The Internet Privacy Engineering Network, or IPEN, workshops bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools that can protect and enhance our privacy effectively.
On 22 June 2022, the EDPS and the Cardinal Stefan Wyszyński University co-organised an IPEN workshop titled “Digital Identity in data protection by design – current developments and future trends”, in Warsaw, Poland.
With a large portion of our lives managed and spent online, for example when using online banking or carrying out other administrative steps, we leave a considerable number of digital traces behind us, which make up, more or less accurately, our digital identity (our identity online). We sometimes use this digital identity to demonstrate who we are when signing into our various online accounts to gain authorised access to specific services, such as a governmental interface to pay our taxes.
Having a digital identity may mean that a lot of our personal data is used, or even sometimes misused, by different actors. There is therefore a continuous and strong need for online trust and accountability to protect individuals and society from the risks of generalised and targeted surveillance, and to avoid undermining fundamental rights and freedoms, including democracy, which are at the heart of the EU construction. Data protection law, with its data minimisation principle to only process personal data that is necessary for a specific purpose, is an integral part of building and strengthening the protection of individuals online.
Indeed, a wide debate is ongoing on the organisational and technological choices for designing digital identity schemes and portfolios of personal attributes for digital authorisation purposes that can fully respect the General Data Protection Regulation principle of data protection by design and by default. One example in particular comes to mind: the discussions that the European co-legislators are currently having on an EU policy initiative establishing a European Digital Identity Framework, in which they plan, as a next step, the design of a set of technologies and tools to support the framework.
Against this background, participants of the IPEN workshop, including EU officials, representatives from national governments, academia and private sector specialists, gathered for in-depth discussions on the challenges and available options for compliant and privacy-enhancing solutions within existing and future digital identity initiatives.
The workshop was dedicated to exploring how compatible digital identity solutions can be in the context of data protection. Discussions were held on the possibilities and challenges of using a personal digital wallet. Participants provided examples of how such solutions should be put in place to respect human rights and dignity, how identity requests must abide by the GDPR principles of necessity and proportionality and integrate effective security measures, by default.
Participants exchanged views on the European Commission’s European Digital Identity Framework initiative. Available to all EU citizens, residents, and businesses, the European Digital Identity Framework aims to allow individuals to identify themselves or confirm some of their personal details to access certain services, both online and offline, across the EU. The initiative should enable individuals to selectively disclose their identity attributes, certificates and other credentials when requested. Its aim is also to enable the use of decentralised identity schemes, giving individuals more choices and avoiding full centralisation and the higher surveillance risks that this entails.
As a follow-up to the European Digital Identity Framework initiative, the conversations then progressed to other digital identity solutions and initiatives put in place within the respective EU Member States, as well as outside the European continent, with a particular focus on the privacy aspects of these solutions. Delving deeper into the topic, some of the practitioners invited to the workshop also presented the different challenges and requirements to take into account when designing and deploying identification and authorisation schemes.
As different digital identity solutions and initiatives were presented throughout the workshop, our guests proposed a variety of perspectives and approaches on how to embed privacy and data protection principles into these solutions. On the one hand, an expert reported on an existing national identity scheme that uses a unique identifier for all kinds of transactions, which simplifies the architecture, yet poses serious risks in cases of misuse or security incidents. On the other hand, another expert proposed a framework which puts forward a strong pseudonymised architecture, featuring privacy enhancing technology for the user to keep full control over their data, yet it raises issues on how accountability can be fully put in place in the various implementation cases.
It is clear from the workshop that these types of discussions need to be further developed, especially in light of the multitude of digital identity solutions and initiatives that are emerging, which need to be analysed and understood in order to ensure that these include the necessary technological and privacy measures to protect individuals’ personal data and uphold EU data protection law.
We will continue to organise our IPEN workshops and webinars to explore the developments in the privacy engineering field. We will also continue to work with our colleagues from other data protection authorities, as well as researchers and developers, to monitor the state of the art of technology to make data protection by default and by design a reality.