Last week we participated in a workshop titled "Towards Principles and Guidance on eID interoperability for Online Platforms", organized by the EU Commission in the context of the Communication on Online Platforms and the Digital Single Market. The goal of the event was to gather feedback and share best practices in order to further develop the principles and guidance on eID interoperability that have to be published by the end of 2017.
In this post we summarize the insights of that workshop.
This post is also available in Spanish.
What was discussed at the workshop on principles and guidance for eID interoperability for online platforms?
The event was organized in two main blocks: a morning session with keynotes and roundtables with industry experts, covering both the user / consumer perspective and the perspective of online platforms and ecommerce; and an afternoon session with the actual workshop, where participants from different backgrounds and with different interests exchanged their ideas.
The morning session opened with a brief talk by Despina Spanou (Director at DG CNECT), followed by a video message from Stefano Quintarelli, member of the Italian Parliament. Both stressed the importance of the eIDAS Regulation (EU) No 910/2014 and the need to align it with other regulations developed recently in different fields, such as the Payment Services Directive (EU) 2015/2366 (PSD2) and Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AML4) for the financial services industry. They also highlighted the importance of eID as a trustworthy source of identity.
Privacy by Design
During the panel discussions, David Martin, Senior Legal Officer of the BEUC, stressed the importance of protecting user data privacy: access to user data should require the explicit consent of the consumer and should follow a data minimization approach.
This concern was shared by Luc Hendrickx, Director of Enterprise Policy and External Relations of the UEAPME, who also underlined the importance of the deliverability and accessibility of the system.
The General Data Protection Regulation (GDPR) - (Regulation (EU) 2016/679) - is a regulation with the aim to strengthen and unify data protection for all individuals within the European Union (EU).
More information: Essential guide to Europe’s new Data Protection Regulation.
The afternoon session, by contrast, had a more hands-on approach: attendees had to tackle different questions provided by the Commission. The session was much more interactive, and we could hear the voices of different stakeholders such as consumer and business organizations, private businesses, trust service providers and Member State authorities.
We participated in some work groups together with representatives from corporate enterprises, business organizations and think tanks to address two main questions:
1. What matters for user authentication for online transactions?
To answer the first question, our group considered that the criteria differ depending on the stakeholder taken into account: the business, the user, or the government / regulatory authority.
If we put the customer at the center of the stage, we thought that the first thing that matters is the convenience of the eID solution, followed by protecting the customer’s privacy by exposing the minimum information needed for the transaction.
From the business perspective, two of the most important points are: first, to have guarantees about the identity of the user, in order to reduce fraud and mitigate risk; and second, the conversion rate of the customer onboarding process, to make sure there are no large drop-offs in this workflow.
2. Which principles for identification and authentication can you identify?
- Global Scalability
- Control / User consent
3. Conclusion and next steps
At Signaturit, as a Trust Service Provider under Regulation (EU) No 910/2014, we are fully aligned with the conclusions of the workshop; that is why we try to combine the legal validity aspects (data privacy, security and enforceability) with the usability of our solutions. We look forward to participating in the coming events and to keep contributing as much as we can to the development and implementation of this new legal framework.
Furthermore, the e-Government and Trust team at DG Connect will work with the inputs and ideas presented during the workshop. The goal is to have a draft of the principles and guidelines by October 2017, and to validate it before the end of the year.