The European Digital Identity Wallet: a major change for individuals and companies

You coordinate the “Values and Politics of Personal Information” chair, working on the “European Digital Identity Wallet”. What exactly is this wallet?

C.L-B : It is the culmination of a long history. The construction of the European internal market provides for the free movement not only of people, but also of goods, services and capital. Hence the idea of creating a digital wallet, interoperable between EU member States, to act as a single window for various identity documents (ID card, passport, etc.). The aim is to enable everyone, whether an individual or a company, to have a digital identity for easy access to an ever-increasing number of dematerialized public and private services. Of course, all this requires reliable, practical identification, to which - and this is important - the data associated with that identification is added. Credentials can thus be stored and shared - driving license, European social security passport, disabled person's certificate, energy bills... But the multiplication of functionalities is quite problematic.

Practically, how will things look for the user? Will we have a single European identity?

C.L-B : Eventually, everyone will be able to have an application on their smartphone (or computer) that will enable them to prove their identity, electronically sign and thus enter into contracts, obtain supporting documents such as diplomas, voting proxies, even train tickets or hotel reservations... With these certificates, they will also be able to retrieve data linked to their identity - called “attributes” - and generate new supporting documents. 
What is notable is that the person will have to use his or her legal identity only when required to do so by law or contract. In other cases, they will be able to generate a pseudonym, enabling them to use several identities. Everyone will retain their freedom of choice and action, since it will not be compulsory to use the European digital identity wallet. This is a very important point. This wallet's approach is therefore in line with European values: it is about putting the user at the center, and allowing him to choose his attributes and the companies or organizations with which he communicates. The idea is, for example, to enable the user to retrieve data from his car insurer, and send it to another insurer to obtain a better commercial proposal.

What is the timetable?

C.L-B : In April 2024, the (EU) eIDAS2 regulation was published, providing a European framework for a digital identity. The horizon is now November 2026. By this date, each EU country will have to issue at least one wallet, with a minimum number of functionalities. France Identité will have to comply with European standards, and be interoperable with public services in other member States.

New practices and new businesses

What are the reasons behind this wallet?

C.L-B : First and foremost, there is an economic goal: to facilitate secure transactions throughout Europe, and to create an infrastructure that enables data sharing. Another strong argument was that of streamlining administrative procedures and reducing the burden of bureaucracy.

So, the entry into service of this wallet will create new habits for all users…

C.L-B : In many areas, the wallet will lead to new practices, for individuals as well as companies. It will be used offline, in a hospital in Italy for example, or to prove that you are over 18 when buying alcohol. The customer experience will also be transformed. It will be possible, for example, to book and rent a car with your smartphone, by presenting your driving license in a secure manner. And there is even talk of paying with digital euro.

As far as companies are concerned, will we see the emergence of new wallet-related businesses?

C.L-B : This will be of major benefit to companies. Their relations with the administration (whether French or from an EU country) should be simplified by facilitating the use of the single digital portal. The company will, of course, be able to sign contracts electronically and issue invoices in the form of electronic attribute attestations, with a certain level of reliability. Perhaps there is a new business to be developed here: issuing these documents in return for payment.
 

What is the role of the Values and Politics of Personal Information chair? How does it work?

C.L-B : This is a research chair created by the Institut Mines-Télécom in 2013 and supported by the institution. Its current sponsors include IN Groupe (ex-Imprimerie nationale), a specialist in identity and secure exchanges, telecom operator Orange, Clever Cloud, a Nantes-based SME, and the CNIL. The Chair combines four disciplines: law, economics, IT and, importantly, philosophy, with a specialist in trust issues. It has a permanent representative in Brussels, where many regulations are negotiated and implemented. France's digital ambassador, Henri Verdier, député Philippe Latombe, CNIL Commissioner, and Bernard Benhamoun, Secretary General of the Institut de la Souveraineté Numérique, all contribute to our discussions.

Since its creation, the Chair has focused on the issues raised by the use of personal data and digital identities. We work on business models, economic impact, issues related to pseudonyms or technical configurations that reveal as little personal data as possible, the strategies users adopt to protect their privacy... In short, everything to do with trust in data processing, including the issue of sovereignty. We are in contact with many players concerned by the application of the RGPD or the regulation on artificial intelligence, at both French and European level. The Chair is not just a forum for discussion: its work leads to texts that will have a very concrete impact on citizens' lives. We try to do our bit to help ensure that all these complex and fragile balances are properly respected, while remaining firmly focused on the goal of progress brought about by digital technology.

A challenge: trade security

Security issues are, therefore, paramount...

C.L-B : Exactly. All European digital identity wallets must offer the highest level of security, the high level, and be based on the principle of security by design. They must be certified for a maximum of 5 years, based on cybersecurity schemes established at a European level, to obtain the wallet trust mark. For their part, service providers (banks, telecom operators, etc.) will have to register at national level and provide a certain amount of information proving that they are trustworthy. They will then be able to appear on a public “trust list”. The company will have to use a specific, secure interface to communicate with its customers' wallet. As for the customer, he will have to provide certain data in his or her wallet, so that the company can rely on him or her. We still have a great deal of research to do on these subjects, and solutions to develop. For example, how can I prove that I am over the age of majority online, without entering any other unnecessary data, including my first and last names?

Does not the digital wallet also raise issues of sovereignty?

C.L-B : The question arises on three levels. First, user sovereignty, which is a priority: users must be able to keep control of their identity and data. That is why the wallet will include a dashboard enabling me to see who I have been in contact with and what data I have transmitted. If I have any doubts, I will be able to notify the Cnil. The sovereignty of member States is also at stake, as identity is a sovereign competence that can be called into question. And above all, there is the question of European sovereignty. The wallet must also be usable worldwide, based on standards defined by international bodies such as the ISO standard for driving licenses. Hence negotiations that raise a number of difficulties, to ensure that data is used in accordance with the RGPD. The chair is working precisely to translate personal data protection principles into technical standards.

Finally, some of the data stored on the smartphone must be stored in a secure area. To access this “secure element”, however, you need the agreement of the smartphone manufacturer, which in most cases is not European. Hence the tough negotiations with American giants such as Samsung and Apple. The same question also arose for data concerning the “TousAntiCovid” application. Plus, every country, every nation has its own relationship with sovereignty, with “its” sovereignty. We need to reconcile them all, both in spirit and in practice.

Where will personal data be stored?

C.L-B : Some will be stored in the smartphone itself, others in the cloud, or on the servers of the organizations with which the user communicates. There is no obligation to store data in the EU. Discussions on European cloud certification (EUCS) have so far led to no requirement for storage on European soil for the highest levels of security. However, at the end of December 2023, the scope of the Foreign Intelligence Surveillance Act (FISA), which authorizes US intelligence services to access the data of non-American companies and citizens, was extended in the name of national security. The risk is that, against the advice of France in particular, which has a high-level Cloud reference framework, the EU will not ensure a sufficient level of data security, sheltered from non-European legislation. We would then be depriving ourselves of the opportunity to remain autonomous and to develop clouds on the continent, reducing our economic dependence. Nevertheless, the aim is to regain control of our own data, whether it is personal or corporate.

A particularly complex project

Will it be possible for private companies to be wallet providers?

C.L-B : Yes, and that inevitably raises questions. In France, this is the responsibility of France Identité. But each country will be able to issue several digital wallets - and choose a private company like Itsme in Belgium to manage the digital identity of its citizens or nationals. By the way, Apple Wallet, Google Wallet and Samsung Wallet are used for security checks at American airports.

What is the main point of contention between European countries?

C.L-B : All countries agree on the level of security. In my opinion, the main problem lies in the implementation of the RGPD rules, in particular to prevent digital identifiers as meaningful as our national insurance number from circulating freely. The current provisions leave it up to each member State to decide whether or not to include such a number in the data used to identify me. France and Germany will not do so. Another point of discussion concerns proof of zero disclosure of knowledge. For example, on the basis of my date of birth, it is possible to construct a mathematical proof of the answer (yes/no) to a question such as “Are you over 18” without revealing at least my age, or even my date of birth.

Are there differences in approach or culture that might explain these differences?

C.L-B : Northern European countries, in particular, are far more digitized than France. For example, some countries no longer have any paper versions of personal documents. All data is digitized, with a back-up in another country.

Are there still many points to be settled before this wallet comes into service?

C.L-B : Its finalisation requires highly complex negotiations between the European Commission and the member States. It involves the adoption of 10 implementing regulations, of which only 5 were adopted by the end of November 2024, and 5 others are currently being negotiated... All of this will be accompanied by 63 standards and technical specifications (of which 33 exist to date). We still have a lot of work ahead of us! But once up and running, this European wallet will be a major change for companies and individuals alike.