Digital Identities and Trust Services
Whatever the current state of play, digital identities and trust services are set to become an integral part of our daily lives in the near future, underpinning everything from social interactions and dealings with various public authorities, to transactions and exchange of documents, both online and in person. As our reliance on digital platforms grows, so does the importance of trust in these digital identities and documents in digital form. This trust is the cornerstone that ensures the security and reliability of interactions in the digital realm.
What are digital identities?
Digital identities provide a method of asserting and verifying one’s identity or attributes (such as proof of education, driving licence or professional qualification) digitally, without the need for traditional paper-based documents. This data can include usernames, passwords, biometric information, and digital certificates. Digital identities permit individuals and representatives of organisations to prove who they are in both online and offline contexts, proving their eligibility to complete a transaction as a result of possessing certain attributes, such as their name or being over 18.
Building Trust in Digital Identities
Authentication and Verification: Robust authentication methods, such as multi-factor authentication (MFA) and biometric verification, are essential for establishing trust. These methods ensure that the person or entity accessing a system is who they claim to be. Advanced technologies like blockchain and decentralised identifiers (DIDs) are also being explored to enhance the security and reliability of digital identities.
The long-awaited Regulation (EU) 1183/2024 ("eIDAS 2.0"), reforms and revamps the provisions of Regulation (EU) 910/2014, better known as the "eIDAS Regulation". The new Regulation introduces the so-called “European Digital Identity Wallet” or “EUDI Wallet”. This new means of electronic identification allows users to identify and authenticate themselves electronically and to certify certain individual attributes, across borders, to access a wide range of public and private services. Additionally, individuals will be able to use it to sign documents with qualified electronic signatures and as part of strong customer authentication (SCA) systems.
In the UK, physical identity documents such as passports and driving licences are not centrally issued identity cards, and instead operate as proxies. In fact, the UK Government has not issued centralised forms of identification since 2011, when identity cards were scrapped following widespread opposition to their existence. Digital identities are not, therefore, a new identity document but a way to assert identity based upon existing documentation. This adds layers of complexity to the development of digital identities in the UK compared to Europe, where centrally issued identity cards exist. The UK is currently in the early stages of developing a framework for a private sector digital identity market.
Privacy and Data Protection: Protecting personal information is critical to maintaining trust in digital identities. Organisations must implement stringent data protection measures to prevent unauthorised access and data breaches. Regulations like the General Data Protection Regulation (GDPR) in the European Union provide a legal framework for safeguarding digital identities and ensuring that users' privacy is respected. The EUDI Wallet is shaped in such a way to provide control to its users over the scope of data they want to share. Furthermore, any entity asking for confirmation of identity or certain attributes of an individual using digital identities must also ensure compliance with data minimisation principles.
Transparency and Accountability: Trust is built through transparency and accountability. Users must be informed about how their data is being used and have control over their digital identities. Organisations should be transparent about their data practices and be held accountable for any misuse or breaches. Providing clear, accessible privacy policies and obtaining informed consent are key aspects of fostering trust.
The future of digital identities lies in developing more secure, user-friendly, and interoperable systems. Innovations in artificial intelligence, machine learning, and blockchain technology, hold promises for enhancing the security and trustworthiness of digital identities. Furthermore, international cooperation and the harmonisation of regulations will be essential in creating a trusted digital identity ecosystem that transcends borders.
As technology continues to evolve, so too must our approaches to managing and safeguarding digital identities, ensuring that trust remains at the forefront of our digital interactions.
Trust services
Digital identities do not exist in a vacuum. In fact, asserting or verifying someone’s identity is usually only the first step before some kind of digital transaction is done by that person. While electronic signatures have been with us for some time, a few important pieces of the digital ecosystem have still been missing on a European level. This will likely improve with some further additions introduced by eIDAS 2.0.
A long-known limitation of higher levels of electronic signatures, namely low penetration, will be addressed by the new service of remote management of e-signature certificates. This service will allow people to conclude digital transactions using qualified electronic signature without a need to carry a dedicated signature hardware. Presumably it will also provide a much more user-friendly way to complete transactions.
Another practical issue that needs to be tackled by many companies - the need to properly archive electronic documents - will be addressed by the new qualified electronic archiving services. This could help both enterprises and individuals to preserve reliability of electronic documents concluded by them over time.
An electronic ledger, on the other hand, could serve as an immutable book of records in relation to several use cases. Meanwhile the last newly introduced qualified trusted service of electronic attestation of attributes will directly complement the benefits of the EUDI Wallet.
Our digital identities and trust services practice comprises experts from many legal disciplines and supports clients across a range of sectors. We work equally with organisations who are looking to develop and offer compliant digital identity and trust services, as well as those who are looking to procure those services or use them in their own operations, for example for identity or age verification.
Here’s how we can help.
Many jurisdictions have recently introduced, or are in the process of introducing, new regulations that create the frameworks for the use of digital identity and trust services around the world. There is no one unified approach, and this can create challenges for organisations working to develop compliant, multi-jurisdictional offerings. There are also more emerging or changing regulations in sectors and industries where digital identities will be particularly relevant, including gambling and the sale of age restricted products. This means that those providing products and services in those industries will increasingly need to rely on digital identity and trust services, and likewise navigate the range of regulations.
Our extensive European, Middle East and Asia Pacific footprint, as well as our regulatory experts, make us particularly well-placed to help clients stay on top of key regulatory changes and navigate compliance with multiple regulatory regimes.
Data is essential to digital identity and trust services, and compliance with data protection legislation across jurisdictions is central to ensuring trust in those services. Where personal data is involved, our market leading data protection group works with organisations to apply data protection and privacy principles to both those providing digital identity and trust services, and those using those services with their customers. The wider field of emerging data regulation, from the EU’s Data Act to diverging data localisation laws, as well as contractual, competition and IP aspects of handling data, all have significant implications for the use of data in connection with digital identity and trust services.
As our clients develop and utilise digital identity systems, products and solutions, they are increasingly calling on our specialist commercial lawyers to help them craft contracting frameworks covering everything from scheme framework agreements, intra-scheme agreements and flow down provisions, to the development of product- and service-specific end-user terms and conditions. We understand the emerging market practice for managing intra-scheme liabilities, regulatory risks and data protection issues, and use this expertise to benefit our clients when contracting for digital identity and trust services.
Why Bird & Bird?
We respond proactively to the continuous business transformations driven by new technologies in all key sectors of the economy.
A snapshot of our recent experience
- Advising a major international bank on its e-signature services project, regarding compliance with data protection rules, in particular, transfer of data to a third country, data processing by electronic means and bank secrecy regulations.
- Advising a private hospital on digital archiving of corporate documents and use of electronic signatures.
- Advising an American multinational financial services corporation on digital identity services.
- Advising a leading global Internet company on enforceability of “click-to-accept” and e-signature in B2B and B2C online contracts.
- Advising a pension insurance company on the protection of personal data in KYC processes.
- Advising a system software company on the use of electronic signature to sign employment contracts
- Advising a manufacturing company on the validity of Docusign electronic signature solution for contracts with suppliers, customers and commercial partners.
If you want to learn more about how we can help you with digital identities & trust, get in touch with a member of our team of Lawyers.
