Terminology
What is eSignature?
e-Signature is the electronic equivalent of a handwritten signature.
What is eIdentification (e-ID)?
eIdentification is the
process of unambiguously determining a person/entity's identity by
using electronic means. In Europe many Member States provide their
citizens with electronic IDs via smart cards, mobile phones, or other
technologies: some Member States combine an e-ID with the function of an
identity card used also as a travel document, others have a citizen
card to access public online services, others work with mobile devices,
or a combination of card and phone.
What is time stamping?
An electronic time stamp is the date and
time on an electronic document which proves that the document existed at
a point-in-time and that it has not changed since then. For example, a
student is entering a competition which closes at midnight, and sends
his entry by email at 23:55 but its delivery is delayed due to some
technical problems. A time stamp would prove that his entry existed at
23:55 and the delivery problems would have no consequence.
What is an electronic seal?
An electronic seal is the electronic
equivalent of a seal or stamp which is applied on a document to
guarantee its origin and integrity. An electronic seal means that a
company could issue millions of authentic invoices matching EU legal
requirements.
What is website authentication?
It is trusted information on a website
(e.g. a certificate) which allows users to verify the authenticity of
the website and its link to the entity/person owning the website.
Organisations can also be sure that they are protected from hackers
setting up a fake website. Website authentication is becoming fairly
common: when the address of a website becomes green in the browser, it
means that the website is authenticated with a certificate.
What is ‘electronic delivery’?
It is a service that, to a certain
extent, is the equivalent in the digital world of registered mail in the
physical world. At the moment the legal effect of the "registration" of
an email stops at the border of the Member State of origin of an e-mail
unless the Member State of destination recognises the registered nature
of the email.
Basic Facts
Which countries have e-ID already?
Electronic ID cards exist in: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.
Other forms of e-ID, like citizen cards
and access tokens are used in: Austria, Czech Republic, Denmark,
Lithuania, Luxembourg, The Netherlands, Slovakia, Slovenia and Sweden.
17 EU countries also participate in a project called STORK which has proven that e-IDs can be safely recognised across borders.
Who issues official electronic ID?
Official electronic ID in most of the
Member States is issued directly at state level, in others they are
issued by the private sector under the responsibility of the state (e.g.
Austria, Sweden).
What is the current issue?
While hundreds of millions of Europeans
are now able to use electronic identification for services like online
shopping, and have received better services as a result, these benefits
are much less commonly achieved with public services, and especially not
outside one's home country.
Citizens can rarely, if ever, use their
e-ID to interact online with public administrations of other EU Member
States. This undermines our rights as Europeans, and causes
inconvenience and extra costs associated with time delays and the hassle
of maintaining multiple identity documents.
The absence of common
EU rules on legal recognition of e-ID acts as a brake on those citizens
who need to be mobile or undertake business or work activity outside
their home country.
Equally, the lack of an EU
legal framework for essential trust services like time stamping
(legally proving the time), electronic documents (legal effect and
acceptance), registered electronic delivery (legal proof of a
communication channel), and electronic seals (which legally link a
person or a company to a document) also means lots of companies divert resources from their key functions to standing in queues, waiting for forms and stamps.
When was this proposal planned / decided?
From 2010 onwards the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200) listed
a revision of the eSignature Directive and legal measures to ensure
mutual recognition of eIdentification (e-ID) and eAuthentication as an
objective.
This call was repeated as one of 12 elements of the Single Market Act (SMA) (see IP/11/469). The
European eGovernment Action Plan 2011-2015, and various Council
Conclusions both call for legislation "to ensure mutual recognition of
eIdentification and eAuthentication across the EU".
Finally, the Roadmap for Stability and Growth underlines this measure as key to the development of the digital economy.
Why not just update the eSignature Directive?
The eSignature Directive (Directive 1999/93/EC)
has been in place for over 12 years. The Directive has gaps, such as
undefined obligations for national supervision of service providers,
which are holding back cross-border eSignatures, and it does not cover
many new technologies.
Given the demand for greater trust in
electronic services, these issues are best addressed by an evolution to
more comprehensive legislation.
Objectives and benefits
Why extend use of electronic identification?
e-ID is convenient and cost-effective compared to most paper-based or face-to-face transactions with government.
e-ID is a popular form of identification already, for example on social networking, shopping and banking websites.
Who is this Regulation aimed at?
eSignatures, trust services and eIdentification are
largely relevant for businesses (legal persons), and individuals
(natural persons) as they will lead to new opportunities within the EU.
For example, this will affect the 13 million EU
citizens who work in another EU country and the hundreds of thousands
of students studying in other EU countries. Wider use and improved eSignatures and trust services would help Europe's 21 million SMEs, many of whom work across borders.
What does the Regulation actually do?
There are three key elements.
1. It upgrades the legal framework of electronic signatures, replacing the existing eSignature Directive.
For instance, it allows you to "sign" with a mobile phone; it requires
higher accountability for security; and it provides clear and stronger
rules for the supervision of eSignature and related services.
2. Through
requiring mutual recognition between various national eID systems
(different to harmonisation or centralisation), the Regulation extends
the capabilities - the opportunities available with your existing eID -
by making it functional across EU borders.
3. Other trust services are included in
the Regulation for the first time, meaning there will be a clear legal
framework and more safeguards through strong supervision services of
electronic seals, time stamping, electronic document acceptability,
electronic delivery and website authentication.
What are the key benefits of this proposal?
- Better online public services as government services get closer to the flexibility and convenience of private sector service.
- Saves you time and money
- More legal certainty for those who use e-ID and eSignatures
- Upholds European citizens’ rights - the right to access government services or tenders in other EU countries
What is the Commission NOT proposing?
The Commission's draft Regulation does
NOT make it obligatory for all citizens to have an eID card. The
European Commission does NOT have the right to legislate on the
management of electronic identities; this is a matter of national
sovereignty. It is up to Member States to decide whether to have such a
form of identification, when it is required, and what technology to use.
The Commission's proposal aims only to ensure that where these
electronic identifications exist, they can be used across borders fully
respecting privacy and data protection rules.
This proposal does NOT create or propose the creation of a new 'European eID' or European database of any kind.
It does NOT set European standards for security, supervision or enrolment for electronic identification.
It will NOT lead to new exchanges of personal data across borders.
Finally it does not oblige Member States to notify their eID schemes to the European Commission.
Is this linked to other Commission initiatives?
Yes. Several other EU policy initiatives
(e.g. the Services Directive, the Public Procurement Directives, the
eCommerce Directive, the VAT (e-invoices) Directive and the Data
Protection Directive) will have a greater impact if there is a
consistent legislative framework for easy-to-use, trustworthy and secure
electronic transactions in the Digital Single Market.
Why choose “mutual recognition” of e-ID over “harmonisation”?
Member States are solely responsible for
the management of their electronic identities, so direct harmonisation
is not an option. Direct harmonisation is also unnecessary, given that
mutual recognition will achieve most of the same benefits, and quicker.
Mutual recognition is also clearly more politically acceptable and the Commission respects this.
Why choose “harmonisation” for eSignatures?
eSignatures are a single and relatively
simple trust service, for which we need to ensure a well functioning
internal market. The 1999 eSignature Directive already aimed at
harmonisation. eSignatures mostly benefit and affect legal persons
(companies) rather than individuals.
Examples
How eIdentification revolutionised banking
Today, because of effective electronic
identification, banking takes place 24/7 at cash machines, in
restaurants and shops, and online in all countries. e-ID removed
artificial barriers from banking transactions and is now an accepted and
essential part of our daily life.
By comparison, government services tend
to be much more cumbersome. They are often not available online, they
are available at limited times and places and at far greater cost –
either to the individual or company or indirectly via the taxpayer.
Services likely to see greatest positive impact of greater e-ID use:
Online tax collection, education courses and other social services, eProcurement and eHealth.
Case studies of specific, typical current problems
Elisa, a Belgian student,
wants to enrol at a university in Italy. She logs on to the university
website but cannot use her Belgian electronic identification when she is
asked to identify herself. Why? Her Belgian eID is neither recognised
nor accepted in Italy. Elisa has to buy a train ticket to Italy and
queue up to do the necessary paperwork in person.
A small company based in Hungary
wants to bid online for a contract being tendered by a Portuguese local
administration. However, the electronic signature used to seal the bid
is denied because of specific national requirements and interoperability
problems. The Hungarian company has to submit the bid on paper, print
copies and send them by courier to Portugal, which costs lots of extra
time and money.
A French multinational
wants to sign contracts electronically with a counterpart based in
Latvia. This is technically possible, but the two countries have
different legal requirements for trust services like electronic seals,
electronic documents, time stamping. The French company will need to
invest time and money to assess whether it is legally possible to use
electronic documents and processes.
An Estonian bank
wants to send a notice of default to a borrower based in Germany. The
Estonian bank wants to use an electronic document, but is this legally
valid under Estonian and German law? The bank will examine the
applicable laws in both countries. If in doubt, the bank will probably
opt to send the document by traditional mail.
General impacts on stakeholder groups
All citizens
will be able to carry out secure and trustworthy cross-border electronic
transactions and take full advantage of their rights across the EU.
Workers who
get a job in another Member State, or who are residents but not EU
citizens, will more readily be able to complete the transfer formalities electronically.
Businesses will face less red tape
and, literally, less paperwork. The gains can be enormous for large
scale businesses, and can be the difference between profitability and
difficulty, and expansion or stagnation for small and medium sized
businesses.
Public administrations
will save taxpayers' money through reduced administrative burdens and
will be able to provide better, more efficient services. Environmental
benefits will accrue through reduced travel and paper use.
Private sector companies will be able to use and accept eIDs opening up new e-Business, eCommerce and eGovernment service possibilities.
Real-world examples of e-ID in practice today
The STORK
project has technically proven that e-IDs work across borders. 17 EU
countries (and a total of 35 partner organisations from private,
academic and civil society sectors) with many different approaches to
identification systems have developed an interoperable platform to
enable cross-border identification and authentication without disruption
of national systems. This work was jointly funded by participating
Member States and the EU (€26 million since 2008) and members include
those who do not have an ID card system, such as the United Kingdom.
The Connecting Europe Facility proposed by the Commission would enable further cross-border digital service infrastructures.
Examples of current cross-border e-ID enabled services
Through the Estonian e-Business portal,
a simple limited liability company can be set up online in 18 minutes.
Creating a company via the internet can be done with either an Estonian
ID card, or one from Belgium, Portugal, Lithuania or Finland. Estonia
hopes to extend this service to other ID card systems.
Around 500 students studying in Austria, Estonia, Spain, Italy and Portugal have participated in a student mobility pilot project,
where their national e-ID-card gives access to online enrolment, access
to online courses or tutorials, and computing infrastructures in other
countries.
An interoperable Change of Address framework has been created for Estonian, Portuguese, Slovenian, Spanish and Swedish citizens. This enables foreign citizens to notify
all relevant entities in government (and, for example, water and
electricity companies) of an address change in one-step and has been
used more than 25,000 times in early testing.
German and Polish pension and social care services
now provide for recognition of each other’s e-ID. This is an example of
a bilateral cross-border mutual recognition. This provides a lower
level of functionality compared to EU-wide mutual recognition, but shows
the value of such services for communities living close to each other
but on either side of national borders.
National examples of the positive impact of e-ID
In total, Estonia
has issued approximately 1.2 million e-ID smartcards, and conducted 52
million electronic signatures to authenticate more than 88 million
electronic transactions. Private sector organisations use the
authentication mechanism widely for their own services.
Submitting company balance sheets in
Estonia was streamlined from a 3-month long paper process to a 20 minute
electronic process. Countless hours for printing, sending, scanning and
manually inputting data have been saved.
Austria and Iceland enable 'Safer Chat', where
users need their e-ID card to enter chat rooms for 14-18 year olds.
This means much greater safety with only minimal disclosure of data.
In Austria the delivery time for a document confirming an individual does not possess a criminal record was reduced to 2 minutes.
Financial
What is the cost burden of this change on Member States?
Both eSignature and eIdentification
systems come with an initial upfront cost, but far greater financial
returns in the medium and long term.
Much of the technical work has already been done in the STORK
large scale pilot project, and further development costs can be largely
absorbed through a small portion of the funding being made available by
the Connecting Europe Facility, which is designed to support
cross-border digital services.
The best large scale analogy for the
cost-benefit ratio of electronic identification and other trust services
is the changes in banking in recent decades. Today a far greater range
of services is provided more cheaply and often 24/7 compared with
banking based on paper and face-to-face transactions. This has been good
for banks and good for their growing number of customers.
Privacy and security
What about my privacy?
Your privacy can be
enhanced by electronic identification and authentication as they limit
the need to always, and repeatedly, provide personal data.
Secure eIDs combine
state-of-the-art cryptography with common security practices such as
PIN-codes or passwords. This means they are as strong and private as
typical bank solutions, which are already widely and safely used.
How will my data be protected?
Under these proposals no unnecessary data is revealed or exchanged.
For example, if a teenager wanted secure
access to a chat room for 14-18 year olds, or a gambler needed to prove
they were of legal age, the website should only check information about
their age from the e-ID card. Other details such as nationality and
address would not need to be revealed.
When relying on other forms of
identification – for example a person volunteering information that
cannot be verified, or a physical photo ID, the result is either lower
security or more data being revealed. e-ID avoids this problem.
What are the key safeguards in the eID proposal?
The proposals are designed to avoid the
centralisation of information. There is no aggregation of information,
beyond the aggregation that already takes place in national systems.
However there is one key additional safeguard.
Data protection regimes already apply to national eID schemes. In addition, Member
States assume liability for their participating systems. That means you
will have the right to sue your government if there is a problem with
your data or access to services. This new right, to make one’s
government liable, is a clear incentive against lax behaviour; it will
provide an effective lock on the ‘door’ of your data file.
What are the key safeguards for other trust services?
Trust service providers already have to
comply with EU and national data protection legislation. In addition to
this, the mandate of supervisory bodies, which already exist for
eSignatures, will now be extended to other trust services.
What about levels of security?
The proposals provide for clear and
unambiguous identification and proof of identity. For many public
services, users and administrations alike prefer higher levels of
security than is necessary, say, for online shopping. For example, using
an electronic token with an access code to complete a tax declaration
online.
Other security services include electronic signatures, electronic seals or time stamping. These enable online
transactions to be concluded with the same legal validity as in the
physical world. Such use of the Internet can speed up enormously the
time it takes for small companies to carry out their business.
What about data storage?
These proposals do not create new databases or deliver personal information to other databases.
All people using mutual recognition and other services must strictly comply with EU data protection legislation.
Impact on the private sector
New business opportunities
The new rules require governments to
recognise any eSignature provider that meets the standard. Equipment
makers therefore have significant new opportunities.
In Estonia the
government has not placed any restrictions on the use of eID in the
private sector and the authentication mechanism is available to any
outside developer. Currently, applications exist for using eID to
authorise online bank transactions, to sign contracts and tax
declarations, to authenticate to wireless networks, to access government
databases, and for automated building access.
Next steps
The Commission's proposal will now be
passed on to the European Parliament and the Council of Ministers for
scrutiny and debate. This process may take between one and two years,
but it is impossible to give an accurate estimate.
The Regulation would take effect
immediately in all EU Member States as soon as it has been formally
approved by the European Parliament and Council and 20 days after
publication in the Official Journal.