thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, June 02, 2012

EU Commission to present regulation on electronic identity cards (Update)

EU information society commissioner Neelie Kroes will present a new regulation on the mutual recognition of national e-ID systems on Monday (4th June), according to news reports. There will certainly be a number of data protection issues related to this.

This is from the Commission Work Programme 2012:
Pan European framework for electronic identification, authentication and signature - Legislative

The proposal will present legislation to boost trust and facilitate electronic transactions notably by ensuring the mutual recognition of electronic identification and authentication across the EU, and of Electronic Signatures. (2nd quarter 2012)
Electronic identification and authentication schemes have a number of data protection issues. EurActiv.com has seen an internal Commission paper which shows that EU Justice Commissioner Viviane Reding (in charge of data protection) seems to only focus on breach notifications.
But I am not sure anyone is addressing the inherent data protection issues related to functioning and non-breached e-ID schemes, such as the problem that the issuing authority ("identity provider" in technical jargon) may be notified every time one uses his or her eID card. I hope that someone reminds the Commission of e.g. the recommendations on "Identity Management and Reputation" from Civil Society to the OECD ministerial meeting "The Future of the Internet Economy" in Seoul in June 2008.

There does not seem to be an EU-wide obligation for member states to introduce eID schemes or even use a harmonised European standard, as had been reported by more eurosceptic, right-wing and conspiracy-driven news websites.

Update: Here is the draft regulation, here is an FAQ from the Commission.