The European Commission, Parliament, and Council made progress towards an agreement on the European Digital Identity Wallet Act on June 28, 2023. This day of inter-institutional negotiations, nicknamed “trilogues”, resolved certain disagreements but failed to finalize the text.
“We have reached political agreement on the key elements of the proposal. There is still work to be done, but we are very close to reaching a final agreement on the whole package,” commented Romana Jerković, the European Parliament’s chief negotiator.
As a preamble to the text, the three institutions have added a guarantee that these wallets will be deployed under “fair, reasonable, and non-discriminatory conditions”. They have also removed the contentious concept of a “unique and persistent identifier”, deemed to be less respectful of privacy. They replaced it with a verification of identity based on a set of personal data.
Parliament also succeeded in imposing new wallet functionalities on its partners:
- issuance and revision of “electronic attribute attestation” directly by users;
- generation and local storage of pseudonyms;
- ability to authenticate another third-party wallet, and exchange attribute attestations from wallet to wallet;
- creation of a dashboard providing access to essential functionalities (such as deleting personal data or reporting suspicious activity).
A few points of disagreement remain, however. For example, wallets will have to comply with a European cybersecurity certification system. But the Council and Parliament were unable to agree on GDPR compliance. The former wants to limit it to a voluntary basis, the latter wants to make it mandatory.
Similarly, no complete agreement was reached on the monetization of certain wallet functionalities. The text now guarantees that the issuance, use for authentication purposes, and revocation of the wallet will be free of charge for natural persons. This means, however, that organizations may be invoiced, particularly for electronic signatures above a certain threshold.
For the time being, despite opposition from the European Parliament, negotiations have retained the introduction of a trusted service for tracking stock market prices. The European institutions have yet to define precisely the responsibilities of the national authorities charged with implementing the digital identity framework.
There is no consensus either on “qualified website authentication certificates” (QWACs). These are intended to authenticate the identity of the person or organization behind a website in order to avoid potential scams. Parliament has added restrictive measures in the event of QWACs infringing privacy, but the issue remains controversial.