Cross-border authentication: mutual recognition of electronic identification means
The Regulation introduces a fundamental new legal rule: an EU Member State is obliged to recognize electronic identification means issued in another Member State. A number of legal requirements will, of course, have to be met before this mandatory recognition of authentication means takes effect. Furthermore, the mandatory recognition is limited to online services provided by public sector bodies.
This limitation to the public sector does not preclude public sector online services from accepting electronic authentication means issued by private parties. This matters because in some EU countries private parties do in fact issue eID means for public services within the framework of a public/private partnership. Examples are the Dutch eRecognition (eHerkenning) framework and the (future) eID framework.
Proper notification of an eID scheme
A Member State is only obliged to recognize eID means issued in another Member State if: 1. those eID means were issued under an eID scheme that fulfills the requirements set by the Regulation; and 2. the European Commission has been notified of that eID scheme and has subsequently included it in the officially published list of notified schemes. According to the Regulation, an eID scheme is ‘a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons’.
Requirements imposed on eID schemes
An eID scheme is only eligible for notification if it fulfills a number of requirements. Some of these are particularly relevant for eID schemes based on public/private partnerships. The Regulation states, among other things, that the Member State must ensure that the ‘person identification data’, which uniquely identify the person in question, are attributed to that person in accordance with the requirements that apply for the relevant assurance level. This raises the question of how roles and responsibilities should be distributed if the Member State itself is not the issuing party. The question becomes especially acute if the issuing party is a private party acting within a public/private partnership. The Regulation suggests that the Member State is responsible for assigning person identification data to its citizens. Does that mean a mistake in assigning those data cannot be attributed to the issuing private party? And how does the use of ‘person identification data’ relate to the directive on the processing of personal data, which requires that the use of a national identification number or any other identifier of general application be subject to specific legal conditions?
A further requirement that must be fulfilled before mandatory recognition takes place relates to assurance levels. To make different kinds of eID means comparable, assurance levels have been defined. A well-known classification is the Quality Authentication Assurance Framework developed by the STORK project (the STORK QAA framework), which distinguishes four levels: level 1 provides no or minimal assurance, level 4 provides high assurance. The levels are determined on the basis of technical and organizational aspects of the authentication process.
The Regulation itself introduces three assurance levels, ‘low’, ‘substantial’ and ‘high’, but does not define them in detail. The European Commission will publish minimum technical specifications, standards and procedures that relate these assurance levels to eID means, based on the reliability and quality of the identification process, the issuing process, the authentication process, and of the entity issuing the eID means.
According to the Regulation, mandatory cross-border recognition of an eID means only takes effect if its assurance level is equal to or higher than the assurance level required by the public sector body. There is also a floor: the public sector body must require an assurance level of ‘substantial’ or ‘high’ for mandatory mutual recognition to take effect. A means issued at level ‘low’ therefore never benefits from mandatory recognition, since it cannot meet a ‘substantial’ or ‘high’ requirement.
* Marten Voulon is a legal researcher at Leiden University’s Center for Law in the Information Society (eLaw@Leiden), a member of the Complaints & Disputes Committee of eRecognition (eHerkenning) and senior legal counsel at NN Group.