Governing the digital ID – How Germany and the EU plan to reclaim our digital sovereignty
The implementation of digital identity schemes at the national level offers huge economic potential for countries. According to one study from McKinsey Global Institute, countries that implement a digital ID scheme can boost their gross domestic product by 3 to 13 percent by 2030.[1] But beyond economic potential, questions about the future of digital identity encompass larger political and social debates. As a unique representation of our attributes in the virtual space, such technologies offer a great degree of control over individuals and organizations. Moreover, “digital identity determines what products, services and information we can access – or, conversely, what is closed off to us.”[2] Hence, questions about who controls and governs the digital identities of individuals, machines, or organizations are foundational to the constitution of the future society.
It is therefore no surprise that the EU has declared digital identity a strategic technology on its agenda to strengthen European citizens’ “digital sovereignty,” their ability to act independently in the digital sphere and in control of their own data. In her State of the Union Address in September 2020, European Commission President Ursula von der Leyen announced plans for a “secure European e-identity.” This “EUiD” would be “one that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data and how data is used,” she promised.[3]
Her statement points to two major challenges that the EU faces. First, creating a true single digital market requires citizens, organizations, and machines to be able to identify themselves online across borders and across sectors, no matter where they are based or which service provider they want to use. Identities need to be intuitively usable, scalable, and grant effortless access to a wide range of public and private services. Second, the data involved in identification and authentication processes are highly personal and require adequate levels of data protection and IT security.
Yet, despite regulation to enable the mutual recognition of electronic identity systems in the EU – via the so-called eIDAS Regulation – the European identity landscape resembles a patchwork of different national and sectoral solutions. Some EU member states have highly advanced national digital identity schemes, some have none at all. Moreover, interoperability and security standards only exist for the use of identity systems in the public sector, but not across different sectors, such as healthcare, e-commerce, or banking.[4] At the same time, Europe needs to provide competitive alternatives to the “single sign-on” solutions of American tech giants Facebook, Google, and Apple, which offer easily usable cross-service logins via their platforms. The EU is announcing an overhaul of the related legal framework as this goes to press.
Somewhat surprisingly, Germany has launched two strategic digital identity initiatives at once. The country’s initiative seems counterintuitive at first, since Germany is one of the EU’s less successful nations in terms of society-wide digitization. In contrast to (much smaller) countries like Denmark or Estonia, where the government-issued digital identity solution is used by more than 95 percent of the population, only 6 percent of German citizens used the eID function of their identity card in 2020.[5] Germany’s national eID card fulfils some of the highest IT security standards but has been notoriously cumbersome to use for end users as well as for third-party services. Private identity solutions have not established themselves as comprehensive nation-wide solutions. Fragmented legal requirements and standards for identification at national and European levels exacerbated the problem. The inability of either the government or private identity providers to solve the problem by themselves demonstrated that no one solution could be successful by itself. A successful national digital identity requires the cooperation of the public and private sectors within a common governance framework.
Under mounting political pressure in the context of public sector digitization, Chancellor Angela Merkel herself took up the matter in December 2020. Together with business leaders from tourism, mobility, banking, and e-commerce, she outlined a strategy to build an ecosystem with standards for the exchange and storage of digital credentials. The ecosystem will be based on a so-called “self-sovereign identity” (SSI) approach. With SSI, individuals can control and manage their digital identities via a “wallet” application on their smartphone. It is based on a decentralized trust infrastructure, which is referred to as a distributed ledger or “blockchain.” The decentralized approach guarantees that no central authority has an overview of the system in which proofs of identity and certificates circulate between people, companies and, at some point, things. The Chancellery’s project has started with a pilot for the use case of a digitized hotel check-in process and will be complemented by additional pilots in the fields of online banking, telecommunications, and logistics until the pilot phases end in September 2021.
In parallel, the Federal Ministry of Economics and Energy (BMWi) has launched “Secure Digital Identities,” a high-profile showcase program providing €45 million of funding for three digital identity project consortia over a time span of three years, until 2024. The projects are run by public-private consortia involving numerous cities and municipalities, commercial enterprises, and scientific institutions, and focus on the development and broad application of secure digital identities. The program’s goal is to build three broad ecosystems of digital identity, which are all technically interoperable. This allows users to freely choose their identity provider and identity management application. All three projects also focus on SSI approaches relying on users’ mobile devices. The local identity ecosystems emerging from the projects will be tested in so-called showcase regions in Germany.
The two initiatives – one run by the Chancellery and with a time span of a few months only, the other run by the BMWi with a time span of three years – work in close cooperation toward the goal of creating one national ecosystem for digital identities, which is based on interoperable and open standards and will provide the basis for a decentralized ecosystem at the European level.
ESMT Berlin will play an important role in the process. Until 2024, ESMT’s Digital Society Institute (DSI), in partnership with Ernst & Young and the technology consultancy Nimbus, will support the BMWi by researching the political, operational, and technical factors for a successful national and European ecosystem of digital identities, by scientifically monitoring the projects, by communicating the innovative program’s results to the public and stakeholders, and by transferring those results into standardization and implementation. The accompanying research will support the projects by laying the foundation for a networked ecosystem of digital identities that will form the basis for new types of trustworthy internet services throughout Germany. The research office will be based at ESMT Berlin and will regularly publish information and articles about the projects’ progress and the political, technical, and economic aspects of digital identity management at large.