eIDAS2, the EUDI wallet and the GDPR (I)

Control over the data subject's own identity is one of the most important aspects of data protection today. The introduction of eIDAS2 marks a significant evolution in the European Union’s (EU) approach to digital identity.


Central to this initiative is the European Digital Identity wallet, a user-friendly tool in the form of a mobile app designed to store, manage and present digital attestations. By integrating this wallet with public and private services, the EU seeks to empower its citizens with more secure identification and authentication, and with greater control over their personal data. The alignment of the initiative with the GDPR principles and requirements is essential to foster trust in the new approach and, in general terms, in digital transactions.

Recital 7 of the GDPR states that “Natural persons should have control of their own personal data”. Identity is the most important aspect that defines personal data (Article 4(1) GDPR) and it is a fundamental right as laid down in Article 6 of the Universal Declaration of Human Rights, stating that "everyone has the right to recognition everywhere as a person before the law". In addition, identity is guaranteed in Spain by the Ley Orgánica de Protección de la Seguridad Ciudadana.

The digital transformation of Europe is accelerating, and at the core of this transformation lies the need for secure, public electronic identification, including interoperable digital signatures, to provide people with control over their online identity and data as well as to enable access to public, private and cross-border digital services. The European Union (EU) has been at the forefront of this movement with the introduction of the eIDAS Regulation in 2014 (Regulation EU No 910/2014), which established a framework for electronic identification and trust services. However, as technology and citizens’ needs have evolved, so has the regulatory landscape. This has led to the development of eIDAS2.

Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (eIDAS2) entered into force on 20 May 2024 as a significant update to the original eIDAS Regulation. The primary goal of eIDAS2 is to enhance the security, usability, and interoperability of electronic identification and trust services across the EU. This updated regulation aims to address the limitations of the original framework by introducing a trusted and user-friendly system for digital identification. One of the critical features of eIDAS2 is the mandatory acceptance of electronic identification means issued in one Member State by all other Member States, thereby fostering greater cross-border digital interactions.

The European Digital Identity (EUDI) Wallet is a cornerstone of the eIDAS2 framework. This digital wallet will allow EU citizens, residents, and businesses to securely store and manage their digital identities (in the form of electronic attestations of attributes). The EUDI Wallet will enable users to authenticate their identity, store digital credentials, and easily access a wide range of service providers (Relying Parties), relying on a mobile app. Each Member State will provide at least one version of the wallet by the end of 2026, ensuring interoperability and a consistent user experience across the EU. 

The wallet is designed to preserve privacy, giving users control over their personal data and ensuring that only necessary information is shared in each transaction. The wallet is intended to be suitable for transactions with both the public and private sectors, and its use is voluntary and free of charge for citizens.

Figure: EUDI wallet instance

The Architecture and Reference Framework (ARF) is a critical component in developing and implementing the EUDI Wallet. The ARF provides a set of common standards, technical specifications, and best practices that Member States should follow to ensure the interoperability and security of the digital identity solutions. By adhering to the ARF, Member States can develop wallet solutions that are compatible with each other, facilitating seamless cross-border digital interactions. The ARF is designed to be flexible and adaptable, allowing for future technological advancements and innovations. The current version is 1.4.1, although at least one update is expected in 2025.

To ensure the successful implementation of eIDAS2 and the EUDI Wallet, the European Commission will adopt a series of Implementing acts. The first batch was approved in November 2024. These acts provide detailed rules and guidelines on various aspects of the regulation, including technical specifications, security requirements, and interoperability standards. Implementing acts are essential for translating the high-level objectives of eIDAS2 into practical and actionable measures. The contents of the ARF have informed the content of the Implementing acts, which, once adopted, will be legally mandatory for every Member State.

The interplay between the eIDAS2 Regulation and the General Data Protection Regulation (GDPR) should also be crucial for ensuring privacy-preserving Implementing acts that give data subjects real control of their own personal data.

eIDAS2 is designed to align closely with the GDPR. This alignment ensures that the processing of personal data within the context of electronic identification and trust services adheres to the principles and requirements established by the GDPR, such as transparency, data minimisation, purpose limitation and data subject rights.

The eIDAS2 regulation requires Relying Parties to perform Data Protection Impact Assessments (DPIAs) and to consult the competent Data Protection Authorities prior to data processing where the DPIA indicates that the processing would result in a high risk (recital 17).

The eIDAS2 regulation also requires that users be able to track all transactions executed through the EUDI wallet, with at least the following data: the time and date of the transaction, the identification of the counterpart, the personal data requested, and the data shared (recital 13). The regulation requires the EUDI wallet to support users’ full control over their data, selective disclosure of data, pseudonyms, the use of embedded disclosure policies, and the logging of all transactions (Articles 5a.4 and 5a.5).

Concerning full control over their data, the eIDAS2 regulation requires the EUDI wallet to provide a common dashboard enabling the user to view an up-to-date list of Relying Parties with which the user has established a connection and, where applicable, all data exchanged; to quickly request the erasure by a Relying Party of personal data under Article 17 of the GDPR; and to easily report a Relying Party to the competent national Data Protection Authority where an allegedly unlawful or suspicious request for data is received (Article 5a.4).
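The following is an added illustrative model of what the wallet-side obligations described in the two preceding paragraphs amount to in code: a local transaction log carrying the four fields of recital 13, selective disclosure of only the attributes the user consents to, a pseudonym used towards a Relying Party, and the dashboard, erasure-request and report functions of Article 5a.4. It is not code from the ARF, from any Member State wallet or from the AEPD; the attestation values, the Relying Party names (`shop.example`, `bank.example`) and the message formats are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample attestation held by the wallet instance (values are invented).
ATTESTATION = {
    "given_name": "Ana",
    "family_name": "Garcia",
    "birth_date": "1990-04-12",
    "age_over_18": True,
    "nationality": "ES",
}


@dataclass(frozen=True)
class TransactionRecord:
    """One entry of the wallet's local transaction log (the recital 13 fields)."""
    timestamp: str            # time and date of the transaction
    relying_party: str        # identification of the counterpart
    requested: tuple          # personal data requested by the Relying Party
    shared: tuple             # personal data actually shared
    pseudonym: Optional[str]  # pseudonym used towards this Relying Party, if any


class WalletInstance:
    def __init__(self, attestation: dict):
        self._attestation = dict(attestation)
        self._log: list = []

    def present(self, relying_party: str, requested: list, consented: set,
                pseudonym: Optional[str] = None) -> dict:
        """Selective disclosure: release only the attributes the user consented to
        for this request and that the attestation actually contains. The request
        is logged in full, including what was asked for but not shared."""
        shared = {a: self._attestation[a]
                  for a in requested if a in consented and a in self._attestation}
        self._log.append(TransactionRecord(
            timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            relying_party=relying_party,
            requested=tuple(requested),
            shared=tuple(shared),
            pseudonym=pseudonym,
        ))
        return shared

    def history(self) -> list:
        return list(self._log)

    def dashboard(self) -> dict:
        """Up-to-date list of Relying Parties the user has dealt with and every
        attribute ever shared with each of them (Article 5a.4)."""
        view: dict = {}
        for rec in self._log:
            view.setdefault(rec.relying_party, set()).update(rec.shared)
        return view

    def erasure_request(self, relying_party: str) -> dict:
        """Build an Article 17 GDPR erasure request listing exactly the attributes
        this Relying Party received. Transport of the request is out of scope."""
        attrs = self.dashboard().get(relying_party, set())
        return {"type": "gdpr_art17_erasure", "relying_party": relying_party,
                "attributes": sorted(attrs)}

    def report_to_dpa(self, relying_party: str, reason: str) -> dict:
        """Build a report to the competent Data Protection Authority about an
        allegedly unlawful or suspicious request, attaching the relevant log entries."""
        entries = [rec for rec in self._log if rec.relying_party == relying_party]
        return {"type": "dpa_report", "relying_party": relying_party,
                "reason": reason, "transactions": entries}


def demo() -> dict:
    """Worked run on the constructed attestation; returns the results for checking."""
    wallet = WalletInstance(ATTESTATION)
    # A shop asks for the full name and an age proof; the user consents only to the
    # age proof and is known to the shop under a pseudonym rather than by name.
    shop_shared = wallet.present("shop.example",
                                 ["given_name", "family_name", "age_over_18"],
                                 consented={"age_over_18"}, pseudonym="user-7f3a")
    wallet.present("bank.example", ["given_name", "family_name", "birth_date"],
                   consented={"given_name", "family_name", "birth_date"})
    return {"shop_shared": shop_shared,
            "dashboard": wallet.dashboard(),
            "erasure": wallet.erasure_request("shop.example"),
            "report": wallet.report_to_dpa("shop.example", "asked for name without need"),
            "log": wallet.history()}


if __name__ == "__main__":
    for rec in demo()["log"]:
        print(rec)
```

The point of the model is the split between `requested` and `shared`: the log records what the Relying Party asked for, and the dashboard derives from the log alone which attributes each party actually holds, so an erasure request or a report to the authority can be built from the wallet's own records without asking the Relying Party.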

The eIDAS2 regulation requires that personal data relating to the provision of the EUDI wallet be kept logically separate from any other data held by the wallet provider (article 5a.14).

The eIDAS2 regulation requires that the EUDI wallet not provide any information to trust service providers of electronic attestations of attributes about the use of those electronic attestations (Article 5a.5). Furthermore, the regulation requires unlinkability properties (recital 14, Article 5a.16) and revocation mechanisms for both the wallet and the attestations (Articles 5a.13, 45d, 45f).

There is a significant degree of agreement across the entire community (authorities, researchers and practitioners) that the current version of the ARF still has significant gaps in relation to ensuring all these requirements established by the regulation. Data Protection Authorities should be vigilant to confirm that the measures listed in the previous paragraphs are included in the Implementing acts and in the updated ARF, and that all this enables the development, and even certification, of GDPR-compliant wallet products.

The next post in this series will be dedicated to the implications that EUDI wallets may have for data protection in different use cases.

This post is related to some other materials published by the Innovation and Technology Division of the AEPD, such as:
