Those Who Shall Be Identified: The Data Protection Aspects of the Legal Framework for Electronic Identification in the European Union

Andraško, Jozef; Mesarčík, Matúš

doi:10.2478/bjes-2021-0012

Abstract

The article focuses on the intersections of the regulation of electronic identification as provided in the eIDAS Regulation and data protection rules in the European Union. The first part of the article is devoted to the explanation of the basic notions and framework related to the electronic identity in the European Union— the eIDAS Regulation. The second part of the article discusses specific intersections of the eIDAS Regulation with the General Data Protection Regulation (GDPR), specifically scope, the general data protection clause and mainly personal data processing in the context of mutual recognition of electronic identification means. The article aims to discuss the overlapping issues of the regulation of the GDPR and the eIDAS Regulation and provides a further guide for interpretation and implementation of the outcomes in practice.

References

Andraško, J. (2016), ‘Electronic identification and authentication in the context of electronic public administration services,’ CER Comparative European Research, no. 2, pp. 75–78.
Search in Google Scholar Back to article
Andraško, J. (2017), ‘Mutual recognition of electronic identification means under the EIDAS Regulation and its application issues,’ AD ALTA: Journal of Interdisciplinary Research, vol. 7, no. 2, pp. 9–13.
Search in Google Scholar Back to article
Article 29 Data Protection Working Party (2007), Opinion 4/2007 on the concept of personal data adopted on 20th June, 01248/07/EN WP 136.
Search in Google Scholar Back to article
Bygrave, L. (2017), ‘Data protection by design and by default: Deciphering the EU’s legislative requirements,’ Oslo Law Review, vol. 4, no. 2, pp. 105–120. http://doi.org/10.18261/ISSN.2387-3299-2017-02-0310.18261/issn.2387-3299-2017-02-03
Search in Google Scholar Back to article
Carpenter, C. (2020), ‘Privacy and proportionality: Examining mass electronic surveillance under Article 8 and the Fourth Amendment,’ International Comparative Law Review, vol. 20, no. 1, pp. 27–57. https://doi.org/10.2478/iclr-2020-000210.2478/iclr-2020-0002
Search in Google Scholar Back to article
Cavoukian, A. (2011), 7 Principles of Privacy by Design. Retrieved from https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Court of Justice of the European Union (2009), Judgment of the Court (Grand Chamber) of 9 November 2010, Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62009CJ0092 [accessed 7 Nov 2020]
Search in Google Scholar Back to article
CEF Digital (n.d.), ‘How Does It Work? EIDAS Regulation.’ Retrieved from https://ec.europa.eu/cefdigital/wiki/pages/viewpage.action?pageId=82773030 [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Cuijpers, C. & Schroers, J. (2014), eIDAS as guideline for the development of a pan European eID framework in FutureID. Retrieved from https://core.ac.uk/download/pdf/34614563.pdf [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, OJ L 13, 19.1.2000, pp. 12–20.
Search in Google Scholar Back to article
EDPB (2019), Guidelines 4/2019 on Article 25 Data Protection by Design and by Default adopted on 13 November 2019. European Data Protection Board Plenary meeting, 12–13 November 2019.
Search in Google Scholar Back to article
EDPS (2012), Opinion of the European Data Protection Supervisor on the Commission proposal for a Regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market (Electronic Trust Services Regulation), European Data Protection Supervisor. Retrieved from https://edps.europa.eu/sites/edp/files/publication/12-09-27_electronic_trust_services_en_0.pdf [accessed 7 Nov 2020]
Search in Google Scholar Back to article
ENISA (2014), Privacy and Data Protection by Design—from policy to engineering, The European Union Agency for Cybersecurity. Retrieved from https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design [accessed 7 Nov 2020]
Search in Google Scholar Back to article
European Commission (n.d., a), ‘eIDAS Cooperative Framework.’ Retrieved from https://ec.europa.eu/cefdigital/wiki/display/EIDCOOPNET/eIDAS+Cooperation+Network [accessed 7 Nov 2020]
Search in Google Scholar Back to article
European Commission (n.d., b), ‘eIDAS—Implementing Acts.’ Retrieved from https://ec.europa.eu/futurium/en/content/eidas-implementing-acts [accessed 7 Nov 2020] European Commission (n.d., c), ‘eIDAS Level of Assurance.’ Retrieved from https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS+Levels+of+Assurance [accessed 7 Nov 2020]
Search in Google Scholar Back to article
European Commission (n.d., d), ‘EU Trusted Lists of Trust Service Providers.’ Retrieved from https://ec.europa.eu/digital-single-market/en/eu-trusted-lists-trust-service-providers [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Fuster, G. (2014), The Emergence of Personal Data Protection as a Fundamental Right in the EU, Cham: Springer.
Search in Google Scholar Back to article
Hamuľák, J. & Nevická, D. (2020), ‘The Slovak v the Danish labor law approach to COVID 19 pandemic,’ International and Comparative Law Review, vol. 20, no. 2, pp. 231–238. https://doi.org/10.2478/iclr-2020-002610.2478/iclr-2020-0026
Search in Google Scholar Back to article
Jasmontaite, L.; Kamara, I.; Zanfir-Fortuna, G. & Leucci, S. (2018), ‘Data protection by design and by default: Framing guiding principles into legal obligations in the GDPR,’ European Data Protection Law Review, vol. 4(2018), no. 2, pp. 168–189. https://doi.org/10.21552/edpl/2018/2/710.21552/edpl/2018/2/7
Search in Google Scholar Back to article
Kesa, A. & Kerikmäe, T. (2020), ‘Artificial intelligence and the GDPR: Inevitable nemeses?’ TalTech Journal of European Studies, vol. 10, no. 3(32), pp. 68–90. https://doi.org/10.1515/bjes-2020-002210.1515/bjes-2020-0022
Search in Google Scholar Back to article
Porcedda, M. G. (2018), ‘On boundaries—finding the essence of the right to the protection of personal data,’ in R. Leenes, R. van Brakel, S. Gutwirth & P. De Hert (eds.) Data Protection and Privacy: The Internet of Bodies, Oxford: Hart Publishing.
Search in Google Scholar Back to article
Project FIDIS (n.d.), [Homepage]. Retrieved from http://www.fidis.net/ [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Project STORK (n.d.), [Homepage]. Retrieved from https://cordis.europa.eu/project/id/297263 [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Razmetaeva, Y. (2020), ‘The right to be forgotten in the European perspective,’ TalTech Journal of European Studies, vol. 10, no. 1(30), pp. 58–76. https://doi.org/10.1515/bjes-2020-000410.1515/bjes-2020-0004
Search in Google Scholar Back to article
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, pp. 1–88.
Search in Google Scholar Back to article
Regulation (EU) no. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, OJ L 257, 28.8.2014, pp. 73–114.
Search in Google Scholar Back to article
Romano, F. B. (2013), The Right to the Protection of Personal Data: A New Fundamental Right of the European Union. Retrieved from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2330307 [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Rubinstein, I. S. (2011), ‘Regulating privacy by design,’ Berkeley Technology Law Journal, vol. 26, no. 3, pp. 1409–1456.
Search in Google Scholar Back to article
van der Sloot, B. (2015), ‘Do privacy and data protection rules apply to legal persons, and should they? A proposal for a two-tiered system,’ Computer Law & Security Review, vol. 31, no. 1, pp. 26–45. https://doi.org/10.1016/j.clsr.2014.11.00210.1016/j.clsr.2014.11.002
Search in Google Scholar Back to article
The Modinis IDM Study Team (2005), ‘Modinis study on identity management in eGovernment: Common terminological framework for interoperable electronic identity management,’ Consultation paper v2.01. Retrieved from http://ec.europa.eu/information_society/activities/ict_psp/documents/eid_terminology_paper.pdf [accessed 7 Nov 2020]
Search in Google Scholar Back to article
Tsakalakis, N.; Stalla-Bourdillon, S. & O’Hara, K. (2016), ‘What’s in a name: the conflicting views of pseudonymisation under eIDAS and the general data protection regulation,’ in D. Hühnlein, H. Roßnagel, C. H. Schunck & M. Talamo (eds.) Open Identity Summit 2016, Bonn: Gesellschaft für Informatik e.V., pp. 167–174.
Search in Google Scholar Back to article
Tsakalakis, N.; Stalla-Bourdillon, S. & O’Hara, K. (2018), ‘Data protection by design for cross-border electronic identification: Does the eIDAS interoperability framework need to be modernised?’ in E. Kosta et al. (eds.) Privacy and Identity Management. Fairness, Accountability and Transparency in the Age of Big Data, 13th IFIP WG 9.2, 9.6/11.7, 11.6/SIG 9.2.2, International Summer School, Vienna, Austria, August 20–24, 2018, Revised Selected Papers, pp. 255–274.
Search in Google Scholar Back to article
Tzanou, M. (2013), ‘Data protection as a fundamental right next to privacy? “Reconstructing” a not so new right,’ International Data Privacy Law, vol. 3, no. 2, pp. 88–99. https://doi.org/10.1093/idpl/ipt00410.1093/idpl/ipt004
Search in Google Scholar Back to article
Zaccaria, A.; Schmidt-Kessel, M.; Schulze, R. & Gambino, A. M. (2020), EU eIDAS Regulation: Article-by-Article Commentary, Oxford: Bloomsbury Publishing PLC.10.17104/9783406759017
Search in Google Scholar Back to article

Those Who Shall Be Identified: The Data Protection Aspects of the Legal Framework for Electronic Identification in the European Union

Abstract

Paradigm

My account