The European Network and Information Security Agency (ENISA),
which is funded by the EU, has studied all 10 ID card systems in
the EU and the 13 in development and has found that they each adopt
different standards of privacy and methods of protecting it.
Unless countries co-ordinate activity and ensure that all ID
systems have good privacy protection, many of the claimed benefits
of having ID cards will not materialise, it said.
"Privacy is an area where the member states' approaches differ a
lot and European eID [electronic identification] will not take off
unless we get this right," said ENISA executive director Andrea
Pirotti. "Europe needs to reflect on eID privacy and its role in
the interoperability puzzle. The fundamental human right to privacy
must be guaranteed for all European eID card holders."
The report said that the lack of co-ordination over privacy
controls will damage the usefulness of cards.
"The increasing numbers of card schemes in place are creating
opportunities for pan-European initiatives exploiting the new
infrastructure," said the ENISA report. "Privacy features have been
developed, implemented and tested at a national level and there is
no co-ordinated strategy at a European level as to which features
should be implemented and how they should be implemented."
"The lack of co-ordination is an important obstacle to any
possible cross-border interoperability of eID card schemes," it
said. "[This is] important in order to create the necessary trust
in the users of such schemes – any cross-border scheme only offers
as much protection as its weakest participating member: If just one
participating country offers what is generally considered to be
inadequate privacy protection, the citizens of the other countries
are not likely to accept any cross-border interoperability scheme
which puts their data at more risk than their national scheme."
The ENISA report outlined the various kinds of attacks that can
be made on ID cards and the systems behind them, and the different
kinds of measures that countries put in place to guard against
those threats.
It said, however, that although it was possible to create systems
to deal with the problems, this was not always done, and even when
it was done it was not always replicable on other countries' systems.
"A lot of very practical techniques exist to protect the
citizen’s privacy and, from the survey of available techniques in
this paper, it is possible to identify a set of best practice
guidelines for the protection of personal data in national eID card
schemes," said the report.
"European eID card specifications are very diverse in terms of
their implementation of the privacy features we have identified.
They are by no means universally implemented and where they are
implemented, they are not always technically interoperable," it
said.
ENISA said that the report was designed to give policymakers the
information necessary to improve the situation.
"A clear statement of the status quo is an essential first step
towards the important goals identifying best practice, improving
the base-line of citizen privacy protection in eID cards throughout
Europe and ultimately to improving interoperability and adoption by
citizens," it said.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice.