giant that controls the credential, allowing Facebook (etc) to add more detail to what it knows about the user's internet activity.
"The new European digital identity cards will enable all Europeans to access online services without having to use private identification methods or unnecessarily share personal data. With this solution they will have full control over the data they share," is the Commission's alternative vision for the proposed eID framework.
It is also suggested that the scheme could create substantial advantages for European businesses - supporting them in offering "a wide range of new services" on the associated promise of a "secure and trusted identification service". Boosting public trust in digital services is a key element of the Commission's approach to digital policymaking; it argues that trust is an essential lever for increasing the uptake of online services. However, "ambitious" is a polite word for how feasible this e-ID scheme appears to be.
Besides the complicated issue of adoption (i.e. A) making Europeans aware of e-ID, B) getting them actually to use it, C) getting enough platforms to support it, and D) getting providers to create the necessary wallets so that the planned functionality can scale up and be as robust and secure as promised), they also - presumably - need to E) convince and/or force web browsers to integrate e-ID so that it can be accessed in a simplified way.
The alternative (not being embedded in browser UIs) would certainly make the other adoption steps more complicated. The Commission's press release is rather limited in such details, though - saying only that, "Many major platforms will be required to accept the use of European digital identity cards upon user request."
However, a whole part of the proposal is devoted to the discussion of "Qualified certificates for website authentication" - a trusted service provision, also expanding on the approach taken in eIDAS, which the Commission wants the e-ID to incorporate in order to further enhance user trust by offering a certified assurance of who is behind a website (although the proposal says that it will be voluntary for websites to obtain certification).
The upshot of this component of the proposal is that web browsers would need to support and display these certificates in order for the intended trust to flow - which adds up to a lot of nuanced web infrastructure work that would need to be done by third parties to interoperate with this EU requirement. (Work that browser makers already seem to have expressed serious doubts about.) "This regulation may force web browsers to accept additional types of 'trust certificates,'" said security and privacy researcher Dr. Lukasz Olejnik, discussing the Commission's proposal with TechCrunch.
"This comes with a requirement for web browsers to honor these certificates and change the browser user interfaces to display this in some way. It's doubtful that such a thing will actually improve trust. If this was a mechanism to combat 'fake-fake news,' it would be tricky. On the other hand, we have an additional precedent here when web browser vendors are required to change their security and privacy models."
Another big question mark raised by the Commission's eID plan is what exactly the envisaged certification will look like, and how digital ID cards would store - and more importantly protect - user data. That remains very much to be determined at this nascent stage.
There is discussion in the recitals of the regulation, for example, of Member States being encouraged to 'establish jointly sandboxes to test innovative solutions in a controlled and secure environment, in particular to enhance the functionality, protection of personal data, security and interoperability of the solutions and inform future updates of technical references and legal requirements'.
And it seems that a number of approaches are being considered, with point 11 discussing the use of biometric authentication to access digital wallets (while noting the potential rights risks as well as the need to ensure adequate security). European digital identity cards should ensure the highest level of security for personal data used for authentication, regardless of whether such data is stored locally or in cloud-based solutions, taking into account the different levels of risk.
Using biometrics for authentication is one of the methods of identification that provide a high level of trust, in particular when used in combination with other authentication elements. As biometrics represent a unique characteristic of a person, the use of biometrics requires organisational and security measures, proportionate to the risk that such processing may entail for the rights and freedoms of natural persons and in compliance with Regulation 2016/679.
In summary, it is clear that underlying the Commission's big idea of a unifying European e-ID is a complex mass of requirements that must be met to fulfil the vision of a secure and trusted European digital ID that is not simply ignored or left unused by most web users - some requirements highly technical, and others (such as achieving the sought-after widespread adoption) no less challenging.
The impediments to success here certainly seem daunting, yet lawmakers are forging ahead, arguing that the pandemic-driven acceleration in the adoption of digital services has shown the pressing need to address the shortcomings of eIDAS - and meet the goal of "effective and easy-to-use digital services across the EU". Alongside today's regulatory proposal, a recommendation was published, calling on Member States to "establish a common toolbox by September 2022 and to start the necessary preparatory work immediately" - with a target to publish the agreed toolbox in October 2022 and start pilot projects (based on the agreed technical framework) some time thereafter.
"This toolbox should include technical architecture, standards and best practice guidelines," the Commission adds, omitting the big questions still open. Still, the timeline set for mass adoption - of about a decade - does a better job of illustrating the scale of the challenge, with the Commission writing that it wants 80% of citizens to use an e-ID solution by 2030.