As society adjusts to the demands of our digital world, one thing is clear: governments and companies need a structured and measured approach to digital identity and its management – an approach that is consistent and trustworthy enough to ensure public and private sector organisations handle information responsibly. But different governments have different visions of what identity is, and how it should be managed. So, can guidelines and regulations deliver the privacy and data protection frameworks today’s needed today, without putting the brakes on innovation tomorrow?
Regulation or guidance? What works at a global level?
Unlike a regulation, a guideline is never mandatory, binding or enforceable; it simply provides a recommendation, direction or suggestion for best practice. Take, for example the recent eIDAS regulation. This now mandatory framework aims to manage digital identities and access across Europe also includes a set of guidelines to support various EU governments in the implementation of processes and technologies to achieve compliance with the regulation. Adopted in July 2014, eIDAS represents a milestone for the EU, laying down a predictable legal framework for people, companies and public administrations to safely access services, and transact online and across borders, in just ‘one click’.
The hope is that, in due course, a globally consistent approach to identity provision will emerge. The passport system, regulated by the ICAO (the International Civil Aviation Organisation), has demonstrated how international collaboration and interoperability on a global scale is achievable. As passports become increasingly ‘smart’ and digital, there’s no reason to believe this will not be the case for managing digital identity.
To date, however, the majority of digital identity management regulation has been developed regionally – take eIDAS, which enable the mutual recognition of citizenship and enable greater ‘borderless’ transactional integration across the EU only.
Yet, despite the enforceable nature of eIDAS, differences in national ‘perceptions’ present stumbling blocks. For example, Germany may rate a service as needing a high level of security access, while elsewhere in the EU access to the same service may only require a medium security level. This difference in rating may inhibit the ability of citizens from outside Germany when it comes to accessing this service.
The relationship between state and private data and identity protection
With the identity landscape is in continuous motion, and territories like the EU are pursuing initiatives such as the General Data Protection Regulation (GDPR), how do global companies navigate these regional identity requirements? Company identity requirements, for example, are often based on a local context – reflecting the laws of the territory in which the organisation operates. And while they will issue their own credentials to users, many will be based on government-derived credentials.
For example, banks require consumers use a passport or birth certificate to demonstrate identity. The acceptance of ID credentials issued by trusted third parties such as governments is commonplace in the enrolment process utilised by companies when issuing their own credentials. Global firms like Samsung, Apple and Google utilise government and banking credentials ‘second hand’ as a means to confirm identity, before generating their own security credentials for service users.
There have been some efforts to create private sector worldwide identity and authentication systems, such as FIDO (Fast ID Online). But the success of these schemes relies on the universality of user acceptance and their ease of use.
The impact of the EU-US ‘Privacy Shield’
Let’s turn now to the EU-US ‘Privacy Shield’, the new transatlantic data pact that replaces the previous Safe-Harbor agreement. Will it bring added protection to the online data of EU citizens?
While bilateral agreements such as this certainly expand the ‘perimeter’ of protection for the personal information of European citizens connected to a US based organisation, there remains doubt over the overall effectiveness of such provisions. Especially as the main enforcers of the framework will be the US Department of Commerce and the US Federal Trade Commission who resisted EU pressure for a greater role for European data protection authorities in enforcing the pact.
So we come back to the questions of vision and definition – which, as we have seen, differ between countries. So, the question ‘what is data protection?’ is the first crucial point. If there’s agreement between bi-lateral partners, then the next step is to develop a framework that assures protection. Only once this is in place, implementation policies can be agreed. But the current challenge with the Privacy Shield is that the first question is still being debated. Get past this, and how to take and data protection further can be explored.
It’s not just the question of definition. It is also important to look at information models. In the Safe Harbor scenario, it is unclear how much influence the US administration has over major online companies whose businesses are built on data capture and dissertation. If they can’t protect at home, then the Administration can’t be expected to assure protection of either incoming or outgoing citizen data.
A financial warning for data regulators
But perhaps the biggest issue in cracking global identity and data protection questions are territories that ignore or stand outside the accepted regulatory environment. No starker warning can be given to governments and regulators looking to develop global compliance than the global crash of 2008.
Here, in arguably one of the most heavily regulated industries – the global banking sector – it would appear incidences of non-compliance were rife. The presence of secretive off-shore havens that appear to pay little head to, or work directly against, international money laundering regulations illustrates the potential problems posed by ‘information havens’. And not just off-shore. Many onshore institutions were found to be guilty of malpractice – and many have since paid the financial and regulatory price.
Digital identity management is fundamental to further development of the digital economy. Around the world, national policy makers are being urged to develop efficient framework conditions for innovation across the public and private sectors, while enhancing security, privacy and trust. While the need for technical interoperability standards are recognised and understood, wider issues relating to the definition and scope of data protection and enforcement when it comes to federated or international standards and schemes still remain.
About Frédéric Trojani
Frédéric Trojani is Chairman of the Board of the Secure Identity Alliance, the Alliance which brings together public, private and non-government organizations to foster international collaboration on Digital ID challenges . The Alliance includes the leaders in security technology and three Government agencies (BMI – Germany, Dutch Ministry of Interior and EIDA, UAE).
About Secure Identity Alliance
The Secure Identity Alliance supports worldwide economic growth and prosperity through the development of trusted digital identities and the widespread adoption of secure eServices. The Alliance offers support and expertise to allow government agencies and other public bodies to implement their digital ID projects and realize the wide range of economic, public health, electoral and sustainability opportunities offered by the shift to digital service provision.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now