The European Commission has proposed a framework for a digital identity service for all EU citizens and organisations. What’s the European Digital Identity Wallet all about?
On the 3rd of June 2021, the European Commission announced plans to develop a European Digital Identity Framework. It’s an ambitious and broad plan to enable all EU citizens to share electronic identification and documentation across government and private sector services.
It includes a digital identity wallet which is effectively a digital equivalent to traditional identity documents, like passports and ID cards, but with even wider application across our digital lives.
It continues the spirit of EC initiatives which enable “people, companies (in particular SMEs) and public administrations to safely access services and do transactions online and across borders in one click”.
These are embodied in the “once-only principle” of reduced administrative burden on citizens and business. This is a goal that every citizen experiencing predominantly-paper-public administration can get behind, except maybe the companies making paper forms!
In its Identity Framework recommendations, the European Commission noted hugely increased demand from users and businesses when the COVID shutters came down. Demand was not only for means to identify online, but also for a means to exchange information in a protected and non-fraudulent way. Lack of this capability caught the UK napping, as it raced to band-aid legislation and technical solutions over creaking infrastructure of will witnessing and failed COVID reporting. Across the EU, member states struggled with the need to attest to COVID-19 test and vaccination, with notable exceptions from the likes of the mature and effective identity systems of Denmark and Estonia.
The EC sees amendment of the eIDAS regulation as a route to resilience and removal of economic friction to support the COVID recovery. The European ID and Wallet Framework also supports the EC’s drive to reduce power of outside-EU “tech titans”. If EU residents used (for example) one of the 420 million EU Facebook profiles to log across many apps and services, this might give corporations increasing profiling power, monopolistic access to data, and influence over citizens.
Enter the European Digital Identity Wallet
The European Digital Identity Framework proposes
“self-determined personal digital wallets that would allow for secure and easy access to different services, both public and private, under the user’s full control”.
The Wallet is a mobile application combined with online platforms. The digital ID wallet app is to be offered and promoted to all citizens, and though it won’t be a legal requirement for citizens to install and use it, companies may be mandated to support it.
The EC envision that the Wallet will be used to enable users to link national digital identities with proofs—of other personal attributes such as bank accounts, driving licenses, and qualifications. According to the eIDAS regulation from 2014, digital IDs and signatures offered by an EU state should be useable across borders. But the European ID and Wallet Framework goes further in the drive toward empowering citizen privacy and control. Citizens should be able to choose and track which attributes are shared—and with whom.
In understanding the role of a digital identity wallet in this context, it is important to understand that it is used by the citizen or business to share evidenced or verified attributes—in techno-speak these proveable attributes are called credentials. Anyone can assert that they hold a driving license, and may even be able to demonstrate that they had a license at some point. However, your insurance company is going to want to verify your current, clean driving license with the empowered authority in the UK—the DVLA.
If identity verification is about demonstrating that a claimed identity belongs to a person—giving them what used to be called “single sign on”—the key factor in empowering users with the balance of convenience and safety is how exchange and evidencing of these attributes works in the digital identity wallet framework.
The digital wallet concept is open to interpretation and application, but most would understand it as a “thing you keep important stuff in”. It’s a familiar digital concept—nowadays most of us have wallets on our phone, or at least apps that offer aspects of what a Digital Wallet will do. Apple Wallet and Google Pay hold payment cards and train tickets; Authenticator apps let us provide additional security; we have notes and receipts in different places; in China, WeChat Pay uses QR codes for payment.
In the cryptocurrency space, there are numerous single cryptocurrency or multi-currency wallet apps. Their role is to manage the cryptographic keys which control a Wallet address on a particular blockchain, to enable the transfer of tokens between these addresses. Though such crypto trading might seem obscure, surveys suggest that in 2021 50% of millennials own cryptocurrency.
We don’t yet have a consistent way to control all of these separate pieces, so most of the time we don’t know what the apps are doing with our information. The experience is disconnected. This broad scope defines the gaps that a unified European Digital ID wallet seeks to fulfill.
Technology-wise, digital wallets have a simple purpose—they provide storage for encryption keys and credentials, and software to allow external services to interact with them. It is these keys to data held elsewhere that digital wallets typically store—they are not usually used for the bulk storage of copies of personal data like health, financial records or email(1).
How will the Digital Identity Wallet be implemented?
In this space, standards and interoperability are key. Portable wallet standards promise to unify the world of digital currencies and credentials, and enable a simpler, more interoperable wallet/credential ecosystem. One such is the World Wide Web Consortium’s (W3C) Universal Wallet standard(2). The W3C is the international community of public and private organisations who collaborate to develop web standards. Likewise, the use of proveable attributes is becoming standardised and unified through the W3C’s recommendations around Verifiable Credentials.
It is proposed that the Digital Identity Wallet is to be implemented by each EU member state, with plans to ensure cross-border compatibility across these technical architectures by June 2022. The Commission’s framework leaves member states to decide on their wallet implementations, and the technical infrastructure around them. The implementation of distributed technologies—colloquially blockchain—is implicit in most existing realisations of the standards, and seems likely in member state implementation of the Digital Identity Wallet.
Meanwhile, the DCMS Digital Identity and Attributes Framework is the latest attempt to agree and align a standard approach of principles, policies, and procedures from a UK perspective. This follows the costly and time-consuming twenty-year journey since 2001 through UK Government Gateway, GOV.UK VERIFY, and devolved administrations projects such as Digital Identity Scotland. Despite best intentions, thus far these have failed to realise benefits of reduced costs, or consistency and convenience for the citizen.
However, the DCMS guidelines and standards-based framework approach follows extensive consultation throughout last year. It seems more likely to earn the support of public, private, and tech organisations which is required to get enough implementation to make a difference to consumers and citizens.
Wherever UK plans align, a toolbox for cross-EU implementation of European Digital Identity Wallet Framework is to be ready by October 2022. We should start to see pilot schemes shortly after this date.
What are the benefits and impact of the European Digital Identity Wallet?
The proposed regulation requires that the European ID Wallet is recognised by citizen and consumer online services throughout the EU, mandating that everything from Facebook and banks to local government and health services accept it.
Simply put, the potential benefits are safety, security, convenience and commerce. But all are dependent on widespread support and adoption.
Today there are significant costs and risks for many organisations who must perform due diligence around identity verification. Everyone understands the repetition and overheads around proving user identity. Those states with uniform state-issued digital identity systems, such as Estonia, report a significant benefit to users and companies—totting up to significant GDP impact.
Convenience and time saved will not be the only benefit—the security implications are also notable. In this decentralised approach, data remains in control of the individual. For example, instead of sharing salary details or an education certificate via email to a government service or prospective employer, an individual could instead demonstrate and grant access to existing attested details. This would minimise data duplication and disclosure because copies of documentation would not be sent out to third parties, reducing the risk of data breaches.
Clearly by the widespread support and adoption across such a large domain as the European Union, public and private organisations must respond to the Digital Identity and Wallet framework. The results will be an “upgrade” to security and trust, and a shift to decentralised technologies such as DLT.
There will be implications for the tech titans—such as Google and Facebook—who retain and leverage sensitive personal information and are criticised for their use of this data. Adoption of a European Digital ID may well be a watershed moment in global data security and governance.
What does the European Digital Identity Wallet mean to UK organisations?
Although the UK is no longer part of the European Union, alignment to the European ID and Wallet Framework is clearly essential for any organisation that reaches European customers, citizens or business partners. The UK Digital Identity and Attributes Framework seems to be aligned with this in terms of the goals of realising security and administrative benefits of decentralised digital identity.
However, it notes that UK balance of opinion is set against mandatory identity schemes, and the DCMS specifically decries “centralised identity card systems”, and states that use of digital identity must always be a choice.
Despite this aversion, UK citizens and organisations must be able to participate to avoid falling behind in economic growth and international trade. This means interoperability and alignment of national and international initiatives must be top priority. Fortunately, in 2021, open technology standards and post-COVID prioritisation of identity, trust and secure data sharing issues are better understood.
Organisations should prepare by following the coming twelve months’ developments in Identity, Wallet and Trust frameworks at a UK and European level, and preparing the appropriate technology capabilities accordingly.
Speak to SICCAR
SICCAR provides a shared trust platform for organisations’ secured and trustworthy data. SICCAR is used in solutions which need assured data, such as reliable carbon emissions reporting, trustworthy manufacturing supply chain records, or the evidencing of citizen entitlements and social value. In citizen identity and trust frameworks, SICCAR is used to orchestrate and evidence credentials, and to power up identity wallets.
If you want your organisation to reap the benefits of high-integrity data sharing, our SICCAR platform can help.
1 This central vault approach of a personal data store (PDS) has been discredited by risks of theft or data just becoming old and out of date—which Tim Berners Lee is addressing with the Solid Project.
2 SICCAR subscribe to the universal wallet standard in their organisational wallet implementations.
Speak with us to get started with SICCAR:
We respect your privacy.