The legal framework for digital identity

Fri 09 Aug 2024

Digital identity has become the foundation of the digital transformation of states and the establishment of online relationships between governments and citizens.

The digitization of administrative procedures and commercial transactions presents a new challenge for both sovereign states and businesses and raises the question: ‘How can we ensure the reliability of digital identities for citizens and clients?’ This interview focuses on the legal framework surrounding digital identity in Europe and Africa.

What is digital identity?

Digital identity (DI) refers to the aggregation of digital traces an individual leaves behind on the internet. It encompasses more than just civil identity by including a wide range of attributes. In addition to a person’s official civil name, digital identity may incorporate common names, pseudonyms, images, videos, IP addresses, bookmarks, and online comments about the individual.

Digital identity has become the foundation for the digital transformation of states and the establishment of online interactions between governments and citizens. It also serves as a key driver of the digital economy across various sectors, including e-commerce and online banking.

The rise of digital interactions has highlighted two major risks:

  • A risk of technical solution failure: This encompasses security, trust, and user comfort.
  • A human risk of fraud: This has led to the development of two crucial concepts aimed at ensuring that digital services are provided to the correct individual: digital identification (How to establish the identity of an online user?) and digital authentication (What measures should be implemented for the user to prove their declared identity online?).

Legally, digital identity is a multifaceted concept. It intersects with administrative law (personal data protection), commercial law (electronic transactions), and criminal law (cybersecurity).

So why have digital identification issues overtaken those of digital authentication?

We now have highly robust authentication tools capable of verifying that a person is indeed who they claim to be. However, these systems do not prevent hacking or data breaches. A person may act in bad faith, with their authentication relying on a digital identity that has not been sufficiently verified in advance. For example, ten years ago in France, the National Identity Card project included two chips: one for the citizen's biometric identity and the other for electronic signatures. However, the French Law No. 2012-410 of March 27, 2012, regarding identity protection, was overturned by the Constitutional Council. Experts demonstrated that the system failed to ensure proper identification of individuals before any authentication, including strong authentication.

This issue intersects with the concept of digital identity. The most effective form, sovereign digital identity, enables individuals to manage and control their digital identity seamlessly without third-party intervention. This approach mirrors the real world, where individual identities are represented by various documents. Some are universal (like identity cards), while others are specific to certain individuals (such as professional licenses). All these documents are validated by external entities, which are responsible for ensuring the reliability of the identity, such as the state, regulatory authorities, and professional organizations.

How is the security of digital identity legally regulated in different countries?

In France, there is no specific legal text solely dedicated to digital identity. The applicable legal framework derives from concepts established at the World Summit on the Information Society (WSIS), a forum initiated in 2003 in Geneva by the International Telecommunication Union (ITU). This framework consists of four key laws that address aspects of the Information Society, which can be applied to digital identity (DI). This general framework has been widely adopted around the world, including by all member states of the European Union and the African Union.

The four WSIS laws governing Digital Identity

  • A general law on the new rights that people enjoy because of developments in today's digital society. Application: everyone in a country has the right to a digital identity.
  • A law on the protection of personal data. Application: beware, not everything is permitted!
  • A law on the legal organization of electronic transactions. Application: how to conduct e-commerce? How do you deal with government agencies? How to use electronic signatures with electronic certificates? How do you control access?
  • A law on cybersecurity/cybercrime. Application: What penalty should be applied to a hacker who seizes another person's digital identity?

At the European level, Regulation eIDAS No. 910/2014 of July 23, 2014, on electronic identification and trust services for electronic transactions within the internal market, marked the sector. However, in practice, the regulation was limited to a system of mutual recognition between member states, whereby each remains free to establish its own digital identity schemes. A revision of the regulation is underway to model some standard electronic identity schemes, while still preserving the sovereign rights of states.

More recent European regulations have supplemented this framework, such as the European Payment Services Directive (PSD2) (EU 2015/2366), which introduces stricter security standards for online payments, and the General Data Protection Regulation (GDPR) (EU 2016/679).

In France, isolated texts ensure the security of specific sectors (National Health Identity) or certain applications (remote identity verification).

Today, nearly all countries have adopted the WSIS legal framework, adhering to the laws regarding electronic transactions that mention electronic identity. This is also the case in Africa, where the African Union has established a framework for Harmonization of ICT Policies in Sub-Saharan Africa (HIPSSA Program). This framework has frequently served as a basis for drafting laws; however, the publication of the necessary implementing decrees for managing legal and security cooperation has been slow.

Additionally, many African countries have already integrated personal data protection into their legislation, allowing them to create regulatory authorities that manage various treatments applied to online identities, without defining their fundamental essence.

What reference digital identity systems have governments invested in within the European Union?

In France, the FranceConnect solution, launched in 2021, forms part of the French government's digital transformation program and involves an investment of 1 billion euros. This system secures and simplifies access for 40 million French users to over 1,400 online services through a single digital identifier. The system operates efficiently and is expected to significantly impact French public services.

Additionally, France's La Poste Digital Identity grants access to 1,300 online services via FranceConnect and La Poste with a single identifier. The National Health Identity (INS), based on the individual’s social security number, allows for the centralized referencing of a patient's health data.

Across Europe, by 2024, all member states must provide citizens with a single digital identity wallet upon request. This Digital Identity Wallet will streamline interactions with users and enhance the quality, cost-efficiency, and effectiveness of public services.

What are the priorities for digital identity in Africa?

In African countries, where borders remain poorly defined and vital civil events (such as birth, marriage, and death registrations) are often unreliable, there is a critical need to manage population records effectively. Many African nations are conducting studies, with financial support from the African Development Bank (AfDB), to deploy a national digital identity strategy that allows for comprehensive population registration and the re-establishment of civil records. These studies invariably include a legal component to restructure civil status systems using ICT, personal data protection, and electronic certificates and signatures. This foundational step enables states to issue secure identity documents (ID cards, passports, voter cards) upon citizens' request via a specialized authority.

Overall, states must develop national digital identity schemes and prioritize sovereign national identities. This will facilitate, at either the regional or sub-regional level, the establishment of mutual recognition systems between states to interconnect their models and their citizens.
 

Thierry Piette-Coudol

Lawyer at the Paris bar, university lecturer in Africa and France, consultant specialized in trade security