Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures

Abstract

The European Commission has decided to accelerate the use of electronic identification for digital services between Member States through the adoption of the Regulation on electronic identification and trust services, ‘eIDAS’. eIDAS aims at establishing the mutual recognition of national eID schemes whilst offering strong confidentiality, security and protection of personal data. In the meantime, EU’s data protection regime has been updated under the EU General Data Protection Regulation, the ‘GDPR’, which introduced an obligation of ‘data protection by design’ and made explicit a risk-based approach to the protection of personal data. This research explores the interplay between eIDAS and the GDPR. For the interoperability of electronic identification services, eIDAS sets up an Interoperability Framework which comprises technical requirements, required attributes representing a natural or legal person, procedural rules, dispute resolution arrangements, and common security standards. The research findings enable the assessment of the degree that the Interoperability Framework is ‘fit-for-purpose’ for a high level of ‘by design’ protection on intra-EU flows of personal data. A mixed methods triangulation-based approach is used to determine the adequacy of the level of data protection afforded by eIDAS’ Interoperability Framework. Desk research is employed to clarify the substance of data protection by design. A data protection by design methodology is proposed based on risk assessment and it is then used to assess the current specifications of eIDAS. Three case studies of national electronic identification services are analysed in order to elicit the state of the art in terms of data protection by design. The findings are then evaluated through interviews with experts in the field of electronic identification. This thesis argues that the definition of a mandatory set of person identification data, among which a persistent unique identifier, in the current implementation of the Interoperability Framework overlooks the importance of unlinkability and addresses the principles of data minimisation and purpose limitation insufficiently. Further, it asserts that the existence of the mandatory set hampers the effective use of pseudonymisation and will in certain cases lower the level of data protection guaranteed by some Member States. The thesis concludes that lowering the level of data protection would be hard to justify against the contextual factors of data protection by design, i.e. the state of the art, the cost of implementation and the risks posed to the individuals. It suggests a practical solution to increase the level of data protection by implementing pseudonymisation and selective disclosure functionality in the eIDAS-nodes that mediate the communication of the national services. This thesis, therefore, provides contributions that help to understand the newly introduced notion of data protection by design, proposes a way to contextualise its implications for cross-border electronic identification, and offers a way to strengthen unlinkability in the Interoperability Framework.

More information

Identifiers

ORCID for Nikolaos Tsakalakis: orcid.org/0000-0003-2654-0825

Catalogue record

Export record