Digital identity in a new era of data protection
16 Apr 2018 16:30h - 18:30h
Event report
[Read more session reports from the UNCTAD E-Commerce Week 2018]
This session focused on the evolution of the digital economy, which requires individuals to be able to assert their identity in order to participate in it, both on the national and international level. Furthermore, the sustainable development goals (SDGs) provide the target that all people will be able to obtain a ‘legal identity’ by 2030 (SDG 16.9). However, nearly 1 billion people are still unable to prove who they are. It must be noted that to achieve this goal, the role of data protection must be reinforced.
The session was moderated by Mr David Satola (Lead Counsel, World Bank) who addressed the aspect of ‘Setting the stage: UN SDG 16.9 requirements and current international trends’. He framed the target of ‘legal identity’ as contextualised in the rule of law; however, he stressed that a comprehensive definition is still to be found. He also recalled the work of the World Bank on digital identity, based on the following aspects: thought of leadership and analytic work; global convening and platforms; and country engagement. It is indeed crucial for the ID Enabling Environment Assessment (IDEEA) to set the legal framework supporting both the enabling and the security sides.
The second speaker, Ms Anna Joubin Bret (Secretary, United Nations Commission on International Trade Law (UNCITRAL)) argued about ‘Developing a Global Legal Response’. She said that the Engineers of the World (IdM) can support international trade and better identify actors and goods. Identity management should be contextualised in a broader framework. It applies to natural and legal persons and to physical and digital objects. Furthermore, there are different types of IdM systems: commercial-driver or government-driven; centralised or decentralised. The traditional approach to IdM (witnesses, signatures, and seals) require a new updated identity management tool. Eventually, it can require government-issued identity credentials based on civil registration and vital statistic registries or designed for other purposes. Moreover, third parties could be involved, for example notaries. On the level of policy implications, IdM could pursue:
-
E-government and commerce
-
E-government only
-
Cybersecurity
With this regard, she recalled the Organisation for Economic Co-operation and Development (OECD) report on ‘Digital Identity Management’. Finally, recalling the need of interoperability of ID schemes, she addressed the extent of their use. There is a need to identify a common definition, to ensure that there is a level of mutual recognition achieved through the scheme. Thus, key objectives that should be considered are:
-
technology neutrality,
-
non-discrimination and observance of the national and international law.
The third speaker, Mr Chris Watson (Partner, CMS Cameron McKenna, London) addressed the ‘GDPR Impact on Digital Identity’. He argued that the EU General Data Protection Regulation (GDPR) is related both to public and private international law, and structured his argument analysing the main implications for institutions that design ID systems. He stressed that the wording is similar to the anti-trust regulation, and that the rules will be applied de facto to all the types of data that pass or may pass through the European Union. Thus, extra-territorial effects feature in it. The GDPR protects data subjects in the Union, which means not European citizens or residents but all people whose data passes through Europe. It covers all industries and bodies and governments. Governments will have some form of liability and penalties for damages. The GDPR applies to ID systems and operators especially in international transfers of data. It has to comply with how these data are treated, for what purposes and the mechanisms for protecting the sensitivity of such data. Indeed, the ID system designer needs to consider the GDPR principles before creating system.
The fourth speaker, Ms Wafa Ben-Hassine (Policy Counsel of MENA, Access Now) talked about ‘prioritising users’ human rights in digital identity programmes’. She stressed that it is essential to frame questions of digital identity in the context of the SDGs and the human rights principle (especially, but not limited to, inclusiveness) behind them. The main topic today is about building a digital infrastructure that will last forever, keeping in mind that personal data of people can be weaponised. Many of the digital ID programmes use biometric data that are completely unchangeable. However, it must be noted that ‘legal identity’ does not coincide with ‘digital identity’. On the extension of the use of digital identity, she argued that extension can perpetuate patterns of surveillance and it is crucial to consider data protection at every level: conceptualisation, implementation, and continuation. Finally, she proposed possible solutions through the integration of human rights, human rights impact assessments, and stakeholder engagement, including users. Digital identity systems rely on personal data, so it is crucial to implement the protection of data.
The last speaker, Ms Victoria Saue (Head of Risk and Compliance, e-Residency Programme, Estonia) addressed the aspect of ‘Country Experiences: EU eIDAS (Trust Services)’. Her speech focused on the Estonia example that she defined as ‘the most advanced digital society’. She explained the X-Road system used in data management, based on the feature that all data is signed, encrypted, and locked. Underlining the lack of centralised databases, she explained that data is stored where it has been created. An electronic ID is mandatory for every Estonian citizen or resident. It is characterised by a chip with two certificates: one for identification purposes and one for the digital signature. Furthermore, Estonia introduced e-Residency: a secure digital identity for everybody in the world interested in running a location-independent business online. It must be stressed that it does not represent an identity document; however, it is a crucial benefit for businesses.
By Stefania Grottola