Following up on its research programme on digital identities, which among other things led to the publication of two multidisciplinary handbooks, Digital Identities in March 20161 and Digital Identities in Tension – Between Autonomy and Control in January 2019,2 the research Chair on Values and Policies of Personal Information is hosting a series of conferences on ‘Trustworthy digital identities’.
This topic has become an issue that requires a practical response at the French, European and international level.
Topical regulatory matters with regard to societal issues
At the EU level, the topic of digital identity, ‘an important factor in better border protection and migration management and the move towards an effective and genuine Security Union’,3 falls within the context of combatting document fraud and identity theft.
In order to help mainly identify non-EU citizens who enter or try to enter EU territory, two EU regulations were adopted on 20 May 2019 to establish the conditions for interoperability between information systems in the fields of borders and visas (Regulation 2019/817)4 as well as of police and judicial cooperation, asylum and migration (Regulation 2019/818).5 No fewer than eight information systems are involved: the Schengen Information System (SIS), Eurodac,6 the Visa Information System (VIS), the Interpol database of Stolen and Lost Travel Documents (SLTD database) and Europol data, as well as three new systems: the Entry/Exit System (EES), the European Travel Information and Authorisation System (ETIAS), and the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN).
These highly technical acts establish, in particular, a Common Identity Repository (CIR), which will include an individual file regrouping some of the biographic and biometric data of individuals registered in the VIS, the EES and the ETIAS. Monitoring their implementation enforcement, in line with our fundamental legal acts, will be supervised by national supervisory authorities – including the French Data Protection Authority, the CNIL – and the European Data Protection Supervisor (EDPS).
Beside interoperability between databases on third-country nationals, the security of identity cards of EU citizens was increased last summer, on 20 June 2019, with the adoption of Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents.7 Discussions on the topic, which could ultimately affect 370 million citizens across 26 Member States, focused especially on which biometric data should be registered – a facial image and two fingerprints or ‘just’ fingerprints. In this regard, the EDPS issued a reasoned and detailed opinion in which it considers that ‘the Proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints) in this context, while the stated purposes could be achieved by a less intrusive approach.’8
In practical terms, France needs to develop its national identity card format by 2 August 2021. The identity card will follow the ‘credit card’ format and will need to include a facial image and two fingerprints of the card holder, stored on a ‘highly secure’ contactless chip in a digital interoperable format. The national identity card may incorporate a dual interface or a separate storage medium to store national data for e-government and e-business services. Such data will have to be physically or logically separated from the biometric data.9
Another link in the trust chain, especially for electronic transactions, is Regulation No 910/2014 or eIDAS Regulation on electronic identification and trust services for electronic transactions in the internal market,10 which needs to be reviewed by the European Commission no later than 1 July 2020.11 The regulation focuses in particular on mutually recognised electronic identification means between EU Member States. It provides the possibility for States to notify their interoperable electronic identification scheme(s) used at the national level to the Commission. So far, 18 identification schemes have already been notified by 14 States,12 and Estonia implemented a digital identity strategy as early as 2002, followed by many States such as Belgium, Austria and Germany, while France still has not notified any scheme.
France is still discussing ways of developing a secure digital identification strategy that could be used by public services and private actors alike. More specifically, the mandate given to the inter-ministerial mission led by Valérie PENEAU in January 2018 was to ‘develop, for all citizens, legally staying foreign nationals and companies, a smooth digital identification strategy to be used on the State Digital Platform and France Connect [the French identification and authentication system for services]’.13 This strategy should include at least two levels, the eIDAS ‘low’ and ‘high’ assurance levels. Yet, as the developed solutions were meant to be ‘effective as of September 2019’, the mission’s findings have yet to be made public.
Meanwhile, in July 2019, Cédric O, the French Secretary of State for Digital Affairs, consulted the French Digital Council in order to shed a light on how the future digital identity mechanism could be used and connected with the digitalisation of public services.14 The consultations aiming to help draft recommendations should be presented early 2020.
In the mean time, end of October 2019, the French National Assembly launched a fact-finding mission on digital identity headed by Marietta Karamanli, together with fellow MPs Christine Hennion and Paola Forteza. The ambitious stated objective is ‘to be able to guarantee that the technological choices, legal framework, governance and economic model for digital identity in France will pave the way to developing a digital citizenship based on trust’.15 The MPs have started their hearings, to which Claire Levallois-Barth has contributed.16
Among the many issues addressed, which included economic opportunities enabled by the development of new digital identity solutions which citizens can trust; simplified uses; inclusion and risks of discrimination; interaction between public authorities and the private sector; and users’ control over their identity and data, the debate particularly focus on the topic of the very definition of digital identity. In this regard, the hearings have highlighted how difficult it is to define this concept, which is still under construction, therefore as it stands, very dynamic.
Digital identity: a polysemic notion
Digital identity may be particularly defined by reference to an electronic identity document (a passport, an ID card with a chip), an online proof of identity or an electronic means of identification allowing an individual to prove they are its holder, authorised to access certain online services.17 Conventionally, digital identity may be considered as civil status extended to the digital space; an external perspective that views an individual as the sum of stable characteristics in order to identify and individualise them unequivocally and permanently. In this respect, French philosopher Paul Ricœur, in his book Oneself as Another, underlined the ‘interrupted continuity between the first and the last stage in the development of what we consider to be the same individual. […] Thus, we say of an oak tree that it is the same from the acorn to the fully developed tree.’18
Digital identity may also be considered in a wider sense, from the point of view of the subject and the way they mean to introduce themselves to others: it is the identity they have given themselves, chosen for themselves, as an active projection, thus contributing to their self-determination. Let us recall that the European Court of Human Rights (ECHR) found that ‘respect for private life requires that everyone should be able to establish details of their identity as individual human beings’19 and that ‘an individual’s entitlement to such information is of importance because of its formative implications for his or her personality’. The ECHR therefore lays down a ‘right to identity’, which is protected by Article 8 of the European Convention on Human Rights.20 Using a social network is a great example of this: on their own initiative, an individual chooses the way they wish to identify themselves, shows aspects of their perceived identity, such as their hobbies, pictures, relationships with ‘friends’, opinions… The Article 29 Working Party (Art. 29 WP) points to that in its opinion on online social networking. Indeed, national supervisory authorities consider that social networks ‘should consider carefully if they can justify forcing their users to act under their real identity rather than under a pseudonym’.21
In this respect, through a survey carried out in May 2019, the Chair on Values and Policies of Personal Information was able to show that users adopt actual strategies to introduce themselves as they please. 75% of respondents said they had several email addresses and 60% used several pseudonyms, while 31% used at least one fake identity.22
However, we must admit that using many usernames and passwords – 93% of respondents said they used several passwords, a 4-point increase compared to our previous survey in March 2017 –23 implies a certain level of difficulty, a low security level and the risk of personal data being used by malevolent third parties.
Yet, the very definition of the notion of digital identity conditions its determined scope, and therefore the legislator’s scope of action. Should the principle of a right to anonymity, or a right to pseudonymity, in the public space be recognised? In which cases should it be required to use a ‘real’ name?
Related challenges with regard to the GDPR
The very enforcement of General Data Protection Regulation (GDPR) is being challenged here.24 Should particular provisions be adopted to regulate the use of biometric data, which has been classified as ‘sensitive data’ since GDPR was adopted?25 Should certain identification technologies be prohibited in the public space, as they are in San Francisco or Seattle?26 If so, for which of their uses? Which purposes and which level of identification should be provided for?
In this respect, on 17 October 2019, in its plenary session, the CNIL ruled that experimenting on a ‘virtual gate’ controlling school access through facial recognition at the entrance of two high schools in Nice and Marseille violated the key principles of proportionality and data minimisation laid down by the GDPR.27 According to the CNIL, purposes such as preventing intrusion and identity theft as well as reducing the time required to check students – most of them minors – can be achieved through much less intrusive means, e.g. through ID badge control.
The topic of biometrics in relation to consent was also discussed in the debate on mobile digital identity with regard to the Alicem application developed by the French Ministry of the Interior.28 Indeed, this programme provides that to activate their account, an individual needs to prove they are who they pretend to be in order to achieve the ‘high’ assurance level of digital identity as set out in the eIDAS Regulation. For that purpose, they are required to film themselves doing several ‘challenges’ such as blinking and moving their head and face about. The video then allows the French National Agency for Secure Documents (ANTS) to check that the person holding the phone is indeed the subject (dynamic facial recognition) and to capture a picture it compares with the picture included in their electronic passport or residence card (static facial recognition).
In a deliberation adopted on 18 October 2018, the CNIL pointed out that Alicem was incompatible with the GDPR, mainly because facial recognition was mandatory. The CNIL recalled that, in line with Art. 29 WP’s position,29 which was confirmed by the European Data Protection Board (EDPB), ‘in the event where the provision of a service is subject to consent to the processing of personal data, such consent is only free if the data processing is strictly necessary to the provision of the service requested by the individual, or if an alternative option is effectively offered by the data controller to the data subject. In this case, refusing the processing of biometric data impedes the account’s activation, and deprives of effect the initial consent to the account’s activation’.30
While Decree n° 2019-452 authorising the creation of Alicem was published on 13 May 2019 against the CNIL’s opinion,31 a launch – only available on Android phones with an NFC system so far – was discussed for November 2019, then postponed to mid-2021. In addition to a debate on the background of the implemented technology,32 an application for annulment of Decree n° 2019-452 was lodged with the French Council of State by French organisation La Quadrature du Net on 15 July 2019.33 The organisation raised the same concerns as the CNIL as regards the violation of the concept of ‘freely given and non-mandatory consent’, as well as fears that Alicem would ultimately threaten online anonymity.
Towards a potential surveillance paradigm shift
Aside from such specific experimentations, the CNIL called for a ‘debate that is up to the challenges’ on 15 November 2019.34 It stressed that ‘replacing human checks of people’s identity with checks carried out by algorithmic processing alters, per se, the surveillance potential’, entailing a major risk that progressive slips lead to a paradigm shift in surveillance, ‘moving from the targeted surveillance of some individuals to the potential surveillance of all in order to identify some.’
This potential paradigm shift is also being discussed at the EU level.
Some privacy activists, such as Statewatch, view the implementation of the interoperability of databases on non-EU citizens as the ‘point of no-return’ of a data collection policy that is meant to get broader in scale.35 According to the NGO, the risk is now about generalised biometric national ID cards and the data included in them being transferred to a future central biometric database, which would enable an unprecedented monitoring of 440 million EU citizens. For now, however, the Identity Card Regulation does not provide for the establishment of such a centralised database.36
The EDPS also mentions the potentiality of a point of no return in its Opinion on the proposals for two regulations establishing a framework for interoperability between EU large-scale information systems, specifying: ‘The decision of the EU legislator to make large-scale IT systems interoperable would not only permanently and profoundly affect their structure and their way of operating, but would also change the way legal principles have been interpreted in this area so far and would as such mark a “point of no return”.’37 It also points out that ‘interoperability is not only or primarily a technical choice but rather a political choice liable to have profound legal and societal consequences’.
Therefore, the very exercise of our fundamental rights and freedoms – especially our freedom of movement, our right to privacy and our right to personal data protection – is being questioned.
Thus, how can we combine our European values with requirements to enable security and trust in the digital environment? According to which criteria should we define cases in which it is necessary to establish the identity of a person unequivocally and situations in which citizens themselves must choose elements of their perceived identity? How should such requirements be translated into technical systems which we could trust?
To that end, in order to try and answer these questions collectively in an informed way, and consistently with the work we have carried out on these topics since April 2013, the Chair on Values and Policies of Personal Information would like to invite you to attend its next series of conferences on Trustworthy digital identities.
‘The EU eIDAS Regulation: enforcement and outlook in France’
‘Digital identities, biometric data and facial recognition’
‘Digital identities and their various faces’
Claire Levallois-Barth, Associate Professor of Laws at Télécom ParisTech (France), Coordinator of the Chair Values and Policies of Personal Information
1 Digital Identities, coordinated by Claire Levallois-Barth with Armen Khatchatourov, Pierre-Antoine Chardel, Maryline Laurent, Patrick Waelbroeck, Delphine Chauvet, Nesrine Kaâniche.2 Digital Identities in Tension: Between Autonomy and Control, Armen Khatchatourov, with Pierre-Antoine Chardel, Andrew Feenberg and Gabriel Périès, January 2019.
3 In this regard, see the Commission’s December 2016 Action plan to strengthen the European response to travel document fraud, COM(2016) 790 final, p. 2.
4 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA, OJEU L 135/27 of 22.5.2019.
5 Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816, OJEU L 135/85 of 22.5.2019.
6 Which aims to determine which Member State is responsible, under the Dublin Convention, for examining an asylum or subsidiary protection application. End of 2014, 2.7 million individuals were registered in the EURODAC processing files. In 2015, France received 3.6 million visa applications and issued 3.3 million visas, while 70 million alerts were made in the C-SIS II alert database. The CNIL has provided information on such processing of personal data, which can be found in French under the following links [last checked on 8 January 2019]:
7 Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, OJEU L 188/67 of 12 July 2019 (Identity Card Regulation).
9 Identity Card Regulation, abovementioned, art. 3(9) and (10).
10 Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, OJEU L 257/73 of 28.8.2014 (eIDAS Regulation).
11 eIDAS Regulation, abovementioned, art. 49 ‘Review’.
12 For an overview of the 18 notified schemes, see https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS
13 Valérie Peneau’s mission letter signed on 5 January 2018 by the then French Minister of the Interior Gérard Collomb, Minister of Justice Nicole Belloubet, and Secretary of State for Digital Affairs Mounir Mahjoubi.
14 Lancement des consultations sur l’identité numérique : données, usages, inclusion : n’oublions pas l’avis des citoyens ! [Launch of consultations on digital identity: data, uses, inclusion – citizens’ opinions shouldn’t be left aside!], 29 October 2019.
15 Paola Forteza, Quelle Identité numérique en France ? Je suis rapporteure d’une mission parlementaire [Which digital identity for France? I am the rapporteure of a parliamentary mission], 31 October 2019.
17 To that end, see art. L 102-I of the French Post and Electronic Communications Code:
‘I. – Electronic identification is the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person. An electronic identification means is a material or immaterial unit containing person identification data and which is used for authentication for an online service.’
18 Paul Ricoeur, Oneself as Another, University of Chicago Press, 1994, p. 117.
19 ECHR, Gaskin v. the United Kingdom, Judgment of 7 July 1989, series A No. 160, p. 16, § 39.
20 See, for instance, ECHR, Mikulic v. Croatia, Judgment of 7 February 2002, JCP G 2002, I. 157, § 54.
22 Second survey by the CVPIP Chair-Médiamétrie – May 2019, Données personnelles et confiance : évolution des perceptions et des usages post-RGPD.
23 First survey by the CVPIP Chair-Médiamétrie – March 2017, Données personnelles et confiance : quelles stratégies pour les citoyens-consommateurs en 2017 ?
24 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJEU L119/1 of 4.5.2016.
25 Article 4(14) of the GDPR defines biometric data as ‘personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data’. Article 9(1) prohibits the processing of such data, while Article 9(2) sets potential exceptions to such prohibition.
27 Expérimentation de la reconnaissance faciale dans deux lycées : la CNIL précise sa position [Two high schools experiment facial recognition: the CNIL clarifies its stance], 29 October 2019.
28 Alicem is part of the French government’s strategy to enable online access to all public services by 2022. Based on transferring the data registered inside the electronic component of passports or residence cards (except the digital fingerprint image), this mechanism aims to identify and authenticate individuals to allow access to services performed by providers bound to France Connect through a convention.
30 Délibération de la CNIL n°2018-342 du 18 octobre 2018 portant avis sur un projet de décret autorisant la création d’un traitement automatisé permettant d’authentifier une identité numérique par voie électronique dénommé « Application de lecture de l’identité d’un citoyen en mobilité » (ALICEM) et modifiant le code de l’entrée et du séjour des étrangers et du droit d’asile [CNIL Deliberation No 2018-342 of 18 October 2018 on the opinion on a draft decree authorising the creation of an automated processing allowing to electronically authenticate a digital identity called ‘Application reading the identity of a mobile citizen’ (Alicem) and amending the French Code for Entry and Residence of Foreigners and Right of Asylum] (Request for Opinion No 18008244), French Official Journal No 0113 of 16 May 2019.
31 Décret n° 2019-452 du 13 mai 2019 autorisant la création d'un moyen d'identification électronique dénommé « Authentification en ligne certifiée sur mobile » [Decree No 2019-452 of 13 May 2019 authorising the establishment of an electronic identification means entitled ‘Certified online authentication on mobile phones’], French Official Journal No 0113 of 16 May 2019.
32 Alicem, la solution de reconnaissance faciale française, a été financée aux États-Unis [French facial recognition mechanism Alicem funded in the US], 9 October 2019.
33 La Quadrature du Net attaque l’application ALICEM, contre la généralisation de la reconnaissance faciale [La Quadrature du Net tackles the Alicem app and broad-scale facial recognition], 17 July 2019.
34 CNIL, Reconnaissance faciale - Pour un débat à la hauteur des enjeux ? [Facial recognition – For a debate that is up to the challenges?]15 November 2019. PDF.
35 Statewatch, Analysis, The ‘point of no return’ – Interoperability morphs into the creation of a Big Brother centralised EU state database including all existing and future Justice and Home Affairs databases, Tony Bunyan, May 2018.
36 See Article 10(3) of the Identity Card Regulation, which provides: ‘Other than where required for the purpose of processing in accordance with Union and national law, biometric identifiers stored for the purpose of personalisation of identity cards or residence documents shall be kept in a highly secure manner and only until the date of collection of the document and, in any case, no longer than 90 days from the date of issue. After this period, these biometric identifiers shall be immediately erased or destroyed.’