Identity as a right
In this post, we discuss the potential implications of treating identity as a service rather than a fundamental right and how the shift towards identity as a service impacts individuals' control over their personal data. The commodification of identity may affect citizens' rights and freedoms, social inclusion and equality and involves different ethical considerations. How can governments balance providing identity services with protecting citizens' fundamental rights and autonomy?
Image by poli_ from Pixabay.
Identity is a fundamental right recognised in international law through various declarations and conventions. Article 6 of the Universal Declaration of Human Rights states that "everyone has the right to recognition everywhere as a person before the law", including legal identity. In essence, having a legal identity is fundamental to human rights, as it allows individuals to be officially recognised as members of society and to access essential services and protections. Not having a legal identity can have significant implications for individuals, affecting various aspects of their lives such as education (enrolling in educational institutions and accessing educational services can be challenging without a legal identity), access to employment (securing a job in the formal economy may be impossible without a legal identity), healthcare (primary healthcare access can be severely limited), social protection (without a legal identity there is a reduced likelihood of benefiting from protection systems), financial services (banking, insurance, pension, and taxation schemes may be inaccessible) or voting (participating in electoral processes requires a legal identity). Individuals who lack legal identity often find themselves residing on the periphery of society, deprived of an official presence and experiencing social exclusion.
Therefore, the right to personal identity is crucial from birth, as it forms and preserves an individual's existence within society, allowing them to enjoy their rights and fulfil their obligations. The right to personal identity is also linked to self-expression, allowing individuals to develop their conscience and personality without interference.
Identity may encompass elements such as name, family name, date of birth, gender, or nationality (since legal identity is often tied to citizenship), although there is no universal standard or agreement. An individual's identity is usually recognised through documentation like birth certificates, identification cards, or passports.
Identity is guaranteed in Spain in the L.O. for the Protection of Citizen Security where, in Chapter III: Documentation and Personal Identification (DNI), it is established that:
- The identity of every person, through the issuance of the DNI, is a right.
- The DNI is the only document with sufficient value on its own for the accreditation, for all purposes, of its holder's identity and personal data, whether in the physical or digital world.
- No one can be deprived of a DNI, not even temporarily.
- The identity of individuals does not belong to the State or a third party but to the citizens.
Today, it is essential to keep in mind that legal identity or status must not only be developed in the analogue or physical world but also in the digital one, where most daily activity occurs.
There is also a strong connection between legal identity and the right to privacy, which lies in controlling and using the personal data linked to this identity. The processing of personal data related to legal identity is a critical aspect of upholding the right to privacy: individuals must be able to control their identity and protect it from any misuse (fraud or identity spoofing but also targeting, profiling or surveillance). Recital 75 of the GDPR explicitly mentions identity theft or fraud as one of the risks to the rights and freedoms of natural persons, of varying likelihood and severity, that may result from personal data processing. Recital 85, on the other hand, identifies identity theft or fraud as one of the potential results of a personal data breach. Finally, recital 88 establishes the importance of assessing the technical measures protecting personal data to limit the likelihood of identity fraud effectively. While legal identity establishes an individual's recognition under the law, the right to privacy ensures that this recognition does not come at the cost of personal freedom and autonomy over personal data.
The owner of the identity is the individual, and the government must guarantee the right to said identity while respecting the rest of the fundamental rights and freedoms. However, there is a trend to consider identity as a service by creating new identity schemes in particular application domains. These new schemes promise different advantages, but the fact is that, in many cases, citizens lose real control and rights over their own identity.
There are instances where the implementation of identity management systems driven by this "as a service" approach has negatively affected populations. For example, the World Bank Group's Identification for Development (ID4D) Initiative is helping countries realise the transformational potential of identity management systems, including civil registration. We can also find examples of identity "as a service" in federated schemes for identity management on the Internet in which large technology companies have become identity providers. However, many experts and activists highlight how some deployed models focus more on an "economic identity" delinked from the concept of legal identity, a right.
What happens when this right is violated, and an individual sees their access to a legal identity that guarantees their ability to act limited? What happens if this limitation is so extreme that their legal identity is completely removed? And if this decision is in the hands of a private company, a specific community, an inefficient administration, or a totalitarian government? For example, the United Nations High Commissioner for Refugees (UNHCR) introduced a biometric identification system for refugees in camps like Dadaab, located in the northern region of Kenya, following the civil war in Somalia. This database was shared with the Government of Kenya as a "service" and integrated with the Register of Persons in 2012.
An estimated 40.000 individuals listed in the UNHCR database are believed to be Kenyan citizens. During a catastrophic drought that devastated the East African region from 2010 to 2012, they frequently entered refugee camps to access food aid, healthcare or education. Many of these individuals had their fingerprints recorded by the UNHCR when they were minors and had not yet applied for a Kenyan national identity card, which is typically obtained at age 18.
Some individuals who have turned 18 and applied for the Kenyan national identity card are facing rejection due to their fingerprints being in the refugee database. There is currently no provision in the registration of persons law that addresses the issue of "double registration". These citizens are uncertain about their identity and are in a state of limbo. The lack of legal identity affects not only the identity of individuals but their children, too. This type of exclusion of specific population groups may also affect participatory or electoral processes.
We can find other examples in different countries pushing towards digital identity systems without proper infrastructure, regulations or governance mechanisms, including explicit models for the necessary public-private collaboration. This has resulted in exclusion and identity crises, with these systems exacerbating social inequality and even poverty.
The struggles and failures of the ID.me system in the USA or the Verify system in the UK can be attributed, in part, to the generation of this type of inequality, which makes individuals unable to access essential government services. If identity is a right, it must be guaranteed for all users, even if they do not have an Internet connection, a last-generation mobile phone, a digital footprint, or the possibility or willingness to undergo a facial recognition process. Besides, individuals should be able to fall back on manual or offline methods of managing their identity.
But interpreting identity is a service, the user is considered a client or consumer who must adapt to the way in which it is offered, often, by a private third-party. Or face the consequences. Which is what happened, when citizens required help or manual/offline methods, under-resourced (human) solutions were frequently overwhelmed and failed to provide the level of service expected, causing exclusion.
Another example can be found in the new digital-by-default welfare system in India. The Aadhaar scheme is a unique 12-digit number linked to citizens' biometric and demographic data. This is the world's largest identity management system. However, different implementation and governance flaws are causing arbitrary exclusions, causing dramatic situations such as the impossibility of receiving financial aid or even starvation. Given India's large population, even a 2% exclusion rate (as documented in different reports) affects over 20 million people.
While these examples do not necessarily indicate that identity is now always a paid service, they do reflect the complexities and potential adverse outcomes when identity management systems are not carefully designed to support a fundamental right guaranteeing privacy and equity.
We must be vigilant and prevent identity from becoming a surveillance, manipulation, or exclusion mechanism. Rather than reinventing the "identity wheel" for each sector (public or private) or service, the "identity as a right" approach should rely on foundational, reusable elements that can be leveraged by individuals across their personal and professional spheres. European legislative initiatives such as eIDAS2 or the passport and travel documents regulation follow this approach, trying to support citizens for access management, payments, data sharing, or age verification, to mention only some examples. This also may ease standardisation and interoperability, create efficiency gains, and establish a platform for specialised innovation.
This post is related to some other materials published by the Innovation and Technology Division of the AEPD, such as:
Entradas relacionadas
Privacy risks when logging in other applications with social media accounts
Read more