Commission launches e-identity initiative

passport_visa.jpg

The European Commission will publish today (4 June) a proposal to encourage the take up of e-signatures and e-identities across Europe, gathering praise from companies but raising a controversial debate around the protection of privacy and the security of personal data.

A new draft regulation will update the existing e-Signatures Directive, extending its scope to include new services such as e-stamping or e-seals which are meant to guarantee the origin and the integrity of an electronic document.

The use of electronic identities across EU member states is set to be boosted by the initiative as the stated objective of the Commission is to maximise the cross-border potential of electronic identities held by EU citizens and companies.

If the proposed regulation is approved by lawmakers in the EU Parliament and Council of Ministers, citizens’ e-identities will be automatically recognised in other EU member countries without need of extra paper work.

"The proposed Regulation will ensure mutual acceptance of electronic identification schemes (eIDs), e-Signatures and related online trust services," said Ryan Heath, spokesperson for Digital Agenda Commissioner Neelie Kroes.

"The sorts of groups it will help include citizens moving or marrying abroad, students, small businesses, medical patients," Heath said.

"But it will not, for example, oblige EU member states to introduce national identity cards, nor would it introduce a European ID system or force individuals to obtain an ID card or passport," Heath said in response to privacy campaigners.

For companies operating across the EU's internal borders, the advantage would be to access tenders in other countries in a shorter time and with less red tape.

National authorities would be obliged to recognise electronic identities certified in other member states, shortening identification procedures for foreign citizens or businesses.

An EU project, called Stork, has already identified a common platform where the 17 member states which have participated to the initiative, can mutually recognise e-IDs.

No obligation to introduce national IDs

To allay critics coming from privacy protection groups, the Commission underlines that the new legislation would not oblige member states that do not have electronic IDs to introduce them. Many member states at the moment have no e-IDs, and some like Britain have no IDs at all.

Among the possible beneficiaries of the new rules are “students who could register for a foreign university online, rather than having to travel abroad to complete the paper work in person” or “patients needing medical assistance abroad who could securely check or authorise a doctor to access their online medical records,” the Commission says.

Brussels also ensures that “the proposals are designed to avoid the centralisation of information”. No new database will be created. “There is no aggregation of information, beyond the aggregation that already takes place in national systems,” according to a Commission document.

Moreover, the security of the electronic use of personal data in other countries will be protected with state-of-the-art technology and procedures, the Commission insists. Under the proposal, unnecessary data will not be revealed, it says.

“If a teenager wanted secure access to a chat room for 14-18 year olds, or gamblers needed to prove they were of legal age, the website should only check information about their age from the e-ID card. Other details such as nationality and address would not need to be revealed,” stresses the Commission paper to be published today.

The other side of the coin

The proposed legislation has been drafted with care to meet concerns of civil rights groups and normal citizens which feel threatened by a perceived invasion of their private life by public authorities.

Reactions to a EURACTIV story, which unveiled details of the Commission proposal two weeks ago, provide a snapshot of the most common worries expressed by citizens. "I will not accept that I need to have a card to produce to tell me and every one else who I am and where I come from," said Anne Palmer, a EURACTIV reader. "We fought to be free and we will again fight to be free," she said in response to another reader who wondered why British people were so vehemently opposed to ID cards.

Against such an emotional background, the Commission underlines that harmonisation of e-identities is not required by the proposed new European rules.

However, the eventual target is obviously to favour an increased take up of electronic identities across borders. And it is always better and more practical to have them harmonised across the EU.

Member states that refuse to use e-IDs will be cut off from the advantages of easier identification across borders. An incentive will be established for member states to equip themselves with e-IDs. Best practices will be exchanged and followed, leading to de facto harmonisation.

This outcome is not bad news as it would make the life of many citizens easier, the Commission argues. But it may create controversy in nations where concerns about privacy are higher, notably in the United Kingdom where citizens have long opposed the introduction of real world identity cards.

Data protection

Security is also a matter of concern. Data breaches are on the rise as more activities move online.

Current data protection systems are not always appropriate to face increasingly sophisticated techniques to steal data and identities in the electronic world. Without seriously beefing up security requirements for the public and private sector, eIDs could also provide new opportunities for internet fraudsters and criminals organisations to thrive on.

The fact is that increasing security also bears considerable economic and reputational costs. And private companies and governments have every interest in protecting themselves from such risk.

The EU Commissioner in charge of ICT, Neelie Kroes, said: “People and businesses should be able to transact within a borderless digital single market, that is the value of internet. Legal certainty and trust is also essential, so a more comprehensive e-Signatures and e-Identification Regulation is needed. This proposal will mean you can make the most of your e-ID, if you have one. With mutual recognition of national e-IDs and common standards for trust services and e-Signatures, we can prevent a national carve-up of the internet and online public services and make life easier for millions of businesses and even more citizens.”

Replying to a public consultation earlier launched by the European Commission on e-Identities, the French Pirate Party commented: “We would like to underline the fact that, while the help of the Europe is not imperative to such systems, the risks for rights like privacy and freedoms like freedom of expression makes it important to legislate and prevent any abuse.”

The Party called for avoiding the centralisation of data storage and to allow citizens to disclose the minimum of personal informal. Both requests seem to have been taken on board by the Commission proposal.

ChamberSign, the association of Chambers of commerce delivering e-Signature related services advised to “adopt a coordinate approach for the delivery of certificate to legal person, to the concept of secure signature creation devices, to the quality of mobile created esignature, to the security requirements for signature algorithm; and to simplify the use of e-Signatures by end users by the set up of a European central validation service, a single definition of e-Signatures, improved integration of e-signing functionalities in software and hardware.”

“We are glad that the Commission wants to take initiative in this area. SMEs in Europe will benefit from a harmonised system for e-signature as it facilitates transactions, especially across the border. The main conditions for e-signature to be a success for SMEs are to be simple and not costly. Also, e-signature must remain a free choice for companies that want to use it. If it becomes an obligation, then it will be just a new burden for our economy,” Sebastiano Toffaletti, secretary general of PIN-SME, the main association of SMEs active in the sector of information and communications technologies.

An electronic identity can be confirmed through certificates and e-signatures. In general terms, an electronic signature is any identification or signature in electronic form. This can range from a scanned signature to a PIN, in the most advanced options.

The e-signatures Directive states that an advanced electronic signature is an electronic signature “which uniquely links the signature to the signatory”. But so far, only certain digital signatures meet these requirements.

A digital signature consists of the use of a pair of two different but linked keys, a private and a public key. The private key (only known to the owner of the signature) is used to ‘sign’ a message. A recipient can verify the signature by using the sender’s public key (available to all). A certificate links the signature and the signatory and identifies the signatory. Certificates are issued by recognised certification authorities.

Subscribe to our newsletters

Subscribe

Want to know what's going on in the EU Capitals daily? Subscribe now to our new 9am newsletter.