
The EU digital ID scheme could be a boon for SMEs but a security nightmare

The EU's plans for a bloc-wide digital ID scheme could be great for businesses and consumers, but may fall down on privacy and security.

Today, the EU announced plans for a bloc-wide digital identity scheme that will allow citizens to use public and private services online. The digital wallet would store payment details, passwords and digital ID cards, and be interoperable across the 27 EU member countries. But the scheme is yet to settle on technical standards, and could be besieged by privacy and security concerns before it gets off the ground.

European Commission executive vice-president Margrethe Vestager and internal market commissioner Thierry Breton. (Photo by Kenzo TRIBOUILLARD/POOL/AFP)

“The European Digital Identity wallets offer a new possibility for [EU citizens] to store and use data for all sorts of services, from checking in at the airport to renting a car,” said European commissioner for internal market Thierry Breton in a statement. “It is about giving a choice to consumers, a European choice. Our European companies, large and small, will also benefit from this digital identity. They will be able to offer a wide range of new services since the proposal offers a solution for secure and trusted identification services.”

The wallet, set to be accessible through fingerprint and retina scanning among other means, would allow citizens to log into local government websites, authenticate their credentials and share electronic documents using a single identity. The EU has pegged the announcement to its vision of post-pandemic life, and the increasing digitalisation the Covid-19 crisis has hastened. Cross-border interoperability of digital services is seen by the EU as a cornerstone of bolstering the digital single market.

“The idea of trying to create this at European level makes absolute sense,” says J Scott Marcus, senior fellow at the Brussels-based economics think tank Bruegel. “And the idea of trying to start with government services […] also makes sense.” The EU is likely trying to emulate Estonia, he says, which has become a pioneer for e-government services in Europe. “One of the first things [Estonia] did [was to] create the electronic ID services – so that is the starting point [and] seems rational.”

The EU Commission will now work with member states and the private sector on developing the technical aspects of the European Digital Identity. The scheme is envisaged to help the EU meet targets set out in the Commission’s 2030 Digital Compass plan, including all key public services to be available online, all citizens to be able to access electronic medical records, and 80% of citizens to use a digital identity solution.

European Digital Identity: The story so far

The EU already has a cross-border legal framework for digital identity (the eIDAS Regulation), which was set up in 2014. However, only 19 countries introduced it, and many of the schemes are incompatible. The current proposal is the result of a European Commission consultation on the existing regulatory framework that ran between July and October 2020 to identify why the previous scheme failed to take off.

Speaking about the consultation, European commissioner for internal market Thierry Breton said: “Activity of citizens and businesses increased during the pandemic. The revision of these rules will answer their growing need for a simple, trusted and secure way to identify themselves online. Improving these rules will also provide the framework for offering competitive, convenient and trustworthy digital identity services.”

If the new scheme is to succeed at attracting citizens, it will have to be sufficiently useful and user-friendly. “Compatibility of such applications and its relative advantage over existing alternatives would play a critical role,” says Yogesh K Dwivedi, director of Emerging Markets Research Centre at Swansea University. “For example, mobile-based payment systems have been available for the last ten years but they are yet to be adopted by [the] masses.”

The EU will reportedly force a structural separation preventing companies that use the system from repurposing customer data for other commercial activities, such as marketing. It also stressed that users of the digital identity solution will be in control of their data. But the melding of public and private services could pose privacy concerns in future. Privacy advocates have repeatedly warned about the potential for digital ID cards to erode civil liberties – particularly when data collected by the scheme ends up being used for immigration control or policing purposes.

Data sensitivity

On the security side, “this puts an awful lot of sensitive data in one place,” says Marcus. Threats from both commercial and government-sponsored hackers have been growing over the years and could endanger the digital ID scheme. “This is a high-value target, both for criminal gangs and for governments. If this data gets out in the wild, it would be bad.”

To ease the transition to an increasingly digital society, strong information security standards should be followed, says Gabriele Lenzini, associate professor in the Interdisciplinary Centre for Security, Reliability and Trust at the University of Luxembourg. These include using open source code that can be inspected for back doors and bugs by auditors and expert security research communities; privacy by design and data minimisation (for example, collecting as little data as possible to prevent overreach and mission creep); building in accountability and auditability with respect to the law; and interoperability in both the technical and legal planes.

But while the scheme will have to offer sufficient temptation to get residents of the bloc to sign up, it could prove useful to businesses in the future. “If it succeeds, it will produce economies of scale for businesses, especially for small and medium enterprises,” says Marcus. He points out that while customers typically don’t mind entering their details for big companies they use frequently such as Amazon, the barriers are higher for smaller companies, which cannot afford the infrastructure and security that bigger companies can.

However, there is a chance that the EU is overestimating the extent to which the digital shift spurred on by Covid-19 will become permanent. A similar initiative called DigiLocker was launched in India in 2017 but is yet to be widely adopted, despite India seeing a surge in the usage of digital payment methods at the beginning of the pandemic, says Dwivedi. As the pandemic receded, digital payments declined again, “So it should be noted that various digital tools may be used more widely for now, but usage frequency and intensity are likely to reduce with improvement in the pandemic situation,” he says.

Laurie Clarke

Senior reporter

Laurie is a senior reporter at Tech Monitor.