Under what conditions do citizens trust secure, digital identities and systems, such as the digital vaccination card and the electronic identity card? In this interview, we will be talking to the German Federal Data Protection Commissioner Prof. Ulrich Kelber about Self-Sovereign Identities (SSI) and digital business models that uphold the General Data Protection Regulation (GDPR) gold standard. What are the opportunities for companies that offer privacy-compliant products and services?
Mr. Kelber, why is it important for companies to integrate data protection into their business model right from the start?
Kelber: Thinking about data protection from the beginning saves expensive and time-consuming corrections later on, provided that corrections are even still possible at that point. After all, you don’t first build a house and only then think about how to lay the pipes in accordance with the regulations. Apart from that, there is a great need for data protection-compliant services and products. European companies could score points here with their experience advantage if they credibly implement the requirements and advertise them.
How can companies continue to improve in the area of data protection?
Kelber: Many companies are already sitting on huge amounts of data, most of which remains unused. For both customers and companies, it would be much better to take a closer look at which data is really needed and what can be done with it in accordance with data protection laws. Companies should also make themselves less dependent on the market power of the large US tech corporations and not integrate questionable services into their products out of convenience. And last but not least, transparency pays off. Data is not the new oil; trust is. Only those who are trusted will be trusted with people’s data.
How can we ensure secure digital identities (self-sovereign identities) for users?
Kelber: The basic idea of SSI systems is that users manage their various badges and attributes themselves, in one place, on their own device. This has two advantages: Unlike in centralised digital systems, the body that issued the badges or attributes cannot track when users “show” them to third parties. That is how it has been in the analogue world until now: If a person provides proof of their degree when applying for a job, the university is not informed in any way. Moreover, with these special digital systems, users can show only the relevant information and hide everything else. For example, the residential address does not have to be shared when proving that someone is over 65 years of age.
However, in order for these good concepts to be implemented safely, rules of the game are needed for all participants. Particularly relevant here are the so-called wallets, i.e., the storage and management programmes for the badges and attributes. The users should install the wallets on their own hardware. However, they must not be made responsible for the safety of the products. Citizens must be able to rely on the wallets provided to be secure and to protect against identity theft, for example. Furthermore, the infrastructure must be designed in such a way that the possibility of abusive profiling is excluded.
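The selective-disclosure idea above (prove “over 65” without revealing the address, with no call back to the issuer), as an added illustration that is not part of the interview: salted hash commitments per attribute, an issuer signature over the commitment root, and a verifier that checks a presentation using only the issuer’s public key. The textbook RSA keypair, the attribute names and the sample holder data are constructed for this example; real SSI wallets use proper signature schemes and zero-knowledge predicates instead of a pre-issued “over_65” attribute.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Toy textbook RSA keypair built from two Mersenne primes (NOT for production).
# It stands in for the issuer's signature so the verifier needs only (N, E).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, issuer only
ISSUER_PUB = (N, E)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

def commit(name: str, value: str, salt: bytes) -> bytes:
    """Hiding commitment: without the salt the value cannot be brute-forced."""
    return h(name.encode(), value.encode(), salt)

def root_of(commits: List[bytes], n: int) -> int:
    return int.from_bytes(h(*sorted(commits)), "big") % n

def issue(attrs: Dict[str, str]) -> dict:
    """Issuer: salt and commit to every attribute, sign the commitment root."""
    salts = {k: os.urandom(16) for k in attrs}
    commits = [commit(k, v, salts[k]) for k, v in attrs.items()]
    return {"attrs": attrs, "salts": salts, "commits": commits,
            "sig": pow(root_of(commits, N), D, N)}

def present(cred: dict, reveal: List[str]) -> dict:
    """Holder (wallet): open only the chosen attributes; the rest stay hidden."""
    return {"commits": cred["commits"], "sig": cred["sig"],
            "opened": {k: (cred["attrs"][k], cred["salts"][k]) for k in reveal}}

def verify(pres: dict, pub=ISSUER_PUB) -> Optional[Dict[str, str]]:
    """Verifier: offline check of the issuer signature and each opened value."""
    n, e = pub
    if pow(pres["sig"], e, n) != root_of(pres["commits"], n):
        return None  # root tampered or not signed by this issuer
    for k, (v, salt) in pres["opened"].items():
        if commit(k, v, salt) not in pres["commits"]:
            return None  # opened value does not match any issued commitment
    return {k: v for k, (v, _) in pres["opened"].items()}

# Constructed sample holder data (fictitious).
CRED = issue({"name": "Erika Mustermann", "address": "Musterstr. 1",
              "over_65": "true"})
```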
How do you assess the introduction of the digital vaccination card from a data protection perspective?
Kelber: In principle, the idea of a digital vaccination certificate was not wrong for the current situation. Of course, one has to be aware that we are taking the problems of the analogue world with us. The yellow vaccination certificate was never intended as an “admission ticket”. That is why the digital vaccination certificate is also susceptible to misuse. If one wants to use such certificates, then a digital solution can even be more data protection-friendly, quite simply because the person checking does not see as much data as they would if the paper vaccination certificate were shown. Unfortunately, the first version of the digital vaccination certificate unnecessarily shows, in addition to the blue tick, whether you have been vaccinated, recovered or tested. Based on my consultation, this will be corrected with the next update, at least for the distinction between vaccinated and recovered. Overall, I would have liked my authority to have been involved earlier. Then time and money would have been saved on the corrections.
With the eIDAS Regulation, electronic identities have been given a secure and uniform European standard. How do we need to implement eIDAS projects, such as the eID electronic identity card, so that they become a secure success in the future? What are the current challenges and what opportunities do you see for the future?
Kelber: With the electronic identification function (eID function) of the identity card, the electronic residence permit and the eID card for EU citizens (hereinafter referred to as ID card), we have secure and recognised instruments for cross-border electronic identification, which is becoming increasingly important for the processing of (administrative) services. Especially in the Covid-19 pandemic, digital opportunities have greatly increased in all areas of life. This development will continue after the pandemic. In Germany, the digitalisation of the administration is being driven forward by the Online Access Act, according to which the federal government, the states and the municipalities must also offer their administrative services digitally by the end of 2022. There is a need for legally secure procedures for identification as well as for the trustworthy handling of business processes. Within this framework, citizens will need to be educated about the secure use of electronic identities. The use of electronic identities may only take place under data protection-compliant and secure conditions. I see a considerable challenge here. Central in this context are the strengthening of citizens’ data protection competence, the prevention of unnecessary data collection and possible profiling, and the maintenance of a high level of security in the solutions.
What developments in data protection do we expect to see in the next five years?
Kelber: The European General Data Protection Regulation is the global gold standard right now. However, the first countries are already developing their data protection laws further, following the example of the GDPR. Individual large companies have also recognised the value of data protection and are beginning to change their business models in this direction. At the same time, digitalisation and new technologies are forcing us to consider adjustments and specific regulations. For example, I see a need for regulation of AI and algorithmic systems, profiling, biometric identification, encryption and anonymisation, as well as data trustees and digital privacy assistants. In the next twelve months, we finally need to reach a decision on a privacy-friendly ePrivacy Regulation.
Thank you very much for the interview!
You can find out more about this topic at the Internet Security Days 2021. Prof. Ulrich Kelber will be giving a keynote speech on 17 September on the topic of data protection (in German).