Why is the relationship between data protection and digital identity difficult?
Data protection and digital identity may seem incompatible. On the one hand, digital identity, together with innovations like multi-factor authentication and electronic signature, facilitates electronic operations. On the other hand, the massive use of digital technologies brings challenges in terms of cyber security and data protection.
Here are a few reasons why data protection and digital identity can be difficult to reconcile:
- The data collected for digital identity purposes can be quite sensitive. This data can include everything from biometric data to addresses and contact details. Given the sensitivity, it is important to ensure proper protection. However, if this data is not properly protected, it could be accessed and used without the individual’s consent, which would be a breach of data protection law;
- The use of digital identity systems can often involve the sharing of data between different organizations. For example, when an individual uses their digital identity to log in to a website or app, the data associated with that identity may be shared with the service provider. This data sharing can make it difficult to ensure that the data is only used for the purposes for which it was collected and not for any other purpose;
- Digital identity systems can be used to track an individual’s online activity. This tracking can be done by collecting data about the websites and apps that they use, as well as the data they input into those websites and apps. Most of the time this tracking has marketing purposes, but it can have more sinister ones, such as surveillance.
The issue of data protection
Cybersecurity not only concerns companies and public administrations. Ordinary citizens are constantly exposed to cyber risks such as ransomware, phishing, and identity theft. As a Verizon study points out, 80% of cyber attacks after March 2020 relied on vulnerable credentials. Indeed, users tend to choose predictable passwords and often reuse the same one across different services.
In general, according to Cybersecurity Ventures, the global cost of cybercrime is expected to exceed $10 trillion by 2025.
Among the major risks associated with data protection and digital identity, there are:
- Data breach
It can occur when digital identities are stolen or used without the individual’s consent. This can happen through data theft, hacking, or phishing. When data breaches occur, sensitive data such as passwords, credit card numbers, and personal information can be exposed.
- Data privacy
The way data is collected, stored, and used can have a major impact on people’s privacy. For example, the use of facial recognition (a form of biometric recognition) raises serious privacy concerns. This technology can track people’s movements, identities, and even emotions.
- Data scraping
Data scraping consists of extracting users' data from sources like social networks, websites, and databases. Data scraping can be used for marketing purposes, but it can also be used to steal people's identity.
Digital identity, the European Digital Identity Wallet
We can define digital identity as the virtual representation of a real identity. It allows individuals to access a system and carry out activities through the use of unique credentials. This is usually a username and password combination. However, there is also multi-factor authentication, such as two-factor authentication or multi-factor biometric authentication. These are more secure than a common single password because they are more difficult to steal or replicate.
Nowadays, every individual has more than one digital identity. For this reason, the European Union is working to create a single digital identity system, the European Digital Identity Wallet, which allows individuals to store and use their digital identity with just one tool.
It means that users can easily prove their identity to:
- access public and private services, online and offline,
- share digital documents,
- verify personal data without revealing others.
In other words, users always have full control of their data and can choose which information to share, while keeping track of all interactions.
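The ability to "verify personal data without revealing others" rests on selective disclosure: the issuer signs salted hashes of each claim, and the wallet forwards only the claims the user chooses. The block below is an added example, not code from the original article or from the EU wallet project; it follows the SD-JWT-style salted-hash pattern, uses an HMAC as a stand-in for the issuer's digital signature, and uses constructed sample claims.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample identity data for the demo (not a real person).
SAMPLE_CLAIMS = {"given_name": "Maria", "family_name": "Rossi",
                 "birth_date": "1990-04-12", "nationality": "IT",
                 "address": "Via Roma 1, Milano"}

def _digest(disclosure):
    # Commit to (salt, claim name, claim value); the random salt prevents a
    # verifier from guessing low-entropy claims by brute-forcing the digest.
    return hashlib.sha256(json.dumps(disclosure).encode()).hexdigest()

def issue_credential(claims, issuer_key):
    """Issuer: salt every claim and sign only the digests (SD-JWT-style)."""
    disclosures = {name: [secrets.token_hex(16), name, value]
                   for name, value in claims.items()}
    digests = sorted(_digest(d) for d in disclosures.values())
    payload = json.dumps({"issuer": "example-issuer", "sd": digests})
    # HMAC stands in for the issuer's digital signature (simplifying assumption).
    sig = hmac.new(issuer_key, payload.encode(), "sha256").hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Holder (wallet): forward the signed credential plus only chosen disclosures."""
    return {"credential": credential,
            "disclosures": [disclosures[name] for name in reveal]}

def verify(presentation, issuer_key):
    """Verifier: check the issuer signature, then that each disclosure was committed."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, cred["payload"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature invalid")
    committed = set(json.loads(cred["payload"])["sd"])
    revealed = {}
    for disc in presentation["disclosures"]:
        if _digest(disc) not in committed:
            raise ValueError(f"disclosure for {disc[1]!r} was not issued")
        revealed[disc[1]] = disc[2]
    return revealed  # the verifier learns only what the holder chose to reveal

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed issuer key for the demo
    cred, discs = issue_credential(SAMPLE_CLAIMS, key)
    print(verify(present(cred, discs, ["nationality"]), key))
```

The verifier never sees the undisclosed claims, yet it can still tell that a revealed value was altered or was never issued at all.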
eIDAS Regulation and GDPR
The challenges associated with data protection and digital identity are not insurmountable. However, they do require careful consideration and a balancing of the different interests at play. In fact, technological innovation must compromise with the protection of privacy. Likewise, cybersecurity must not hinder people’s access to new opportunities.
In the European Union two regulatory references try to balance data protection and digital identity:
- eIDAS (electronic IDentification Authentication and Signature) Regulation, or EU Regulation No. 910/2014.
It offers a framework and a legal basis for the secure and reliable exchange of data between citizens, institutions, and companies in Europe. It indicates the most appropriate level of authentication and electronic or digital signatures based on the data to be shared.
- GDPR (General Data Protection Regulation), or EU Regulation No. 2016/679
The GDPR focuses on ensuring that privacy and personal data are protected. It does not explain how to use technologies to do this. It simply suggests the procedures that companies and institutions must follow.
The two complement one another: the GDPR says that companies need to protect data, and eIDAS suggests the technical requirements to do so.
Of course, as digital transformation advances, the challenges of making data protection and digital identity coexist will increase. However, at the moment these two regulations can balance freedoms and safeguards, challenges and opportunities.