BETA

Activities of Cornelia ERNST related to 2021/0136(COD)

Shadow opinions (1)

2022/10/11
Committee: LIBE
Dossiers: 2021/0136(COD)
Documents: PDF(234 KB) DOC(182 KB)
Authors: [{'name': 'Cristian TERHEŞ', 'mepid': 197655}]

Amendments (72)

Proposal for a regulation
Recital 6

(6) Regulation (EU) No 2016/67919, or Regulation 2018/1725, as the case may be, applies to the processing of personal data in the implementation of this Regulation. Therefore, this Regulation should lay down specific safeguards to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data from other services with the personal data relating to the services falling within the scope of this Regulation. This Regulation should also further specify the principles of purpose limitation, data minimisation, and data protection by design and by default, for the specific use-cases set out in this Regulation. These specifications should be without prejudice to the other principles, rules and obligations stemming from Regulation (EU) No 2016/679. _________________ 19 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 8

(8) In order to ensure compliance within Union law or national law compliant with Union law, service providers should communicate their intent to rely on the European Digital Identity Wallets to Member States~~. That will allow Member States~~’ supervisory authorities for data protection. That will allow Data Protection Authorities (DPAs) to protect users from fraud and prevent the unlawful use of identity data and electronic attestations of attributes ~~as well as to ensure that the processing of sensitive data, like health data, can be verified by relying parties in accordance with Union law or national law~~.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 9

(9) All European Digital Identity Wallets should allow users to electronically identify and authenticate online and offline across borders for accessing a wide range of public services and private services, where the verification of certain attributes is mandated by law. Without prejudice to Member States’ prerogatives as regards the identification of their nationals and residents, Wallets can also serve the institutional needs of public administrations, international organisations and the Union’s institutions, bodies, offices and agencies. Offline use would be important in many sectors, including in the health sector where services are often provided through face-to-face interaction and ePrescriptions should be able to rely on QR-codes or similar technologies to verify authenticity. Relying on the level of assurance “high”, the European Digital Identity Wallets should benefit from the potential offered by tamper- proof ~~solutions~~technology such as secure elements, to comply with the security and integrity requirements under this Regulation. The European Digital Identity Wallets should also allow users to create and use qualified electronic signatures and seals which are accepted across the EU. To achieve simplification and cost reduction benefits to persons and businesses across the EU, including by enabling powers of representation and e- mandates, Member States should issue European Digital Identity Wallets relying on common standards to ensure seamless interoperability and a high level of security. Only Member States’ competent authorities can provide a high degree of confidence in establishing the identity of a person and therefore provide assurance that the person claiming or asserting a particular identity is in fact the person he or she claims to be. It is therefore necessary for certain use cases that the European Digital Identity Wallets rely on the legal identity of citizens, other residents or legal entities. Trust in the European Digital Identity Wallets would be enhanced by the fact that issuing parties are required to implement appropriate technical and organisational measures to ensure a level of security commensurate to the risks raised for the rights and freedoms of the natural persons, in line with Regulation (EU) 2016/679.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 10

(10) In order to achieve a high level of security and trustworthiness, this Regulation establishes the requirements for European Digital Identity Wallets. The conformity of European Digital Identity Wallets with those requirements should be certified by accredited public or private sector bodies designated by Member States. Relying on a certification scheme based on ~~the availability of~~state of the art technology and commonly agreed standards with Member States should ensure a high level of trust and interoperability. Certification should in particular rely on the relevant European cybersecurity certifications schemes established pursuant to Regulation (EU) 2019/88120 . Such certification should be without prejudice to certification as regards personal data processing pursuant to Regulation (EC) 2016/679 _________________ 20 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act), OJ L 151, 7.6.2019, p. 15

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 11

(11) European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk. ~~Using~~Since biometrics ~~to authenticate is one of the id~~represents a unique, immutable characteristic of a person, the use of biometrics required for authentification~~s methods providing a high level of confidence, in particula~~ is not appropriate. Storing information from the European Digital Identity Wallet in the cloud has to be an optional feature only active after wthen used in combination with other elements of authentication. Since biometrics represents a unique characteristic of a person, the use of biometrics requires organisational and security measures, commensurate to the risk that such processing may entail to the rights and freedoms of natural persons and in accordance with Regulation 2016/679. r has given explicit consent. Member States should offer at least one European Digital Identity Wallet that stores cryptographic material and handles transactions on the user device without requiring cloud services. Where the European Digital Identity Wallet is provided on the Smartphone of the user its cryptographic material should be stored in the secure elements of the device.

2022/06/13
Committee: LIBE

(12) To ensure that the European Digital Identity framework is open to innovation, technological development and future-proof, Member States should be encouraged to set-up jointly sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements. This environment should foster the inclusion of European Small and Medium Enterprises, start-ups and individual innovators and researchers.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 17

(17) Service providers use the identity data provided by the set of person identification data available from electronic identification schemes pursuant to Regulation (EU) No 910/2014 in order to match users from another Member State with the legal identity of that user. ~~However, despite the use of the eIDAS data set, in many cases ensuring an accurate match requires additional information about the user and specific unique identification procedures at national level.~~ To further support the usability of electronic identification means, this Regulation should require Member States to take specific measures to ensure a correct identity match in the process of electronic identification. For the same purpose, this Regulation should also extend the mandatory minimum data set and require the use of a unique and persistent electronic identifier in conformity with Union law in those cases where it is necessary to legally identify the user upon his/her request in a unique and persistent way.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 22

(22) In order to streamline the cybersecurity obligations imposed on trust service providers, as well as to enable these providers and their respective competent authorities to benefit from the legal framework established by Directive XXXX/XXXX (NIS2 Directive), trust services are required to take appropriate technical and organisational measures pursuant to Directive XXXX/XXXX (NIS2 Directive), such as measures addressing system failures, human error, malicious actions or natural phenomena in order to manage the risks posed to the security of network and information systems which those providers use in the provision of their services as well as to notify significant incidents and cyber threats in accordance with Directive XXXX/XXXX (NIS2 Directive). With regard to the reporting of incidents, trust service providers should ~~notify~~treat any incidents as having a significant impact on the provision of their services, including such caused by theft or loss of devices, network cable damages or incidents occurred in the context of identification of persons. The cybersecurity risk management requirements and reporting obligations under Directive XXXXXX [NIS2] should be considered complementary to the requirements imposed on trust service providers under this Regulation. Where appropriate, established national practices or guidance in relation to the implementation of security and reporting requirements and supervision of compliance with such requirements under Regulation (EU) No 910/2014 should continue to be applied by the competent authorities designated under Directive XXXX/XXXX (NIS2 Directive). Any requirements pursuant to this Regulation do not affect the obligation to notify personal data breaches under Regulation (EU) 2016/679.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 25

(25) In most cases, citizens and other residents cannot digitally exchange, across borders, officially certified information related to their identity, such as addresses, age and professional qualifications, driving licenses and other permits and payment data, securely and with a high level of data protection.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 28

(28) Wide availability and usability of the European Digital Identity Wallets require their acceptance by private service providers. Private relying parties providing services in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications should acceptcitizens as a trusted means of sharing their personal data with private service providers. Private relying parties should be required to provide a data protection impact assessment according to Article 35 of Regulation 2016/679 to the Member State they seek approval by the relevant national supervisory authority from, for their use of European Digital Identity Wallets for the provision of services where strong user authentication for online identification is required by national or Union law ~~or by contractual obligation~~. WThe~~re very large online platforms as defined in Article 25.1. of Regulation [reference DSA Regulation] require users to authenticate to access online~~ information requested from the user vices, those platforms should be mandated to accept the use of European Digital Identity Wallets upon voluntary request of the user. Users should be under no obligation to use the wallet to access private services, but if they wish to do so, large onla the European Digital Identity Wallet has to be necessary and proportionate for the intended use case of the relyineg platforms should accept the European Digital Identity Wallet for this purpose while respecting the principle of data minimisation. Given the importance of very large online platforms, due to their reach, in particular as expressed in number of recipients of the service and economic transactions this is necessary to increase the protection of users from fraud and secure a high level of data protection.arty and follow the principle of data minimisation. Users should be under no obligation to use the wallet to access private services Self-regulatory codes of conduct at Union level (‘codes of conduct’) should be developed in order to contribute to wide availability and usability of electronic identification means including European Digital Identity Wallets within the scope of this Regulation. The codes of conduct should facilitate wide acceptance of electronic identification means including European Digital Identity Wallets by those service providers which do not qualify as very large platforms and which rely on third party electronic identification services for user authentication. They should be developed within 12 months of the adoption of this Regulation. The Commission should assess the effectiveness of these provisions for the availability and usability for the user of the European Digital Identity Wallets after 18 months of their deployment and revise the provisions to ensure their acceptance by means of delegated acts in the light of this assessment.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 29

(29) The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. ~~This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimisation of processing of personal data.~~ It should also ensure that no attributes are disclosed to parties that are not by law entitled to receive such attributes. The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties. This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimisation of processing of personal data in particular privacy by design and by default. Mechanisms for the validation of the European Digital Identity Wallet, selective disclosures and authentication of users to access online services shall be privacy-preserving thereby preventing the tracking of the user and respecting the principle of purpose limitation, which implies a right to pseudonymity to ensure the user cannot be linked across several relying parties.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 32

(32) Website authentication services provide users with assurance that there is a genuine and legitimate entity standing behind the website. Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated. The use of website authentication services by websites is voluntary. However, in order for website authentication to become a means to increasing trust, providing a better experience for the user and furthering growth in the internal market, this Regulation lays down minimal security and liability obligations for the providers of website authentication services and their services. To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty. To further promote their usage, public authorities in Member States should consider incorporating Qualified certificates for website authentication in their websites.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 33

(33) Many Member States have introduced national requirements for services providing secure and trustworthy digital archiving in order to allow for the long term preservation of electronic documents and associated trust services. To ensure legal certainty and trust, it is essential to provide a legal framework to facilitate the cross border recognition of qualified electronic archiving services. That framework could also open new market opportunities for Union trust service providers.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 34

(34) Qualified electronic ledgers record data in a manner that ensures the uniqueness, authenticity and correct sequencing of data entries in a tamper proof manner. An electronic ledger combines the effect of time stamping of data with certainty about the data originator similar to e-signing and has the additional benefit of enabling more decentralised governance models that are suitable for multi-party co-operations. For example, it creates a reliable audit trail for the provenance of commodities in cross-border trade, supports the protection of intellectual property rights, enables flexibility markets in electricity, provides the basis for advanced solutions for self- sovereign identity and supports more efficient and transformative public services. To prevent fragmentation of the internal market, it is important to define a pan-European legal framework that allows for the cross-border recognition of trust services for the recording of data in electronic ledgers.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 35

(35) The certification as qualified trust service providers should provide legal certainty for use cases that build on electronic ledgers. This trust service for electronic ledgers and qualified electronic ledgers and the certification as qualified trust service provider for electronic ledgers should be notwithstanding the need for use cases to comply with Union law or national law in compliance with Union law. Use cases that involve the processing of personal data must comply with Regulation (EU) 2016/679. Use cases that involve crypto assets should be compatible with all applicable financial rules for example with the Markets in Financial Instruments Directive23 , the Payment Services Directive24 and the future Markets in Crypto Assets Regulation25 . _________________ 23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU Text with EEA relevance, OJ L 173, 12.6.2014, p. 349– 496. 24 Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ L 337, 23.12.2015, p. 35– 127. 25 Proposal for a Regulation of the European Parliament and of the Council on Markets in Crypto-assets, and amending Directive (EU) 2019/1937, COM/2020/593 final.

2022/06/13
Committee: LIBE

Proposal for a regulation
Recital 35 a (new)

(35 a) The recording of personal data in public and append-only data structures, such as permissionless distributed ledgers should not be considered to comply with the requirements of Union legislation for the protection of personal data. Due to the immutable nature of such ledgers, anonymity of the data contained cannot be guaranteed either.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 1

Regulation (EU) No 910/2014
Article 1 point c

(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving and electronic attestation of attributes, the management of remote electronic signature and seal creation devices~~, and electronic ledgers~~;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point c

Regulation (EU) No 910/2014
Article 3 point 14

(14) ‘certificate for electronic signature’ means an electronic attestation ~~or set of attestations~~ which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person;;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point d

Regulation (EU) No 910/2014
Article 3 point 16 point f

~~(f) the recording of electronic data into an electronic ledger.;~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point g

Regulation (EU) No 910/2014
Article 3 point 29

(29) ‘'certificate for electronic seal’ means an electronic attestation or set of attestations that links electronic seal validation data to a legal person and confirms at least the name or the pseudonym of that person;;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 42

(42) ‘European Digital Identity Wallet’ is a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them toselectively to duly authorized relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 43

(43) ‘attribute’ is a representation of a feature, characteristic or quality of a natural or legal person or of an entity, in electronic form;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 45 a (new)

(45 a) ‘zero knowledge attestation’ means an anonymous electronic attestation;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 46

(46) ‘authentic source’ is a repository or system, held under the responsibility of a public sector body or private entity, that contains attributes about a natural or legal person and is ~~considered to be the primary source of that information or recognised~~ as authentic in national law;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 47

(47) ‘electronic archiving’ means ~~a service ensuring the receipt, storage, deletion and transmiss~~the storage, and deletion of electronic data or documents in order to guarantee their integrity, the accuracy of their origin and legal features throughout the conservation period;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 52

(52) ‘credential’ means a proof of a person’s ~~abilities, experience,~~ right or permission;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 53

(53) ‘electronic ledger’ means a tamper proof electronic record of data, providing authenticity and integrity of the data it contains, accuracy of their date and time, and of their chronological ordering;deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 3 – point i

Regulation (EU) No 910/2014
Article 3 point 55

~~(55) ‘unique identification’ means a process where person identification data or person identification means are matched with or linked to an existing account belonging to the same person.’;~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 4

Regulation (EU) No 910/2014
Article 5

P~~seudonyms in electronic transa~~ersonal data protection

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 4

Regulation (EU) No 910/2014
Article 5

1. Processing of personal data shall be carried out in accordance with Regulation 2016/679, as well as Regulation 2018/1725, and Directive 2002/58, where relevant. 1a. Provisions on the processing of personal data contained in this Regulation shall be understood as applying the provisions of the instruments in paragraph 1 to the particular measures of this Regulation. 1b. The interoperability framework in accordance with Article 12 shall enable and facilitate the implementation of the principle of privacy by design; 2. Without prejudice to the legal effect given to pseudonyms under national law, the use of pseudonyms ~~in electronic transactions shall not be prohibited.;~~ shall be enabled under this Regulation

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 4

Regulation (EU) No 910/2014
Article 5a (new)

the following Article 5a (new) is inserted: ‘Article 5a: Specific provisions to safeguard fundamental rights of natural persons' 1. The use of the European Identity Wallet shall not be made mandatory for natural persons. Where essential services are provided and access to those requires the use of the European Identity Wallet, easily accessible alternatives shall be offered by the service provider. 2. Electronic identification of natural persons shall only take place where required by national or Union law; where identification of natural persons is not required by national or union law, no personal identification data shall be disclosed. 3. Relying parties shall use only that data which is necessary for the function and which has a legal necessity. The European Digital Identity Wallets shall only provide minimal selective disclosure of data to relying parties.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 3 point b

(b a) make an informed decision about the sharing of personal information with relying parties. This includes identification of the relying party, the possibility for complete or partial refusal of information requests from relying parties, a full transaction history.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point a

(2 a) for relying parties to be uniquely identified and limited to request information based on their approval of a Member State in accordance with Article 6b(1);

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point a

(4 a) Proxies that act as intermediaries between relying parties and European Digital Identity Wallets shall not obtain knowledge about the contents of the transaction

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point b

(b) ensure that ~~trust service providers of~~ providers of qualified and non-qualified attestations of attributes ~~cannot~~are technologically prevented from receiveing any information about the use of these attributes;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point b

(b a) allow for zero knowledge attestations of attributes

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point b

(b b) ensure an appropriate level of privacy

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point d

(d) provide a mechanism to ensure that the relying party is able to authenticate the user ~~and~~or to receive electronic attestations of attributes; in the form of selective disclosures that are unlinkable to the user and minimise the processing of personal data.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 4 point e

~~(e) ensure that the person identification data referred to in Articles 12(4), point (d) uniquely and persistently represent the natural or legal person is associated with it.~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

(e a) Make it impossible for the issuer of the European Digital Identity Wallet or third-party services connected to them or the Member State to receive any information about the use of the European Digital Identity Wallet;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 6

6. The European Digital Identity Wallets shall be issued under a notified electronic identification scheme of level of assurance ‘high’. The use of the European Digital Identity Wallets shall be free of charge to natural persons. Access to government or other essential services, to the labour market and the freedom obtaining goods and services shall not be restricted or hindered for natural persons not using the European Digital Identity Wallet.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 7

7. The user shall be in full control of the European Digital Identity Wallet. The issuer of the European Digital Identity Wallet shall not collect information about the use of the wallet which are not necessary for the provision of the wallet services, nor shall it combine person identification data and any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by this issuer or from third-party services which are not necessary f and their data. The technical architecture shall make it impossible for the issuer of the European Digital Identity Wallet or third-party services connected to them or the Member State to collect or obtain information about the use of the wallet by the user. The exchange of information via the European Digital Identity Wallet shall not allow to providers of electronic attestation of attributes to track, link, correlate or othe ~~provision of the wallet services, unless the user has expressly requested it~~rwise obtain knowledge of transactions or user behaviour. Personal data relating to the provision of European Digital Identity Wallets shall be kept physically and logically separate from any other data held. If the European Digital Identity Wallet is provided by private parties in accordance to paragraph 1 (b) and (c), the provisions of article 45f paragraph 4 shall apply mutatis mutandis. The issuer of the European Digital Identity Wallet is the controller according to Regulation (EU) 2016/679 regarding the processing of personal data in the European Digital Identity Wallet.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6a paragraph 7

7 a. Where attestation of attributes does not require the identification of the user, only zero knowledge attestation shall be performed.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6b paragraph 1

1. Where relying parties intend to rely upon European Digital Identity Wallets issued in accordance with this Regulation, they shall ~~communicate it to~~request approval from the Member State where the relying part~~y is~~ies are established to ensure compliance of their intended use and the information they intend to request with requirements set out in Union law or national law for the provision of specific services. ~~When communicating their intention to rely on European Digital Identity wallets, they shall also inform about the intended use of the European Digital Identity Wallet.~~Member States shall scrutinize requested use cases of the European Digital Identity proportionate to the potential privacy implications of the data exchanged and the purpose of the processing of personal information, thereby distinguishing between: (a) anonymous use for selective disclosures; (b) pseudonym use for authentication; (c) unique identification use; (d) attribute attestation of special categories of personal data in accordance with Article 9 of Regulation (EU) 2016/679;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6b paragraph 2

2. Member States shall implement a common mechanism for the authentication ~~of relying parties~~and unique identification of relying parties. Member States may revoke the authorization of relying parties in case of illegal or fraudulent use of the European Digital Identity Wallet in their country.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 7

Regulation (EU) No 910/2014
Article 6b paragraph 3

3. Relying parties shall be responsible for communicating their unique identifier in every interaction with the European Digital Identity Wallet and carrying out the procedure for authenticating person identification data and electronic attestation of attributes originating from European Digital Identity Wallets.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 12

Regulation (EU) No 910/2014
Article 11

(12) the following Article 11a is inserted: ‘Article 11a Unique Identification 1. When notified electronic identification means and the European Digital Identity Wallets are used for authentication, Member States shall ensure unique identification. 2. Member States shall, for the purposes of this Regulation, include in the minimum set of person identification data referred to in Article 12.4.(d), a unique and persistent identifier in conformity with Union law, to identify the user upon their request in those cases where identification of the user is required by law. 3. Within 6 months of the entering into force of this Regulation, the Commission shall further specify the measures referred to in paragraph 1 and 2 by means of an implementing act on the implementation of the European Digital Identity Wallets as referred to in Article 6a(10).’deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point a

Regulation (EU) No 910/2014
Article 12

~~(a) in paragraph 3, points (c) and (d) are~~ deleted;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point b

Regulation (EU) No 910/2014
Article 12 paragraph 4 point d

(d) a reference to a ~~minimum~~ set of person identification data necessary to uniquely ~~and persistently~~ representing a natural or legal person;, which is available from electronic identification schemes;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 13 – point c

Regulation (EU) No 910/2014
Article 12 paragraph 6 point a

(a) the exchange of information, experience and good practice as regards electronic identification schemes and in particular technical requirements related to interoperability, ~~unique identification~~ and assurance levels;;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 16

Regulation (EU) No 910/2014
Article 12 b paragraph 2

2. Where private relying parties providing services are required by national or Union law, to use strong user authentication for online identification, or where strong user authentication is required by contractual obligation, including in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications, private relying partiesthey shall also accept the use of European Digital Identity Wallets issued in accordance with Article 6a.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 16

Regulation (EU) No 910/2014
Article 12

3Where very large online platforms as defined in Regulation [reference DSA Regulation] Article 25.1. require users to authenticate to access online services, they shall also accept the use of European Digital Identity Wallets issued in accordance with Article 6a strictly upon voluntary request of the user and in respect of the minimum attributes necessary for the specific online service for which authentication is requested, such as proof of age. Where very large online platforms 3. as defined in Regulation [reference DSA Regulation] Article 25.1. require users to authenticate to access online services, they shall also accept the use of European Digital Identity Wallets issued in accordance with Article 6a strictly upon voluntary request of the user and in respect of the minimum attributes necessary for the specific online service for which authentication is requested, such as proof of age. In this case, revocable pseudonyms can be generated and used in connection to an identifiable European Digital Identity Wallets. The combination of person identification data and any other personal data and identifiers linked to the European Digital Identity Wallets with personal or non- personal data from any other services which are not necessary for the provision of the authentication or use of core services, is prohibited unless the user has expressly requested it.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 20 – point a – point 2

Regulation (EU) No 910/2014
Article 17 paragraph 4 point f

(f) to cooperate with supervisory authorities established under Regulation (EU) 2016/679, in particular, by informing them without undue delay, about the results of audits of qualified trust service providers, where there is any reason to believe that personal data protection rules have been breached and about security breaches which are likely to constitute personal data breaches;; This shall be without prejudice to any further obligations stemming from GDPR.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 22 – point b

Regulation (EU) No 910/2014
Article 20 paragraph 2

~~Where personal~~Notwithstanding any further obligations on data controllers or processors resulting from Regulation 2016/679, where there is any reason to believe that data protection rules ~~appear to~~could have been breached, the supervisory body shall inform the supervisory authorities under Regulation (EU) 2016/679 of the results of its audits.;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 25 – point c – point 2

(fb) Notwithstanding any obligations on data controllers or processors resulting from Regulation 2016/679, notify the supervisory body and, where applicable, other relevant bodies of any linked breaches or disruptions in the implementation of the measures referred to in paragraph (fa), points (i), (ii) and, (iii) that has a ~~significant~~n impact on the trust service provided or on the personal data maintained therein.;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 38

Regulation (EU) No 910/2014
Article 45

(38) Article 45 is replaced by the following: ‘Article 45 Requirements for qualified certificates for website authentication 1. Qualified certificates for website authentication shall meet the requirements laid down in Annex IV. Qualified certificates for website authentication shall be deemed compliant with the requirements laid down in Annex IV where they meet the standards referred to in paragraph 3. 2. Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services. 3. Within 12 months of the entering into force of this Regulation, the Commission shall, by means of implementing acts, provide the specifications and reference numbers of standards for qualified certificates for website authentication referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).;’deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45a paragraph 1

1. An electronic attestation of attributes shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements for qualified electronic attestations of attributes.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45a paragraph 3a (new)

3 a. Lawfully issued attestations in paper form shall be accepted by relying parties as an alternative to electronic attestation of attributes.

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Section 11

~~SECTION 11~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Section 11

~~ELECTRONIC LEDGERS~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45h

~~Article 45h~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45h

~~Legal effects of electronic ledgers~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45h

1. An electronic ledger shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic ledgers.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45h

2. A qualified electronic ledger shall enjoy the presumption of the uniqueness and authenticity of the data it contains, of the accuracy of their date and time, and of their sequential chronological ordering within the ledger.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45i

~~Article 45i~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45i

~~Requirements for qualified electronic ledgers~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45i

1. Qualified electronic ledgers shall meet the following requirements: (a) they are created by one or more qualified trust service provider or providers; (b) they ensure the uniqueness, authenticity and correct sequencing of data entries recorded in the ledger; (c) they ensure the correct sequential chronological ordering of data in the ledger and the accuracy of the date and time of the data entry; (d) they record data in such a way that any subsequent change to the data is immediately detectable.deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45i

~~2. Compliance with the requirements laid down in paragraph 1 shall be presumed where an electronic ledger meets the standards referred to in paragraph 3.~~deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 39

Regulation (EU) No 910/2014
Article 45i

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the processes of execution and registration of a set of data into, and the creation, of a qualified electronic ledger. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).;deleted

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 40

Regulation (EU) No 910/2014
Article 48 a paragraph 2 point b

(b) the type and number of services accepting the use of the European Digital Wallet; including the number of rejected applications including their reasoning;

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 40

Regulation (EU) No 910/2014
Article 48 a paragraph 2 point ba (new)

(b a) the type and number of security incidents, suspected data breaches and affected users

2022/06/13
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1 – point 40

Regulation (EU) No 910/2014
Article 48 a paragraph 2 point bb (new)

(b b) the number of user complaints and suspected consumer protection or data protection incidents relating to relying parties

2022/06/13
Committee: LIBE