Data sovereignty and trusted online identity – COVID-19 vaccination data

Event report

Online identities are vital for many digital services, noted Ms Clara Neppel (Senior Director European Operations, IEEE), the moderator of the session.. Identification is essential, but it remains to ask who should control these models of identification and how to minimise the data exchanged for the services. Recent discussions about COVID-19 vaccination passports have highlighted three approaches to the problem:

• scenario 1: private companies lead the effort,
• scenario 2: government leads the way with a centralized public key infrastructure
• scenario 3: hand some control to citizens 

Scenario 1: private companies lead the effort

First, private companies provide us with secure electronic identification including two factor security and biometric verification. However, this raises many privacy and data-sovereignty concerns.

Scenario 2: government leads the way with a centralized public key infrastructure

Second, government-led centralised public key infrastructure (e.g., EU-eIDAS) regulation has established electronic identification based on a centralised public key infrastructure. This approach has reached very high adoption rates in some countries (e.g., Estonia) and low adoption rates in other countries (e.g., Germany).

Ms Cecilia Alvarez (EMEA Privacy Policy Director, Facebook) clarified the proliferation of proposals of various forms of identification that include or conflict with traditional ID verification. ‘When we see government-sponsored ID systems, such as the European proposal now, as a general rule, these kinds of systems have been specifically addressing how to facilitate government service access like tax paying or voting or other kinds of government-related assistance. We are seeing there’s a trend to invite private businesses to use this kind of system’. But some groups do not have IDs; young people, for example, who haven’t reached a particular age. Also, privacy and civil rights issues arise, for example, when people are forced to reveal their identities to the private or the public sector.

Scenario 3: hand some control to citizens 

Third, some control goes to citizens, for example, the European Self Sovereign Identity Framework. Mr Nishan Chelvachandran (Founder and CEO, Iron Lakes) discussed this approach. He stressed that presently users are not involved in the process of designing the identification frameworks. He added that people want to know how their data is used, not because of lack of trust, but to have the mechanism to determine who uses their data. Thus we need to create a hybrid approach to include citizens within the identification framework design process.

User empowerment and individual autonomy are the priority at the moment, noted Mr Pēteris Zilgalvis (European Commission, Head of Unit, Digital Innovation and Blockchain, Digital Single Market Directorate). Decentralised ledger technology (DLT)-based solutions, such as the digital identity wallets proposed by the European Commission, put citizens in control of their own digital identity. Zilgavis noted that these would allow citizens to link their national digital identities with proof of personal attributes, driving licenses, diplomas, and bank accounts, or to use decentralised ledger technology (DLT)-based self-sovereign identity solutions.

Zilgalvis added that standardisation is a resource-consuming effort. In his opinion, ‘It’s not acceptable to put responsibilities onto the citizen by trying to figure out which framework is safe, and which is not’. The legal framework has to be as simple as the tools for digital identification.

Transparency in identification

‘Contextual transparency is sometimes more useful when you see what data is requested and you understand for which stage of identification it is going,’ noted Alvarez. She added that sometimes people do not like to read long terms of service, so video or image presentations may help to address this concern. Zilgalvis agreed that citizens should have tools to aid in realising their autonomy, but it cannot be too complicated and technical. So he looks with optimism at self-sovereign identity solutions where citizens can control how data is disclosed.

The interoperability of authentication 

There is a need to ensure that digital identity frameworks work across borders and services, noted Neppel. Chelvachandran emphasised that companies use different solutions and models to gather and process data and stated that ‘We need to figure out a way of standardising and allowing for both the normalisation of data and the interoperability of data while including the agency and consented use of such data in these processes’.