The term Digital Public Infrastructure (DPI) encompasses digital identity and also includes digital payments and data exchange. Such systems provide a digital platform that’s created by or on behalf of the state and that is used by people and companies to exchange data, identities, money, goods and services in a regulated way that provides certain legal assurances.

With the creation of easy-to-use, cheap, legally-binding digital identity platforms we risk losing anonymity in many daily interactions. We call this risk over-identification, which is amplified when digital identity systems are opened to the private sector. When we are constantly asked for our most sensitive health, financial or identity information there is also the risk of over-sharing personal information. As these are general purpose systems, able to reach in all areas of life from shopping, doctor visits, public transport or online activity, observing user behaviour can create a panoptical situation in which operators of the system know everything everyone does all the time.

No digital system will fit all people. We should not forget the elderly, less digital literate, more privacy-friendly or stateless people. Therefore, we need to ensure that the law protects everyone who chooses not to use the system. There must be a right to opt-out of digital identity systems without suffering from negative consequences like higher prices or refusal of services. The law and administrative framework also has to ensure that everyone has a right to a Digital Public Infrastructure and that there are no costs attached to it.

For any DPI ecosystem to deserve the trust of people, it needs to have strong protections against bad actors and data hungry companies. Companies and public sector entities should have to register their use cases and be limited to only ask from people the information that is necessary for these use cases. Bad actors must be expelled from the ecosystem and their registration revoked. In many situations putting the full burden to say no on the shoulders of users would not be legitimate. Users need to be in control of their full transaction history with means to exercise their data subject rights, including launching a complaint against a company and demanding the deletion of their data from them. Whenever a request for information is received, the user needs to know who is asking (symmetrical identification).

Biometrics are very often used to authenticate someone using a digital identity system. Biometric data is particularly sensitive, since it can’t be changed like a password and not everyone has all fingers, eyes or other characteristics. Therefore, biometrics shouldn’t be a precondition for using Digital Public Infrastructures. Uploading such data to a cloud requires the prior explicit consent of the user and it needs to be specially protected.

Our work on this issue started in 2017 with a legal analysis of the Austrian national digital identity system. With the COVID-19 pandemic we were thrusted into a huge debate about public digital systems that deal with the health emergency. Most prominent about them were the contact tracing systems and the EU Digital Covid Certificates (QR codes for vaccination, recovery, testing), both exemplary in their high privacy-safeguards and earned trust from large parts of society. From 2021 to 2024 we were deeply involved in the creation of the European Digital Identity System (eIDAS reform, EUID Wallet). Starting 2023 we also worked on the Digital Euro and the Right to Cash legislation. In February 2024 our Executive Director was appointed Chair of the Governance Working Group of the DPI-safeguards project of the Tech Envoy of the United Nations. This project aims to create global safeguards for digital public infrastructures.

Right after we concluded our work on the EU level, the UN started its project to create a global framework to make digital public infrastructures safe. We participate in this project with our Executive Director who was in February 2024 appointed Chair of the Governance Working Group. Such systems have become common around the world and very often we see them being abused against vulnerable parts of society or with negative privacy consequences for the whole population. Since global institutions like the world bank and foundations are promoting digital public infrastructures and also push for their inter-operability, we hope that this project can highlight the risks that these systems bring and increase the safeguards for them. The final report is expected by end 2024 and some sections about digital public infrastructures are expected to be added to the Global Digital Compact.

The European Digital Identity Wallet is a powerful, general purpose technology for identification, authentication and attribute verification of natural and legal persons vis-à-vis public authorities and private companies, online and offline. In practice, every EU country will provide such a wallet as an app for smartphones with which their citizens can prove their name, date of birth, family status, financial situation, educational degrees or COVID-19 vaccination status to others in a legally binding way. It will also be mandatory for large online platforms like Facebook, Amazon or Google to support this system. E-government services, banks, energy providers and public transport services will also be obliged to use it. By 2030, the European Commission aims to have 80% of EU citizens use the system. The industry interest in this reform is huge as they no longer need to expend considerable resources to verify their customers (KYC) by themselves.

READ THE BLOGPOST
 

In 2017 the legal basis for the ID Austria system was created in national law. Back then we already pointed out some of the flaws in the systems and called for a change. Many of these demands could later be added to systems that are build on top of ID Austria, but the underlying architecture remains at odds with privacy-by-design. The current debate is mostly about ID Austria becoming a mandatory system by forcing certain groups in society to use it. No technical system should be a precondition for obtaining essential government services or information from employers. We have collected such cases and brought them to the media's attention, in order to create pressure for a right to choose for everyone. You can read our analysis of ID Austria (DE) and several of the adjacent systems in our blog and in our media appearances.