How Latin America and the Caribbean Can Leverage the New European Identity and Data Market For Their Benefit
Introduction
The COVID-19 pandemic was a catalyst, expediting digital transformation initiatives in both public and private sectors worldwide. This unprecedented situation propelled the emergence of cutting-edge digital services with a strong emphasis on enhancing security, efficiency, and reliability in electronic interactions. It also drove the facilitation of real-time verifiable data and asset transfers domestically and across borders.
Concurrently, legislators and regulators in various regions have been formulating novel legal and regulatory frameworks to facilitate the widespread adoption of digital identification, digital signatures, and digital assets. Particularly in the European Union, there has been a lot of activity to enable a new techno-legal framework for the next generation of digital interactions.
On the asset side, the Markets in Crypto-Assets (MiCA)¹ Regulation entered into force in June 2023 to regulate the crypto-asset ecosystem, including digital asset issuers and service providers. In relation to data, identity, and credentials, the European Commission enacted the Electronic Identification and Trust Services for Electronic Transactions (eIDAS2) Regulation² which, together with the European Digital Identity (EUDI)³ Architecture and Reference Framework⁴, will enable a new user-centric data market where EU citizens can manage their digital identity and data using a digital identity wallet⁵.
Unlike Europe, the Latin America and the Caribbean (“LAC”) region lacks a unifying organization to establish common standards and regulations relating to digital interactions. This has limited cross-border verifiability of digital identities and credentials related to education, health, travel, and trade, among other areas. It has also hindered the development of solutions for easier, faster, and less expensive cross-border digital transactions. However, eIDAS2 could be integrated in part or whole into the legal frameworks of the LAC countries, on a country-by-country basis, to address domestic needs and enable digital interoperability within LAC, and between LAC countries and Europe.
Europe’s Digital Identity Framework
For many years, the European Commission has sought to develop a robust digital ecosystem, positioning the EU as the global digital leader. The crux of this vision has been the European Digital Identity (“eID”) framework — a sustainable regulatory scheme that enables secure, confidential, and seamless digital interactions⁶. The eID framework ensures the mutual recognition of national electronic identification schemes across Member States, allowing EU citizens to identify and authenticate themselves online with an electronic identity card⁷.
In 2000, the EU enacted the Electronic Signature Directive (“Directive”)⁸. The Directive authorized a new digital form for doing business using electronically generated signatures. Before then, only hand-written signatures were legally valid in the European Union. The Directive laid the building blocks for a digital Pan-European ecosystem.
Six years later the European Union repealed and replaced the Directive with the Electronic Identification, Authentication and Trust Services (“eIDAS”) Regulation⁹. Unlike the Directive, the Regulation directly applied to the Member States, making the eIDAS Regulation mandatory for all Member States.
The eIDAS Regulation enabled individuals to securely access public services and carry out transactions online and across borders in the EU. Specifically, it authorized:
- Harmonization of electronic signatures across the EU;
- Electronic seals (which are like electronic signatures, but for business entities);
- Electronic registered delivery services;
- Qualified trust services for issuing and verifying digital identity credentials;
- Certificate services for website authentication; and
- National Trusted Lists which compile the private and public trust service providers in each Member State¹⁰.
The eIDAS Regulation had twin objectives: to enable the cross-border recognition of government-issued digital identification for accessing public services, and to establish a single market for trust services, to ensure that digital credentials have the same legal effect as traditional verification methods across the EU¹¹.
The Next Generation of eIDAS
A few years later, the European Commission noticed a shift in the way people were thinking about and using digital credentials, noting that people no longer wanted to use “rigid digital identities” (such as national identification cards) but instead preferred to rely on “specific attributes related to those identities” (such as professional or educational credentials or health records) which was not addressed by eIDAS. The European Commission also noted an increased demand for identity solutions that allow users to maintain control over their own personal data (which also was not addressed by eIDAS). So, the European Council requested that the European Commission propose a more flexible techno/legal framework for digital identification and authentication to give individuals more control over their credentials.
eIDAS2 and the Introduction of a Digital Identification Wallet
In line with the European Council’s request, the European Commission adopted a Recommendation requesting that Member States develop a toolbox to provide a technical architecture and reference framework for a European Digital Identity Wallet (“EUDI Wallet”) concept. This recommendation was accomplished in short order¹². According to the EUDI Architecture and Reference Framework, the EUDI Wallets will link users’ national digital identities to other personal attributes, including certifications, and credentials, such as driving licenses, professional licenses, diplomas, and bank accounts, among many other things. It will also allow users to share electronic documents with third parties.
Using an EUDI wallet, it is expected that EU citizens will be able to:
- Register for an online service, such as purchasing a plane ticket or requesting a birth certificate;
- Order medical documents;
- Open a bank account;
- File tax returns;
- Prove their age;
- Rent a car; and
- Check into a hotel..
In June 2023, the Council presidency and European Parliament representatives agreed on core elements for a new European Digital Identity (eID) regulatory framework to revise the eIDAS Regulation (“eIDAS2”)¹³.
Under eIDAS2, Member States are responsible for offering digital wallets and/or licensing issuers of digital wallets. Further, the electronic identification systems in the digital identity wallets will be offered with a “high” assurance level. Assurance levels characterize the degree of trust or confidence one has in the electronic identification offered to demonstrate that the person is who they say they are. Digital transactions sent with a “high” level of assurance are the most trustworthy.
Moreover, eIDAS2 expands the scope of trust services offered by qualified trust service providers (QTSP) to include:
- Electronic archiving;
- Electronic attestation of attributes;
- Seal creation devices; and
- Electronic ledgers.
Under eIDAS2, citizens will use their digital identity wallets to access services online, share digital documents, and prove a specific personal attribute, such as age, without revealing other personal details¹⁴. Importantly, eIDAS2 mandates that private parties and public sector actors meeting certain criteria accept qualified credentials from the EUDI Wallets.
Get Blerify Inc.’s stories in your inbox
Join Medium for free to get updates from this writer.Subscribe
Remember me for faster sign in
The eIDAS2 Regulation was enacted in February 2024.
LAC’s Digital Landscape
Similar to the EU, several countries in Latin America and the Caribbean (LAC) have enacted laws and regulations pertaining to digital identification, electronic-signatures, and digital signature certificates, the pillars of any digital identity ecosystem. Most LAC countries also regulate trust service providers which offer authentication services for verifying digital identification credentials. These service providers offer a critical piece of the verification and issuance infrastructure for digital identities and credentials that engenders trust in digital interactions.
However, there are two critical roadblocks in the region. First, there is no regional organization with the mandate to establish common regulatory frameworks for digital interactions. Second, the longstanding requirements in LAC pertaining to the use of public deeds, notaries, and ink signatures for certain processes present limitations for the region’s transformation to a seamless and inclusive digital ecosystem¹⁵.
There is an opportunity in LAC to leverage the new European techno-legal framework to address these two hurdles. Ideally, using eIDAS2 as a guide, regional LAC legislation could be developed collaboratively by representatives of different governments and become a treaty of sorts, binding the countries to each other to ensure mutual recognition and non-repudiation of digital credentials, and taking steps to develop a singular digital LAC market for trust services. Realistically, however, this type of collaboration is not likely to occur, at least not in the short term¹⁶.
However, until a LAC consortia for this purpose can be formed, there are other alternatives worth exploring, such as the possibility of LAC countries participating in the EU’s digital ecosystem and trust marketplace independently¹⁷. In particular, they could seek to have their local trust service providers recognized by the EU as legally equivalent to EU-based qualified trust service providers, and vice versa (have the EU service providers recognized in the participating LAC countries)¹⁸. By doing so, LAC countries would agree to mutual recognition and non-repudiation of attestations provided by trust service providers certified bilaterally under the European framework in the EU and LAC.
The more countries that establish a partnership with the EU, the stronger the regulatory infrastructure would become for digital interactions between the governments of LAC and the EU, and within LAC itself. Further, as more LAC countries adopted the eIDAS2 regime, the LAC market would become stronger with digital interactions between the citizens of all the participating countries using digital identity wallets to transact business across borders.
But, even if individual countries in LAC were not inclined to join the EU marketplace, they could still adopt core pieces of the eIDAS2 Regulation, namely those that mandate the issuance of digital identity wallets and require private and that public actors to accept digital credentials which have been verified by a trust service provider, and include:
- Criteria for a comprehensive digital identification scheme;
- Standards for the development of digital identity wallets through which digital credentials, and other data would be transmitted between and among members of the public and government actors; and
- Requirements for trust services to issue and verify identity and other credentials.
Conclusion
The digital transformation is underway, but it is still in its infancy. It will require innovative and comprehensive regulations to ensure digital interactions are secure, seamless, and inclusive. The European Union is a first mover in the development of digital identity regulations and the use of a digital identity wallet for the provision of services in the private and public sectors. LAC countries should build on the work already done by lawmakers and regulators in the EU, to safely expand and fortify their domestic digital ecosystems and grow a strong and secure digital network across LAC and internationally.
ENDNOTES & FOOTNOTES
2 https://www.europarl.europa.eu/legislative-train/spotlight-JD22/file-eid
6 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31999L0093
8 Directive 1999/93/EC, of the European Parliament and of the Council of 13 December 1999 on a Community Framework for Electronic Signatures, 2000 O.J. (L 13) 12.
9 Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC, 2014 O.J. (L 257) 73 [hereinafter eIDAS]. The European Union uses the acronym eIDAS whereby “e” stands for electronic, “ID” for identification, “A” for authentication, and “S” for trust services. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
10 https://digital-strategy.ec.europa.eu/en/policies/egovernment
11 https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
12 EU Digital Identity Wallet Process, https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-toolbox; https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2663
15 See e., g., Thomson Reuters Practical law. https://Mexico.practicallaw.thomsonreuters.com/w-012-0309?contextData=(sc.Default)&transitionType=Default&firstPage=true
16 See discussion of Latin American and Its Multilateral Arrangements. https://www.yalejournal.org/publications/history-remains-latin-america-and-its-multilateral-arrangements
17 See Article 14 of eIDAS2, setting forth the provisions related to international participation by qualified trust service providers.
18 This would entail the individual country’s obtaining an EU implementing decision or entering into an agreement with the European Union.
