The European Digital Identity Wallet: Insights from Spain's Data Protection Authority

Written By

Paula Garralon

Senior Associate
Spain

I am an associate in Bird & Bird's Commercial and Privacy & Data Protection department in the Madrid office.

The Spanish Data Protection Authority (AEPD) has published a series of articles on its blog examining the European Digital Identity Regulation (Regulation (EU) 2024/1183), commonly known as the eIDAS2 Regulation. These publications explore the critical data protection and privacy considerations surrounding the EU Digital Identity Wallet, a new framework designed to give European citizens secure control over their digital identities whilst safeguarding their fundamental rights.

Identity as a fundamental right, not a service

The shift towards treating identity as a service rather than a fundamental right raises significant concerns about individuals' control over their personal data, affecting citizens' rights and freedoms, social inclusion and equality. Identity is a fundamental right recognised in international law, with Article 6 of the Universal Declaration of Human Rights stating that "everyone has the right to recognition everywhere as a person before the law", including legal identity.

Having a legal identity is fundamental to human rights, as it allows individuals to be officially recognised as members of society and to access essential services and protections. Without legal identity, individuals face significant challenges in education, employment, healthcare, social protection, financial services and voting. There is a strong connection between legal identity and the right to privacy, which lies in controlling and using personal data linked to this identity, with the GDPR explicitly mentioning identity theft or fraud as one of the risks to the rights and freedoms of natural persons.

The risks of "identity as a service" models

Whilst the owner of identity is the individual and governments must guarantee this right whilst respecting fundamental freedoms, there is a trend to consider identity as a service by creating new identity schemes in particular application domains, where citizens often lose real control and rights over their own identity.

Examples of identity "as a service" include the World Bank Group's Identification for Development Initiative and federated schemes for identity management on the internet, where large technology companies have become identity providers. Many experts highlight how some deployed models focus more on "economic identity", delinked from the concept of legal identity as a right.

Several high-profile implementations have demonstrated the dangers of this approach. The struggles of the ID.me system in the USA and the Verify system in the UK can be attributed to generating inequality that leaves individuals unable to access essential government services. When identity is interpreted as a service, the user is treated as a client or consumer who must adapt to how the service is offered, often by a private third party. When citizens required help or manual/offline methods, the under-resourced fallback solutions were frequently overwhelmed and failed to provide the expected service levels, causing exclusion.

India's Aadhaar scheme, the world's largest identity management system, demonstrates how implementation and governance flaws cause arbitrary exclusions, creating dramatic situations such as the impossibility of receiving financial aid or even starvation, with even a 2% exclusion rate affecting over 20 million people.

The eIDAS2 framework: A rights-based approach

Rather than reinventing the "identity wheel" for each sector or service, the "identity as a right" approach should rely on foundational, reusable elements that can be leveraged by individuals across their personal and professional spheres, with European legislative initiatives such as eIDAS2 following this approach.

eIDAS2 entered into force on 20 May 2024 as a significant update to the original eIDAS Regulation, with the primary goal of enhancing the security, usability and interoperability of electronic identification and trust services across the EU. The European Digital Identity Wallet is a cornerstone of the eIDAS2 framework, allowing EU citizens, residents and businesses to securely store and manage their digital identities in the form of electronic attestations of attributes, with each Member State providing at least one version of the wallet by the end of 2026.

The wallet is designed to preserve privacy, giving users control over their personal data and ensuring that only necessary information is shared in each transaction, and its use is voluntary and free of charge for citizens.

GDPR compliance and user rights

eIDAS2 is designed to align closely with the GDPR, ensuring that the processing of personal data within the context of electronic identification and trust services adheres to principles such as transparency, data minimisation, purpose limitation and data subject rights.

The eIDAS2 Regulation requires the EU Digital Identity (EUDI) Wallet to provide a common dashboard enabling users to view an up-to-date list of the relying parties with which they have established a connection and all data exchanged with them, to quickly request erasure of personal data under Article 17 of the GDPR, and to easily report a relying party to the competent national Data Protection Authority where an allegedly unlawful or suspicious request for data is received.

These provisions ensure that individuals maintain meaningful control over their digital identities and can exercise their data protection rights effectively.

Outstanding privacy challenges

eIDAS2 requires ensuring the unlinkability property, making it impossible to associate different data items or actions with a specific data subject. This is crucial because it prevents the tracking and correlation of a user's activities across relying parties, avoiding profiling and surveillance. However, there is significant agreement among authorities, researchers and practitioners that the current version of the Architecture and Reference Framework still has significant gaps in relation to ensuring all the requirements established by the Regulation.

The best approach could be to rely on cryptographic techniques like randomised or blind signatures, zero-knowledge proofs, anonymous credentials or revocation mechanisms based on cryptographic accumulators, though there is a need for continuous research, development and collaboration to create privacy-preserving solutions that align with the goals of the eIDAS2 regulation.

Conclusion

The eIDAS2 Regulation represents a significant step forward in treating digital identity as a fundamental right rather than a commercial service. As the AEPD's analysis highlights, ongoing attention to implementation details, particularly regarding unlinkability and privacy-preserving technologies, will be essential to ensure the EU Digital Identity Wallet truly serves citizens' rights and freedoms in the digital age.
