Data protection & digital identification – the current status in Europe
Some of the data protection and digital ID laws we have in Europe now have counterparts in Brazil. Our colleague, Colin van den Heuvel, was recently interviewed about the impact and implications of these laws by the Brazilian website CryptoID. Below is a translation of the original CryptoID article.
Two important laws that recently came into force in Brazil have European counterparts that have been applied for at least two years.
What lessons has Europe learned from that experience?
Technology has many benefits, but a nation's laws need to account for the new behaviours of individuals and society, so that technological innovation does not cause social disruption.
Digital platforms bring practicality, cost reduction and time savings to governments, companies and individuals. But for transactions to be completed electronically, they must give users the same guarantees the analogue world provides, under the same legal conditions: authorship, integrity, authenticity, qualification, confidentiality and temporality (proof of when something was signed).
Nations on every continent are now legislating on the application of technology.
Issues involving privacy and data protection, and how people, devices and companies identify themselves online, are being prioritised.
We spoke with Colin van den Heuvel, Business Consultant at the global company AET Europe, about the GDPR (General Data Protection Regulation) and eIDAS, which deal respectively with privacy and data protection and with the use of identification credentials in digital transactions.
This topic is a current focus in Brazil because two important laws dealing with these issues recently came into force. The LGPD (General Data Protection Law, Law No. 13,709 of 14 August 2018) came into force on 18 September 2020. Law No. 14,063 of 23 September 2020 regulates electronic interaction between public entities and the public, and also introduces definitions and levels of electronic signature.
Law 14.063/2020 is also very important for the private sector because it is the most recent legal parameter since Provisional Measure No. 2,200-2 of 24 August 2001, which regulates the use of digital and electronic identities for signature and authentication and established ICP-Brasil. That measure is almost 20 years old and is expected to be replaced by a specific law better suited to the evolution of technology, and the continuous change in society's behaviour, over that period.
eIDAS established the technical and legal framework that gives electronic signatures legal effect in Europe
eIDAS (Regulation (EU) No 910/2014 on electronic identification and trust services) simplifies and standardises digital identities and electronic and digital signatures across Europe. It underpins the digital single market by ensuring secure digital transactions between European Union (EU) member states and, through agreements under Article 14 of the regulation, with third countries.
eIDAS was adopted in 2014. Most of its provisions applied from 1 July 2016, and mutual recognition of notified national electronic identification schemes became mandatory on 29 September 2018. It was created to guarantee efficient and secure electronic transactions between EU countries, which bring together very different digital economies.
“eIDAS provides the European community with a legal basis for citizens, governments and companies to exchange data with each other in a safe and reliable way. The European Union’s digital framework has established rules and agreements for the recognition of digital signatures. And also, for example, as a citizen, you can authenticate yourself to use the services provided by the government,” says Colin.
AET Europe is an expert in international regulations and develops state-of-the-art technologies for privacy, data protection and digital identification. It has many success stories in several countries around the world, including Brazil, with cryptographic solutions aimed at creating, managing and storing digital identification credentials.
“We at AET Europe provide solutions that make it possible to exchange data in compliance with eIDAS and GDPR regulations. A good example of how our solutions help businesses and governments is what’s called high levels of assurance in eIDAS. In this regulation, there are requirements to guarantee each citizen’s privacy. This necessitates establishing strong authentication for each person to access their own data held by the government or companies. eIDAS determines that organisations storing data have to prove they have the right technical solutions to authenticate their users unquestionably,” says Colin.
According to the executive, one requirement relating to eIDAS's high assurance level is that the application must identify the type of qualified certificate being presented, as well as the device on which its private key is stored.
QSCD – Qualified Signature Creation Devices
eIDAS requires that a qualified electronic signature or seal be created with a Qualified Signature Creation Device (QSCD), certified under Article 30 of the regulation against the requirements of Annex II. Companies and governments offering qualified signatures must therefore use QSCD-certified solutions.
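How does a relying application actually tell that a certificate is qualified and that its key sits on a QSCD, as the two passages above require? In X.509 this is carried in the QCStatements extension (RFC 3739, OID 1.3.6.1.5.5.7.1.3) using the statement identifiers from ETSI EN 319 412-5: QcCompliance (0.4.0.1862.1.1) marks an EU qualified certificate, QcSSCD (0.4.0.1862.1.4) asserts the private key is held in a QSCD, and QcType (0.4.0.1862.1.6) says whether the certificate is for a signature, a seal or a website. The following is an added example written for this page, not code from AET Europe, BlueX or SafeSign. It contains a minimal DER encoder and decoder so that it runs offline with no third-party library; the two extension values it checks are constructed here, not taken from a real certificate, and the relying-party policy in `accepts_qualified_signature` is an assumed policy for illustration.

```python
"""Inspect an X.509 QCStatements extension (RFC 3739 / ETSI EN 319 412-5)
to decide whether a certificate is qualified and whether its key lives on a
QSCD.  Added example for this page, not AET Europe's or any product's code."""

# Real OIDs from RFC 3739 and ETSI EN 319 412-5.
ID_PE_QCSTATEMENTS = "1.3.6.1.5.5.7.1.3"
QC_COMPLIANCE = "0.4.0.1862.1.1"   # certificate is an EU qualified certificate
QC_SSCD = "0.4.0.1862.1.4"         # private key is held in a QSCD
QC_TYPE = "0.4.0.1862.1.6"         # statementInfo: SEQUENCE OF type OID
QC_TYPE_NAMES = {
    "0.4.0.1862.1.6.1": "esign",   # qualified certificate for electronic signature
    "0.4.0.1862.1.6.2": "eseal",   # qualified certificate for electronic seal
    "0.4.0.1862.1.6.3": "web",     # qualified website authentication certificate
}


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                      # base-128, high bit = more follows
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_seq(*items):
    """Wrap already-encoded TLVs in a DER SEQUENCE."""
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:                                 # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to a dotted string."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_qc_statements(ext_value):
    """Map statementId -> raw statementInfo bytes (or None) from the extnValue DER."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        t, stmt, pos = _read_tlv(body, pos)
        if t != 0x30:
            raise ValueError("QCStatement must be a SEQUENCE")
        ot, oid_body, p2 = _read_tlv(stmt, 0)
        if ot != 0x06:
            raise ValueError("statementId must be an OBJECT IDENTIFIER")
        out[_decode_oid(oid_body)] = stmt[p2:] if p2 < len(stmt) else None
    return out


def qc_profile(ext_value):
    """Summarise what the issuer claims: qualified? on a QSCD? which usage types?"""
    stmts = parse_qc_statements(ext_value)
    types = []
    info = stmts.get(QC_TYPE)
    if info:
        _, seq, _ = _read_tlv(info, 0)            # SEQUENCE OF OBJECT IDENTIFIER
        pos = 0
        while pos < len(seq):
            _, oid_body, pos = _read_tlv(seq, pos)
            oid = _decode_oid(oid_body)
            types.append(QC_TYPE_NAMES.get(oid, oid))
    return {"qualified": QC_COMPLIANCE in stmts, "qscd": QC_SSCD in stmts, "types": types}


def accepts_qualified_signature(ext_value):
    """Assumed relying-party policy: a QES needs a qualified esign certificate on a QSCD."""
    p = qc_profile(ext_value)
    return p["qualified"] and p["qscd"] and "esign" in p["types"]


# Constructed sample extension values (not taken from any real certificate).
QES_CERT_EXT = der_seq(
    der_seq(der_oid(QC_COMPLIANCE)),
    der_seq(der_oid(QC_SSCD)),
    der_seq(der_oid(QC_TYPE), der_seq(der_oid("0.4.0.1862.1.6.1"))),
)
# Qualified certificate with a software-held key: no QcSSCD, so not enough for a QES.
SOFTWARE_CERT_EXT = der_seq(
    der_seq(der_oid(QC_COMPLIANCE)),
    der_seq(der_oid(QC_TYPE), der_seq(der_oid("0.4.0.1862.1.6.1"))),
)

if __name__ == "__main__":
    for name, ext in (("QES", QES_CERT_EXT), ("software", SOFTWARE_CERT_EXT)):
        print(name, qc_profile(ext), "accept as QES:", accepts_qualified_signature(ext))
```

The QcStatements are only the issuer's claim. A relying party must also verify the certificate chain and confirm that the issuing CA appears in the EU Trusted Lists with the matching qualified service type, otherwise any CA could assert QcCompliance and QcSSCD for itself.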
“At AET Europe, we provide solutions for smartcards and tokens with qualified certificates. And QSCD and qualified certificates are managed by BlueX. BlueX eID Management manages the lifecycle of the user’s digital and electronic identities in the form of virtual certificates, smart cards and tokens. The solution we developed complies with eIDAS regulations and similar regulations in countries outside the European community. It even adheres to Brazilian legislation: LGPD, MP 2.200 / 2001, Law 14.063 / 2020 and similar regulations, as well as being totally compliant with the ICP Brasil standard. In Brazil, we have customers already using BlueX to issue and control digital identities. Our clients include certification authorities, government organisations and other organisations in the financial, industry and health sector,” informs Colin.
The mutual recognition of digital signatures in the European Union enables agreements and commercial transactions to be concluded between governments and/or between companies. Colin told us there are also examples, mainly in the financial sector, where banks use digital signatures to allow citizens of one country to sign agreements with a financial institution based in another country.
“Mutual recognition between digital signatures allows many citizens in the European Union to remotely open a bank account in a country other than the one they live in. But it’s essential that signatures are qualified. This means a Frenchman can open and operate a bank account in Italy, without ever having been to that country.”
QTSP – Qualified Trust Service Provider
“Companies that identify themselves frequently use the Qualified Certificate for Electronic Seal (QC eSeal), which is a qualified certificate issued for use as an electronic seal. The seal must be issued by a Qualified Trusted Service Provider (QTSP) that meets the requirements set out in Annex III of Regulation (EU) No. 910/2014 (eIDAS).
“It is also common for companies to exchange customer registration information between different countries. But there needs to be strong authentication between companies, and the procedures for protecting the privacy of any data exchanged must follow eIDAS technological requirements.
“These are some practical examples of mutual recognition using digital identification in the European Union. Currently, the sector that uses mutual recognition the most is the financial sector,” says Colin.
“In relation to eIDAS solutions, the structure is there, the solutions are available and, even while we’re talking, more solutions are being developed and updated. So, now is the time for everyone to adopt them here in Europe. By that, I mean that governments, companies and citizens must start making more and better use of the mutual recognition of digital signatures,” adds Colin.
The intersection of GDPR and eIDAS regulations
Regarding the intersection of the GDPR and eIDAS regulations, Colin said that the GDPR is very strict and focuses mainly on ensuring that European citizens' privacy and personal data are protected.
According to Colin, “An institution, whether private or public, that processes or exchanges personal data, or does anything relating to it, must use all possible technology mechanisms to ensure the data is protected.”
The GDPR does not prescribe which technology you use, but it does set out obligations organisations must meet to ensure data protection: Article 32 requires technical and organisational measures appropriate to the risk of the processing. eIDAS complements this aspect of the GDPR.
The first rule is that whoever holds the data must be able to guarantee its confidentiality, integrity and availability. And wherever data exchange takes place, it must be done with strong authentication between the parties involved.
GDPR determines the limits and eIDAS the technical framework
eIDAS defines the assurance levels for electronic identification (low, substantial and high) and the levels of electronic signature (electronic, advanced and qualified), and the level to be used depends on the criticality of what is being authenticated or signed electronically. The higher the criticality, the higher the level of authentication or signature required.
These are the main intersections between GDPR and eIDAS.
The GDPR stipulates that you must protect data, and eIDAS provides technical requirements that help you do this, so you can be sure, as a company, that you are protecting the data. eIDAS also requires qualified trust services, such as issuing qualified certificates, to be provided by a Qualified Trust Service Provider (QTSP), so organisations can be sure they are using appropriate and safe solutions that comply with eIDAS.
We asked Colin whether he himself had been issued a digital identity. He told us it is not yet necessary for all citizens, because applications for use across the European Union are still being implemented.
“Here in the Netherlands, there is, unfortunately, no easy access to qualified certificates. We’re still in the beginning of implementing applications for use, so it’s very different from the reality that exists in Brazil today,” said Colin.
“In Brazil, you have many applications for using qualified certificates to communicate with the government. You also use them on a large scale in the judiciary, in the health sector and to access tax commitments.
“Which means Brazil is far ahead of Europe in the use of qualified digital certificates. One day, we hope to have as many applications as the ones we know about in Brazil,” adds the executive.
Finally, on the interoperability of electronic transactions across "electronic frontiers" within the European Community, Colin told us his predictions for the coming years.
“What we see at AET Europe is that the eIDAS framework, the infrastructure and the technical solutions are all available. One of these technical solutions is our SafeSign applet. It’s already placed on smartcards and tokens, allowing you to access a qualified digital certificate and make your transactions secure.
“Now is the time to increase adoption across sectors throughout the European Union. We believe that, in the near future, increasingly more companies and ordinary people will see how important it is to use secure transactions; between themselves, with their government and with the companies competing to provide services,” concludes Colin.
Do you want to discuss this topic? Please let us know and feel free to contact us.
Colin van den Heuvel, Business Consultant at AET Europe.