4.1 Strengthening digital sovereignty by means of self-sovereign identities
4.2 Key role for the financial industry
4.3 Harmonisation of the legal framework for identification processes
4.4 Interoperability between identity providers
4.5 Close cooperation between public and private sectors
Digital identities have now become an integral of part of our everyday lives. Nine out of ten Germans use the internet, around 80 per cent make online purchases and two thirds of them use online banking. This trend has resulted in the need for digital identity data, including personal log-ins, which now form part of every digital customer journey. However, these are usually stand-alone solutions, which means a digital identity needs to be set up for each provider. In Germany, there is still a lack of available and widely accepted solutions with which people can digitally identify themselves to business partners everywhere (i.e. across various sectors). This is not only due to the lack of interoperability among existing solutions, but also because the identity data collected by businesses may not be used externally. The resulting lack of widely available digital identity data is holding back the urgent digitisation of Germany, and also of Europe.
It is, therefore, all the more important to create an ecosystem for the use and management of digital identities that can be employed across sectors and providers. The aim must be to enable people and, by extension, companies and things (Internet of Things) to be seamlessly integrated into digital value creation processes based on digital identities. At the core of an ecosystem of this kind is the provision of identity data that have already been confirmed by one party (e.g. a bank) and which other business partners can rely on. The identity data should be controlled by the respective identity subject, in keeping with the principle of digital sovereignty and in line with data protection legislation.
Businesses must work together with government to achieve this goal of a flourishing ID ecosystem. It would require new and close cooperation between the public and private sector, whose objective might even extend to formulating standardised procedural and organisational rules (a governance structure) as well as minimum technical standards. The ecosystem would not compete with existing providers of identity solutions, on the contrary, it would allow them to (further) develop their offers and innovations in a joint environment.
However, to achieve this, the legal and regulatory requirements for verifying identities, which are currently inconsistent, need to be harmonised across the different economic sectors. The only way to ensure that the new standards are widely accepted and that the market can adapt to them quickly is for the ecosystem to allow identity data to be used and exchanged across all sectors and for all parties. To achieve this, there needs to be equivalent requirements for the identification processes and mutual recognition by the respective supervisory authorities for all the regulated areas. The most effective way to attain full harmonisation would be by creating a standardised, cross-sector legal framework.
The ID ecosystem should be launched as a national initiative which could then also be developed into a standardised European framework and interoperable identity solution. European payment transactions provide a good example of how the rules and technological standards might be standardised. The private banks expressly welcome the German government’s initiative launched late last year to create an open European ecosystem of digital identities.
- There must be a general equivalence of requirements for identification processes in sector-specific rules (including in anti-money laundering and terrorist financing, in the telecommunications sector, the public sector and for trust services). Where these rules are based on European legislation, full harmonisation in the form of a European regulation will be required.
- The most effective way to achieve full harmonisation would be using a single cross-sectoral European legal framework, which could then act as a reference for sector-specific regulations. This would also ensure that the scope of the data collected by those obliged to check identities is identical in order to make them re-useable throughout the EU.
- Furthermore, the legislator must continue to create the framework conditions required to ensure legal certainty in the relationship between identity verifier and issuer. This should also include taking account of questions of legal responsibility, such as liability limits, in order to ensure a fair balance of interests and to provide the necessary incentive.
The upcoming revision of the eIDAS Regulation should be used to define horizontally standardised requirements in the sense of full harmonisation at European level, thereby making the whole cross-border verification process much easier.
The digital transformation is progressing at pace, new technologies and services are welcomed enthusiastically where they promise to add value for users and are simple and convenient to use. The latest Initiative D21 study, the D21 Digital Index 19/20, reveals that the majority of citizens expect, and indeed, welcomes digitisation becoming an even more ubiquitous part of their daily lives.
On average, every EU citizen currently has around 90 digital identities, including login data for social media accounts, online shops, mobility platforms or online banking. And this figure will continue to rise due to the many digitisation initiatives being pushed in a variety of sectors. In the area of customer onboarding, there is still considerable room for improvement in the level of digitisation. One major weakness is that customers often have to enter lots of personal data manually as part of the application process, even though this information has already been verified and is available in other parts of the system, and simply needs transferring over to the application process. US tech companies have been aware of this problem for a while now. Users with Apple, Google, Facebook or Amazon profiles can use these to log in to other websites.
The range of digital identities is broad: they can be limited to a simple combination of username/password with no reference to personal credentials or they can also be linked to personally identifiable information from official proof such as an ID document. They can also include more detailed information, such as payment data, health information or evidence of training and employment.
A “verified digital identity” is a data record that contains the identity and, where applicable, other identity credentials (e.g. holds the title of “Dr” issued by a university, owns a hunting licence issued by a local authority, etc.) about a natural person or legal entity which have been verified by one or more trusted sources (e.g. a bank).
Bringing together all these various data, which can paint a comprehensive picture of the respective person or entity, requires a high degree of integrity and trust within the entire system.
However, these single sign-on authentication schemes offered by tech companies do not guarantee that the data entered by the customer are actually correct. But in regulated sectors, such as banking or mobile telecommunications, companies are legally obliged to verify their customers’ data. Though they do so conscientiously, legally valid identification can often only be carried out with a break in the media chain (e.g. video identification, the German Post-Ident service, etc.). In Germany, the electronic ID (eID) function of national ID cards has not been sufficiently accepted by consumers.
Several European countries have recognised this issue and come up with solutions, particularly in Scandinavia. In Denmark, 99 per cent of the population have been using a digital identity (NemID),  which is provided jointly by business and the government, for more than 15 years. With up to 100 million transactions per month, NemID is an integral part of Danes’ digital lives. For example, 9 out of 10 customers use NemID to log on to their bank accounts or use administrative services. In 2003, a number of major banks in Sweden developed the BankID. Today, more than eight million out of 10 million Swedes own a BankID which they use to log on to their accounts, verify their digital identities or legally sign contracts digitally.
In contrast, the basis for verifying the identities of natural persons in Germany is still physical documents such as personal ID cards, residence permits or passports. Although nearly all personal ID cards and residence permits issued in Germany are now equipped with electronic proof of identity (eID), and identification procedures like video identification are partly digital, the ID document must always be physically presented (in the form of a chip card) by the consumer for verification, which stands in the way of fully digital user experience.
Although, German ID cards and electronic residence permits have been issued with eID since 2010, the function is only activated in half of all documents. In addition, only seven per cent of German citizens claim to have ever used their electronic ID card.  One reason for this is that the number of opportunities to use this function has only started growing quite recently. It could also be down to the inconvenience of needing to combine an ID card with a reading device or smartphone. The legal and technical requirements for transferring an electronic ID from a personal ID card or residence permit to a mobile device are currently being formulated. The objective is to allow identities to be verified solely with a smartphone and to increase user friendliness and acceptance.
Another way of making digital identities available to a broad user base in the short term is to reuse existing identity data, as demonstrated by the Danish example mentioned above. Since banks and also companies from various other sectors are obliged to verify the identity of their customers, this verified information about a person could serve as the basis for creating a digital identity. The data are based on government-issued identity documents and are checked at regular intervals, making them comparable in terms of quality and reliability.
The current situation shows that small and large businesses, as well as administrations and public authorities need to be able to implement future-proof and innovative identity verification procedures so that their digital services are used and accepted. Businesses are affected by this issue from both sides – because they need to prove their digital identities as well. They are therefore faced with the additional challenge of combining the digital identity of the legal person with the digital identity of the natural person(s) acting on behalf of the business.
In Germany, there are currently more than 40 providers of digital identities all competing for users. The exchange of data between these providers and requesting companies usually occurs via bilateral connections. These connections are complex. They require recurring integration costs, individual regulations for technical specifications and contractual agreements. Not only is there limited data portability between the various identity service providers, which often results in isolated applications and data silos, but the digital identities on offer do not always meet the high standards expected by the regulating authority. Ultimately, a company wanting to give its customers access to its services using a digital identity, is faced with the challenge of choosing, from a whole range of relevant suppliers, the best provider for them in terms of implementation costs, customer reach, conversion rate and potential economies of scale.
And what about the users? Despite demand being high, there is still a lack of practical applications in which the same digital identity can be used conveniently and for different purposes (regularly). Without practical applications, the individual will see no benefit from setting up a digital identity of this kind and demand will remain low. The classic chicken and egg problem.
How successful the use of digital identity solutions is will largely depend on how digital users behave in the future. Today, 74 per cent of citizens access the internet from mobile devices, and this figure jumps to 93 per cent in the 14 to 39 age range. In just a few years, more people will use a smartphone to access the internet than a desktop PC or laptop. The use of an app-based identity solution depends, not least, on the number of compatible smartphones in circulation.
Nevertheless, irrespective of the issue of user behaviour, if identity solutions really are to become a resounding success, there must be certainty that they are secure, convenient and, ideally, generally accepted and recognised. It is not only important that the standards enable fitting solutions, but that a fine balance can also be struck between usability and strong security. The maximum extent to which identity solutions can be standardised is therefore crucial.
At the European level, the 2014 eIDAS Regulation was a milestone, allowing mutual recognition of electronic identity systems in the EU. Its impact has been limited, however, since recognition is reserved for notified eID systems only. Its limitations were also compounded by a continued lack of operative and technical standards both in Germany and in the EU, particularly in the private sector. This resulted in ever increasing hurdles for the development of cross-sectoral and cross-border solutions.
Another challenge is the jungle of different legal requirements of identity verification, both across the various sectors as well as between the national and European levels. This leads to inconsistent framework conditions, hinders the mutual recognition of verified identity data when it comes to reusing them and, depending on their location, puts individual providers at a disadvantage in terms of European competition.
In order to simplify the standardisation and harmonisation process, Germany and Europe should take the approach of a public-private partnership. This would help promote the development of a set of rules, practices and standards that would achieve the interoperability required to provide and operate these identity solutions.
An answer to these challenges is an ecosystem in which digital identity data can be exchanged in a way that is secure, reliable, scalable and convenient. This will have a positive impact on the economic future of Germany and Europe while at the same time enhancing the private sphere of the individual. To be a success, an ecosystem of verified digital identities must
- be usable by different companies and across different sectors,
- enable interoperability with existing schemes,
- be based on consistent and, ideally, globally recognised standards,
- be usable by any individual in society, irrespective of nationality,
- be secure and help to protect consumers against identity fraud,
- be consumer-centric, meaning that it enables data sovereignty,
- be usable in legal contexts and be recognised by all public authorities,
- and be able to accommodate natural persons and legal entities and, in future, objects too.
The following diagram shows the numerous ways in which digital identities could be used across a wide range of industries.