At a recent discussion organised by the e-Estonia Briefing Centre, different experts discussed the new version of the EU’s regulation on electronic identification and trust services (eIDAS) and what can be learned from Estonia’s 20+ year-long experience with digital identity.
Europe catches up with Estonia
Estonia’s acclaimed digital ecosystem was established as early as the 1990s, and the digital identity built on it has become a seamless part of its public services. Based on interoperable databases, secure authentication through X-Road and a personal identifier number allows access with the same identifier and makes it possible to link medical records, banking, driving licences and so on.
However, cross-border use of eIDs has been lacking, and to that end, the EU’s current efforts to develop eIDAS are a step in the right direction. Even if the billions in financial benefits are exaggerated, the true value of digital transactions has become evident because of COVID. The opportunity to continue life more or less as before, even without physical access to government (or other) offices, is more alluring than ever. Also, the proposed cross-border identification and sharing of records is a push toward creating a true single market in Europe.
In addition, the process of adapting digital identity in Europe can be seen as improving on existing approaches combined with technological progress, which is known in the political science literature as policy learning. As such, it can only be applauded.
The curves and bumps of rapid policy learning
Yet, every policy process has its bumps and curves. The first version of eIDAS was ready in 2014 and implemented in 2016. Now, the Commission is already working on an updated version. This accelerating speed of policy updates may seem good, but it is not without its discontents.
The official explanation behind updating the regulation so quickly is that the older version of digital identities was not obligatory for EU countries. As a result, only 14 of them completed their eID schemes, which were all different. The new policy will be mandatory for countries, which punishes those who have already achieved more and makes finding a common solution difficult.
Madis Ehastu, Estonian Seconded National Expert at the European Commission, who is actively developing the new eIDAS policy, said that one of the key difficulties lies in finding common approaches given the substantial variations in legislation and culture.
“For instance, eIDs depend on their surrounding ecosystem. If it has been decided that two banks or ministries should not use the same identifier for customers, exchanging data about them is seriously more difficult than in Estonia where a common personal identifier is used across organisations and domains,” he commented.
Second, the logic of technological development processes may not match quick policy development. According to Laura Kask, CEO of Proud Engineers, a consultancy for digital development, the full adoption of new technologies takes 7-8 years. The policy process of elections is much faster, and politicians may lose patience.
“As an example, the Estonian ID-card also took several years until it could be used for the variety of services we see today. We need enough time to allow people and businesses to get used to new solutions,” she said.
Thirdly, rapid policy change is detrimental to investments and development. According to Kalev Pihl, CEO at SK ID Solutions, the company behind much of the technology used in Estonian digital identity, the sales of digital identity solutions in Europe have virtually halted in anticipation of the new regulation.
“The new policy is promising an ‘EU wallet’ and ‘EU identity’ to be available for everyone and mandatory to issue and use for service providers. It is such a large shift in mindset, and there is no real data on what it involves, that it is hard to prepare for it practically. There are many questions in the air and leaders in public and private sectors are reluctant to make decisions until they are answered,” says Mr Pihl.
Identity management: state vs business
At the same time, tech giants like Apple and Google are developing their own digital identity solutions. This is not bad. But some voices advocate for relying more on existing technological solutions instead of developing state-centred ones. According to the discussants, this may be a mistake, but it would be just as much of a mistake to ignore these solutions or go against them.
The main issue boils down to privacy vs comfort. People may be willing to forgo a bit of their privacy for services (such as personalised medical treatment), but governments have to ensure that this trade-off is a fair one. At the same time, the discussants pointed out that in many countries trust in the government’s handling of personal data is low. Still, we can justly ask: how much of this trust exists in tech giants?
“States and tech giants have completely different aims for identifying their ‘clients’,” says Mr Pihl. “Tech giants are not so much interested in data integrity, in making sure that a single person is connected to a single account or that they know everyone, but more in profiling, so that they can raise the sales value of their user base. This is well displayed to the public in the debate on Twitter’s valuation and the interpretation of the user numbers there.”
Currently, the European Commission aims to develop its own eID solutions, which will compete with the tech giants’. In doing so, the EC should learn from the tech companies’ successes, such as user comfort, and develop its own accordingly. Otherwise, the clients will not start using the app the European Commission is providing.
“In addition to developing an interoperable Wallet solution, we also depend on other policy domains,” says Mr Ehastu. “For example, the authorities in charge of driving licences in all EU countries should mutually recognise digital licences from other countries, even when they are presented on a mobile phone.”
What to learn from Estonian experience?
Since Estonia has successfully used digital identity for three decades, the country can offer some suggestions. According to Ms Kask, there are two main ones.
First, identity, its handling, authentication, and technical solution should be centralised within countries. Without this, the adoption of any digital solution suffers. Also, without one responsible entity in charge of maintaining accurate data on individuals, the responsibility will dwindle, and data quality will suffer.
Second, there should be a multitude of carriers and tools for identification. Here, Estonia offers a crucial example from the ID-card crisis of 2017. Back then, the ID-card chips were under potential attack and Estonia had to suspend the certificates of 750 000 ID-cards, but this did little to disturb transactions because mobile-ID identification functioned well. Now, there are at least four ways of using digital identification (ID-card, Smart-ID, mobile-ID, and PIN-calculator for banks), all following the same framework and principles. This offers high resilience and is user-friendly.
We wish the new digital identity regulation Godspeed and hope these lessons can smooth the way for new policy development and adoption.