The University of Southampton
University of Southampton Institutional Repository

Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures

Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures
Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures
The European Commission has decided to accelerate the use of electronic identification for digital services between Member States through the adoption of the Regulation on electronic identification and trust services, ‘eIDAS’. eIDAS aims at establishing the mutual recognition of national eID schemes whilst offering strong confidentiality, security and protection of personal data. In the meantime, EU’s data protection regime has been updated under the EU General Data Protection Regulation, the ‘GDPR’, which introduced an obligation of ‘data protection by design’ and made explicit a risk-based approach to the protection of personal data. This research explores the interplay between eIDAS and the GDPR. For the interoperability of electronic identification services, eIDAS sets up an Interoperability Framework which comprises technical requirements, required attributes representing a natural or legal person, procedural rules, dispute resolution arrangements, and common security standards. The research findings enable the assessment of the degree that the Interoperability Framework is ‘fit-for-purpose’ for a high level of ‘by design’ protection on intra-EU flows of personal data. A mixed methods triangulation-based approach is used to determine the adequacy of the level of data protection afforded by eIDAS’ Interoperability Framework. Desk research is employed to clarify the substance of data protection by design. A data protection by design methodology is proposed based on risk assessment and it is then used to assess the current specifications of eIDAS. Three case studies of national electronic identification services are analysed in order to elicit the state of the art in terms of data protection by design. The findings are then evaluated through interviews with experts in the field of electronic identification. This thesis argues that the definition of a mandatory set of person identification data, among which a persistent unique identifier, in the current implementation of the Interoperability Framework overlooks the importance of unlinkability and addresses the principles of data minimisation and purpose limitation insufficiently. Further, it asserts that the existence of the mandatory set hampers the effective use of pseudonymisation and will in certain cases lower the level of data protection guaranteed by some Member States. The thesis concludes that lowering the level of data protection would be hard to justify against the contextual factors of data protection by design, i.e. the state of the art, the cost of implementation and the risks posed to the individuals. It suggests a practical solution to increase the level of data protection by implementing pseudonymisation and selective disclosure functionality in the eIDAS-nodes that mediate the communication of the national services. This thesis, therefore, provides contributions that help to understand the newly introduced notion of data protection by design, proposes a way to contextualise its implications for cross-border electronic identification, and offers a way to strengthen unlinkability in the Interoperability Framework.
University of Southampton
Tsakalakis, Nikolaos
eae42e98-58b8-45b9-8c11-35a798cc9671
Tsakalakis, Nikolaos
eae42e98-58b8-45b9-8c11-35a798cc9671
O’Hara, Kieron
d7306468-477d-48f2-9a06-d720841dadc3

Tsakalakis, Nikolaos (2020) Analysing the impact of the GDPR on eIDAS: Supporting effective data protection by design for cross-border electronic identification through unlinkability measures. University of Southampton, Doctoral Thesis, 302pp.

Record type: Thesis (Doctoral)

Abstract

The European Commission has decided to accelerate the use of electronic identification for digital services between Member States through the adoption of the Regulation on electronic identification and trust services, ‘eIDAS’. eIDAS aims at establishing the mutual recognition of national eID schemes whilst offering strong confidentiality, security and protection of personal data. In the meantime, EU’s data protection regime has been updated under the EU General Data Protection Regulation, the ‘GDPR’, which introduced an obligation of ‘data protection by design’ and made explicit a risk-based approach to the protection of personal data. This research explores the interplay between eIDAS and the GDPR. For the interoperability of electronic identification services, eIDAS sets up an Interoperability Framework which comprises technical requirements, required attributes representing a natural or legal person, procedural rules, dispute resolution arrangements, and common security standards. The research findings enable the assessment of the degree that the Interoperability Framework is ‘fit-for-purpose’ for a high level of ‘by design’ protection on intra-EU flows of personal data. A mixed methods triangulation-based approach is used to determine the adequacy of the level of data protection afforded by eIDAS’ Interoperability Framework. Desk research is employed to clarify the substance of data protection by design. A data protection by design methodology is proposed based on risk assessment and it is then used to assess the current specifications of eIDAS. Three case studies of national electronic identification services are analysed in order to elicit the state of the art in terms of data protection by design. The findings are then evaluated through interviews with experts in the field of electronic identification. This thesis argues that the definition of a mandatory set of person identification data, among which a persistent unique identifier, in the current implementation of the Interoperability Framework overlooks the importance of unlinkability and addresses the principles of data minimisation and purpose limitation insufficiently. Further, it asserts that the existence of the mandatory set hampers the effective use of pseudonymisation and will in certain cases lower the level of data protection guaranteed by some Member States. The thesis concludes that lowering the level of data protection would be hard to justify against the contextual factors of data protection by design, i.e. the state of the art, the cost of implementation and the risks posed to the individuals. It suggests a practical solution to increase the level of data protection by implementing pseudonymisation and selective disclosure functionality in the eIDAS-nodes that mediate the communication of the national services. This thesis, therefore, provides contributions that help to understand the newly introduced notion of data protection by design, proposes a way to contextualise its implications for cross-border electronic identification, and offers a way to strengthen unlinkability in the Interoperability Framework.

Text
N_Tsakalakis_PHD_WAIS_201120
Available under License University of Southampton Thesis Licence.
Download (12MB)
Text
PTD_Tsakalakis-SIGNED
Restricted to Repository staff only

More information

Published date: November 2020

Identifiers

Local EPrints ID: 447268
URI: http://eprints.soton.ac.uk/id/eprint/447268
PURE UUID: a9783651-7955-4474-9868-221c472535da
ORCID for Nikolaos Tsakalakis: ORCID iD orcid.org/0000-0003-2654-0825

Catalogue record

Date deposited: 08 Mar 2021 17:30
Last modified: 19 Jul 2022 01:50

Export record

Contributors

Thesis advisor: Kieron O’Hara

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×