The European Digital Identity Wallet

Introduction

This brief is part of a broader project examining identification technologies and migration conducted by Caribou Digital, University of Virginia, and Queen Mary University of London with support of the Robert Bosch Stiftung GmbH. 1 Digital identity proponents regularly claim that innovations like self-sovereign identity are privacy-preserving and empowering for otherwise undocumented or ‘invisible’ populations. Similarly, a new class of emerging applications commonly referred to as ‘digital wallets’ are said to give users more control over their personal data, including in cross-border contexts, and thereby correct historic power imbalances between the vulnerable and authorities. This project interrogates these claims.

At a basic level, a digital wallet is an electronic method of storing, managing, and exchanging money and/or identity credentials, often through the use of mobile phones. The digital wallet model proposes to reformulate institutional arrangements, governance models, privacy protections, patterns of authority, and the very landscape of trust surrounding digital identity and payment.

This project aims to assess the inclusionary and exclusionary dimensions of digital wallets for migrants and produce a set of policy and design recommendations to ensure that the development of wallets supports migrants’ needs. It is particularly oriented around current EU efforts to develop a digital identity wallet, as well as emerging open-source standard-setting initiatives, and aims to provide inputs to ensure that these developments consider migrant needs.

As part of the project, the research team commissioned an expert analysis of the European Digital Identity Wallet to inform stakeholders and others on this key initiative.

Five key takeaways for policymakers

1. Digital identity wallets are an emerging innovation in digital identification, but are only at the pilot stage of implementation. There is a lot to learn from these pilots and attention should directed to emerging insights and outcomes.
2. The European Digital Identity Wallet scheme is significant for people outside the European Union, as it has the potential to set global standards for identification because of the EU’s standard-setting power (i.e., the ‘Brussels effect’).
3. Digital identity wallets, like all technologies, are shaped by politics and ideologies. The details of their design matter and have significant implications for specific groups, especially vulnerable ones.
4. Digital wallets are more than technologies—they require an ecosystem of policy, institutions, and technologies to function. From specifying relying parties to technological exclusion, factors outside the technology itself shape how technologies are used and misused.
5. For digital identity wallets to be inclusive and mitigate risks, especially around surveillance, privacy, and data protection, policymaking must be responsive to rights advocates and civil society. Inclusion and accessibility barriers include amplification of digital exclusion through expensive smartphone requirements, failure to consider solutions that address relationships of dependency and care, common use of non-accessible technologies (such as biometrics and QR codes), and implications for populations who lack existing proof of nationality or legal residence (i.e., stateless and forcibly displaced people).

EU Digital Identity Wallet: An overview

The European Digital Identity (EUDI) Wallet is an ambitious new digital identification infrastructure that was proposed by the European Commission in 2021. Its main aim is to provide European citizens, residents, and businesses with a means to access public and private services across the European Union (EU). 2

As such, it aims to make it easier for European citizens and residents to identify, verify, and authenticate themselves in member states other than their own. 3 The eIDAS (Electronic Identification, Authentication and Trust Services) Regulation and accompanying Architecture Reference Framework lay out the legal scope and specifications for a wallet app, which can be downloaded onto smartphones. On this app, individuals will be able to store digital equivalents of official documents and other identity-related data. 4 This includes various types of credentials, such as university degrees, health information, transport tickets, and mobile driver’s licenses. 5

The EUDI Wallet comes at a time of increasing public and regulatory scrutiny of the harvesting and sharing of personal data. As such, one of its main promises is that users will be able to choose which personal data they would like to release in a given transaction. 6 In her 2020 State of the Union address, President of the European Commission Ursula von der Leyen summarised the raison d’être of the wallet as follows:

‘Every time an app or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how.’ 7

This statement underlines the fact that the EUDI Wallet aims to be more than just a means to access e-government services—it will also allow access to private services, including those online, such as the so-called ‘Very Large Online Platforms’, like Meta (Facebook), Amazon, or Booking.com. 8

While the legislation for the EUDI Wallet is established at the EU level, it will be the responsibility of EU member states to provide their citizens, residents and businesses with a wallet. 9 In practice, this means that each member state will have to certify wallets and offer them to their population for free. 10 While the previous iteration of the European-wide identification scheme (eIDAS) was voluntary, under EUDI Wallet legislation, it will be mandatory for member states to provide a wallet. Importantly, using the wallet will not be mandatory; prospective users can decide whether they want to use one or not, and services should be equally accessible for those not using the wallet. 11

Regional and regulatory context

The EUDI Wallet fits into the classic European goal of market integration. It also reflects the ambition to move (crucial) services online. Digitising society is part of a larger ambition of the European Commission. For example, the so-called ‘digital decade’ framework sets targets for innovations that need to be accomplished by 2030, such as access to digital ID and online medical records for all EU citizens. 12 The European Commission has also been taking a stance against big tech. For example, it has emphasised its ambition for digital and technological sovereignty 13 and to become a global leader in the data policy space. 14 Also, the growing influence of big tech companies in the identity sphere is likely playing a role in the development of the EUDI Wallet.

The EUDI Wallet builds on an older digital identification project; the original eIDAS Regulation was proposed in 2014 and entered into force in 2018. Because uptake of the first eIDAS regulation was limited, the European Commission proposed to revise and expand the regulation, now known as ‘eIDAS 2.0’, including the concept of the EUDI Wallet. 15

One reason given for the expansion of the scope of the regulation is that the first version did not include private sector services. 16 The fact that the private sector was previously unable to connect to the system was seen as an obstacle to the functioning of the single internal market. 17

A ‘wallet’ turn?

This corresponds to larger changes in the digital identity space, which is currently seeing a shift towards wallet-based solutions. 18 In recent years, there has been an increasing emphasis on user control and decentralisation (as opposed to big, centralised databases that contain large quantities of data). Wallet-based technologies are often touted as a solution to the control that powerful actors—both states and companies—have over personal data. Often these solutions are framed in terms of accessibility, ease, and, in the case of decentralised solutions, ‘empowerment’.

The sector-wide shift to (different types of) wallets has caused some friction as well. The company or state that is able to develop a widely adopted wallet will likely have significant influence on the wallet landscape and beyond. 19 Most notably, American big tech companies like Apple and Google are working on expanding their own wallets beyond the payment function. This is exemplified by the partnerships that both Apple and Google have with various US states to include a mobile driver’s license in their wallets. 20 The EUDI Wallet can thus in part be seen as a reaction to these commercial wallets, as it aims to provide an alternative to private sector–led solutions, which are increasingly encroaching on public service delivery. In addition, an often-mentioned issue is that identities created by big online platforms are increasingly used as default identities, which are then subsequently used to verify identities for other services on the internet (for example, using a Google account to access other services 21 ). This initiative also comes at a time of increased criticism of big tech companies and (other) online platforms and the ways in which they process data for profit. 22

The EUDI Wallet aims to speak to these data challenges by giving wallet users more control over their personal data and identity. This aligns with the goals of self-sovereign identity (SSI) technology. However, the European version includes specific safeguards and limitations; for example, so-called ‘relying parties’ (the entities that will ask for identification information through the wallet) are required to register before they can be part of the EUDI Wallet ecosystem. 23

Self-Sovereign Identity (SSI)

SSI is a digital identity model that aims to provide individuals with a digital identity that is portable across contexts. 24 The idea behind SSI is to take away power from the entities that create identities for people (e.g., social media networks). Similar to the EUDI Wallet, SSI wants to ‘put people back in control’ over their data and identity. The most extreme version of SSI is based on rather libertarian ideals and shares ideological roots with the blockchain and cryptography movements. 25

There are concerns as to whether the EUDI wallet will completely rectify the control problem. Users will not have unlimited control over their data—they will still need to share the minimum amount of data necessary for a given transaction. For example, when an individual would like to open a bank account, the bank will still be required to ask for the information needed to complete Know Your Customer (KYC) and Anti Money Laundering (AML) checks. On the flipside, wallet users will be given the control to decide whether they would like to release additional data, on top of the information required.

Timeline

After the EUDI wallet was initially proposed in 2021, a consultation period followed. This project is being realised at a high speed, especially for such large and EU-wide process.

Large-Scale Pilots

In order to test different types of use cases, the European Commission launched a call for pilot projects in February 2022 and selected four: the EU Digital Identity Wallet Consortium, the NOBID Consortium, Potential, and DC4EU. These are led by consortia consisting of both private and public sector actors primarily located in European member states. The projects were launched in May 2023 and will run for two years. 26 The pilots span banking, education, travel, and health, and primarily focus on use cases within the EU and a selected number of partner states (such as Ukraine and Norway). Certain functions, particularly travel and border-crossing, have future implications for applications outside the EU as well.

EU Digital Identity Wallet Consortium (EWC) This consortium focuses on travel. The objective is to provide a streamlined experience for the traveller, where they can book and pay for a ticket, use credentials to check in, store the downloaded ticket, and use the wallet to cross borders. 27 This project works on integrating two previously different kinds of wallets: payment wallets and wallets that store credentials. The consortium has 60 members from all EU member states, Norway, the UK, and Ukraine. Among them are corporations such as Visa Europe Limited, airlines such as Finnair, and public sector institutions such as the Ministry of Digital Governance in Estonia. 28

The NOBID Consortium focuses only on digital payments. Its objective is to test the authorisation of payments by wallet holders, as well as examine the issuance of wallets and financial institutions’ provision of payment. 29 Both the consortium and the European Commission mention the possibility of extending this project to facilitate the Digital Euro (currently under development). 30 This consortium is led by public and private entities from six member states and defines itself as a set of Nordic and Baltic countries together with Italy and Germany. It includes banks, such as DNB, but also tech multinational Thales and Signicat Identity Solutions. 31

Potential The Potential consortium looks at six different use cases: e-government, opening bank accounts, SIM card registration, mobile driving licenses, qualified e-signatures, and e-prescriptions. The goal is to make all of these services accessible across (internal) borders, allowing citizens and residents to, for instance, set up bank accounts or fill prescriptions in all member states. 32 The consortium consists of members from 19 member states and Ukraine and has 140 partners, including IDEMIA Identity & Security France, Vodafone, and the Deutsche Bank. 33

DC4EU The DC4EU consortium engages with educational and professional credentials, as well as portable documents for social security: the A1 document and the European Health Insurance Card. 34 The consortium’s main aim is to test the interoperability of these credentials both nationally and internationally (but within the EU). Public and private actors from 20 member states as well as Norway and Ukraine are participating in this pilot. They include universities, notably eight Spanish universities, public sector entities, such as the Ministry of Digital Transformation in Ukraine, and social security actors, like Belgium’s Crossroads Bank for Social Security. 35

Summary of the Architecture Reference Framework

The Architecture Reference Framework (ARF) specifies the technical underpinnings, guidelines, and best practices for the European Digital Identity Framework. Such a framework is necessary because there will be more than one wallet: member states can develop their own wallet or certify a wallet developed by a private provider, as long as it meets the criteria established in the ARF. In addition, member states can decide to make the wallets that they developed or certified available to citizens and residents from other member states. Therefore, the EUDI Wallet project is likely to create a new market for digital identity wallets.

The ARF also forms the basis for the Large-Scale Pilots, which will in turn provide feedback on the ARF. The document is continually updated and will be aligned with the final outcomes of the legislative process. The Expert Group, which includes representatives from all EU member states and works on the ARF, published the initial version in January 2023 and the most recently updated version in February 2024. This section summarises the ARF to date. 36

Blueprints for use cases are the basis of the ARF. The initial blueprints were the mobile driving license; health and educational credentials, and professional qualifications; digital finance; and digital travel credentials.

The ARF lays out the digital wallet ecosystem, defining its different actors (such as wallet users, wallet providers, and relying parties) and the roles they play in this system. For example, it specifies that ‘relying parties’ are the natural or legal persons or parties that rely upon electronic identification. (In other words, they are the entities, such as states or companies, that request identifying information.) An important concept to mention here is ‘trusted lists’, which provide information about different actors in the ecosystem and are, for example, a place where one can check whether a credential issuer has been verified and can therefore be trusted. In order to be put on the trusted list, a party that wants to be part of the ecosystem will need to register. At the time of writing, this registration process has not been specified, and the ARF states that more information is to follow.

The ARF also establishes the ‘life cycle’ of the key concepts. An important concept here is personal identification data (PID), which is the core identifying data about a person. The current mandatory attributes are the wallet’s status is still ‘operational’ even when the PID has not been validated. This means that it can still be used for things like loyalty cards or other attestations that do not require binding to the PID.

Another important concept is (Q)EEA, Qualified and Non-Qualified Electronic Attestation of Attribute. Simply put, these are the pieces of information within a credential (e.g., a passport number within a passport credential 37 ). The ARF includes specific requirements of what the PID and the (Q)EEAs must include, how they must be formatted, and how they must be issued.

The ARF also specifies design choices, such as the technological standards that are to be used, as well as software protocols, additional components (such as external hardware), and ‘flows’. The document states, for example, that there are both ‘proximity’ and ‘remote’ flows, where the first concerns the exchange of data when devices are close (and are thus done through, e.g., Bluetooth or QR codes), and the second concerns the exchange of data over the internet.

The ARF also specifies how the certification procedures should work: member states are required to designate accredited Conformity Assessment Bodies, which will assess the conformity of the wallets against the implementing acts. In other words, these bodies will look at whether proposed wallets are in accordance with the legislation, and can therefore be certified to be used by the public. This process should be harmonised between states.

Politics and controversies

The wallet can be seen as part of a larger political objective—though, as the negotiations between the Commission, Council, and Parliament happened largely behind closed doors, it is difficult to determine whether there are particular member states that significantly promoted this project. What can be observed, however, is differences in approach by the presidencies of the Council of the EU. For example, the French presidency (January–June 2022) suggested implementing the principle that relying parties will have to register and inform national authorities of the use case and the data required. The Czech presidency (July–December 2022) reversed this, leaving the registration process up to the discretion of individual member states. 38 Similarly, the Swedish presidency (January–June 2023) put its stamp on the file by emphasising the importance of internal security and coordination between different digital policies (including the EUDI Wallet) and bodies. 39  Throughout the development process, different strands of criticism have emerged.

Civil society concerns

Digital rights organisations (largely coordinated by Epicenter Works, an Austrian digital rights organisation) have warned of several potential dangers arising from the wallet. These include:

• Central surveillance and ‘observability’, which refers to the risk that powerful actors such as states could be able to track and observe all users’ attributes and interactions. 40
• Risks introduced by different quality smartphones, potentially putting low-income users at a higher security risk.
• Concerns about a non-discrimination clause (ensuring that the wallet is not mandatory). 41
• Risks of data-sharing—the EUDI Wallet will contain an unprecedented amount of personal data, thus it is essential to have safeguards in place. 42

Some of these concerns have been addressed in the final version of the legislation; among other things, it does include non-discrimination protections, the registration of relying parties (which are required to indicate which data they need), and selective disclosure. However, there are still concerns that governments can keep tabs on their citizens in unprecedented ways. 43 An open letter with over 500 signatories (as of November 2023) expressed concern about the possibility of profiling and governments’ ability to intercept web traffic. 44

Unique and persistent identifier

Civil rights organisations, politicians, and the technical community have expressed concerns about the use of a unique and persistent identifier in the wallet. The proposal initially included a requirement for a set of data that would persistently identify individuals—meaning that this identifier is unchangeable and would stay with them for a lifetime. 45 The European Commission argued this identifier was necessary to ensure interoperability between member states, as well as with the private sector. 46 The main criticism of the identifier was that it would allow actors (such as states) to link different types of data together and over time establish a full profile of an individual. 47 Such identifiers are unconstitutional in Germany, and it would be illegal for the government to use one identifier to track its citizens across databases in the Netherlands and Austria. 48 In response to the controversy, the EU Commission changed its position, referring to ‘identity matching’ 49 instead of ‘unique identifier’. 50 However, the legislation does not specify what ‘identity matching’ would entail exactly. Responses by the European Commission indicate that identity matching is interpreted as record matching. Critics have pointed out, however, that this method might be more error prone, as databases might be held by different entities and people would need to have enough identical data points in these different sets. This method could also be more vulnerable to hackers as it uses more sensitive data. 51

Pushback by regulated industries

In addition to concerns about individual privacy, industry actors have also expressed concerns, in particular those in the banking and financial sectors. The European Banking Federation has called on the European Commission to reconsider the legislation’s wording, which they believe implies that the payment sphere will be fully included in the EUDI Wallet on a mandatory basis. This, they argue, would incur large unforeseen costs, as it could mean that systems, such as (over 15 million) payment terminals and web pages, would suddenly need to be changed and/or upgraded. As such, they request that the use of the wallet for the ‘full payment cycle’ should be ‘voluntary’. 52

Technical debates

There are also technical concerns. Mozilla expressed concern that, if QWACs (Qualified Website Authentication Certificates) become the new standard website certificates, they would reduce the safety of the internet. QWACs are of a lower security standard, which could mislead users as they might mistakenly think that they are on a safe website, thereby putting sensitive data at risk. 53 A second debate emerged around the levels of assurance, which determine the ‘degree of confidence in the claimed identity of a person’. 54 While the initial proposal distinguished between ‘low’, ‘substantial’, and ‘high’ assurance, a later version removed the ‘substantial’ level. This prompted a response from the technical community, which argued that it would disqualify many existing eID schemes, such as the existing French system, that do not offer the highest level of assurance. 55

Inclusivity to migrants and other marginalised populations

The EUDI Wallet is, as it stands, designed for European citizens and residents. As such, migrants who do not have an official status are not reflected in the policy and technical architecture. While residents with a permit should be able to access the wallet, others, without such papers, are likely to be excluded. While the legislation does include a non-discrimination clause, which specifies that non-digital alternatives must be made available for those who cannot use the EUDI wallet, 56 practice will have to show whether the wallet becomes the de facto default option. In a recent report, the International Organization for Migration (IOM) includes a brief section on the EUDI Wallet. 57 This report flags that, to date, the identification mechanisms for migrants in the European Union are primarily organised at the national level, which means that there are disparities in the access that migrants have to e-government services. 58 While the report does not assess the EUDI Wallet in depth, it tentatively suggests that the specificities of credentials issued to migrants, as well as the registration process for the EUDI Wallet, should be considered. 59

As migrants have not been considered in relevant policy, it is unclear, for example, if and how they would be able to get access to the PID, which is, simply put, a foundational identity credential. As this foundational information is issued by member states (i.e., on the national level), it is not clear which institution would do this for migrants. Furthermore, as the formatting is harmonised and implemented at a European level, it is currently unlikely that migrants’ home countries would be able to issue this information in a compatible format. This is important, because the PID is necessary to obtain access to services that require binding to this identification data—which essential services likely will.

Smartphone access may also limit the access that certain migrants—and the significant percentage of European citizens who do not own a smartphone— have to the EUDI Wallet. The ‘high’ level of assurance, which guarantees a large degree of confidence that the person using the wallet is indeed who they claim to be, will likely require a type of hardware for smartphones that is not yet available. While new smartphones are likely to be brought to market by the time that EUDI Wallets are widely available, 60 it is probable that this will limit accessibility, as people without financial or technical smartphone ownership in the EU was only 81% of the population. 61 This is important to recognise, as phones that are unable to support ‘high’ assurance will likely face barriers to access, and therefore essential services, as the ARF and legislation state that the EUDI Wallet will be ‘issued under a notified electronic identification scheme of assurance level “high.”’ 62

Other dimensions of digital wallet design that may further marginalise or exclude already-marginalised groups (such as immigrants, people with disabilities, and people with low socioeconomic status) include digital wallet designs that fail to consider relationships of dependency and care and the use of technologies with recognised accessibility issues, such as biometrics and QR codes.

Legislative barriers also have the greatest implications for populations who lack existing proof of nationality or legal residence, such as stateless and forcibly displaced people. These groups often struggle to obtain an officially recognised ID because of difficult legal requirements to prove their nationality, legal residence, and/or right to refugee status. 63 As such, well-meaning designs of digital wallets for migrants such as rWallet 64 often make the naïve assumption that they can offer a legally valid digital identification tool while overlooking the legal and policy barriers that prevent the same populations from accessing physical forms of ID.

Future steps

Although there are estimates that wallets will be available by 2027, some have already suggested that the EUDI wallet could be a model for future digital identity initiatives in other (non-EU) countries 65 —even as other countries are promoting their own models (e.g., India’s Aadhaar, Singapore’s Singpass, Italy’s digital identity system, and different US driver’s licenses 66 ).

The eIDAS framework has recently been approved by the European Parliament. It will have to be formally approved by the EU Council of Ministers before it becomes law. 67 Once these institutions have formally adopted the regulation, there will be 6 to 12 months to define and adopt the Implementing Acts (to implement law in EU countries) and Delegated Acts (to supplement the original legislation). These acts are based on the ARF. 68 There are expected to be 45 Implementing Acts and 3 Delegated Acts. 69 After these have been adopted, EU member states will have 24 months to provide their citizens with a wallet. 70

Therefore, while the main regulation is unlikely to change at this juncture, there may still be opportunities to influence the Implementing and Delegated Acts. In addition, while the Large-Scale Pilots are establishing the initial use cases, there will be the option to extend the scope of the wallet. As the IOM report also suggests, it might be worthwhile to consider a credential for migrants, or ways in which migrants could register for the EUDI Wallet. 71 As neither has yet been developed, this may also be an area in which contributions are needed.