The European Data Protection Supervisor (EDPS) has published its opinion on the European Commission draft Regulation on electronic identification and trust services for electronic transactions in the internal market. The proposed Regulation is expected to enhance trust in pan-European electronic transactions and to ensure cross-border mutual recognition of electronic identification, by enhancing current rules on e-signatures and by providing a legal framework for electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication.
Electronic identification schemes and trust services raise significant data-protection issues stemming from the processing of personal data. The EDPS supports the proposed Regulation as a method of harmonising data-protection principles and contributing toward mutual recognition and acceptance of electronic trust services and identification schemes. The EDPS has, however, made several recommendations to increase harmonisation and interoperability, such as a common set of security requirements and clarification of individuals’ rights of access and to be informed.
The proposed Regulation leaves wide discretionary powers with the member states to create electronic identification schemes, and the EDPS recommends adopting a common set of conditions to be applied for the use of national identification schemes across borders.
In relation to the requirements for a mutual recognition scheme for electronic identification schemes, the EDPS recommends that the proposed Regulation specify: (i) which data or categories of data will be processed for cross-border identification of individuals, and set data minimisation goals; (ii) a common minimum safeguard level proportionate to the risks involved and at least compliant with the requirements set forth for the providers of qualified trust services; and (iii) a set framework for the interoperability of national identification schemes.
In relation to the requirements for the provision and mutual recognition of electronic trust services, the EDPS recommends that the proposed Regulation specify: (i) if personal data will be processed and, if so, the data or categories of data to be processed so as to assess data protection implications; (ii) appropriate safeguards to avoid any overlap between the competencies of the supervisory bodies; (iii) that notification requirements for data breaches be consistent with those in the e-Privacy Directive; and (iv) the setting of specific time limits for data retention.