The E-ID Act from a data protection perspective

01 Feb 2021

On 7 March, the E-ID Act will be put to the vote in Switzerland. Especially in the area of data protection, opponents and supporters disagree on the extent to which the introduction of the law would cause problems.  

As technology advances, the range of digital services is steadily increasing, both in the public and private sectors. The key issue here is to be able to reliably identify the counterparty in a digital process, as is physically possible today with an ID card. Some Swiss cantons and other countries have already introduced their own system with which people can reliably identify themselves digitally (Estonia, canton of Schaffhausen etc). However, the introduction of a nationwide E-ID Act has attracted a lot of criticism, since non-physical identity verification inevitably entails various data protection issues and E-IDs are expected to be handed out by private companies.

Data protection security measures

Regarding data protection standards in the E-ID Act, one thing is particularly important to note: although the E-ID Act forms a legally independent bill, the Swiss Federal Act on Data Protection (FADP) is fully applicable to the entire process, from the issuance to the deletion of the E-ID. This circumstance is also clearly regulated in the E-ID Act itself, since the purpose-defining article of the FADP – ensuring ‘the protection of the personality and fundamental rights of persons about whom data are processed’ – is adopted one-to-one. In addition to these generally applicable provisions of the FADP, there are various ‘hard rules’ in connection with data protection which are specifically anchored in the E-ID Act.

For example, the E-ID Act provides for consent obligations so that the owners must give their explicit consent to the transmission of personal identification data. Moreover, the ‘identity providers’ (i.e. private companies that issue the E-IDs, IdPs) may only process personal identification data transmitted by the Federal Office of Police (FEDPOL) until the E-ID is revoked – and this exclusively for identification purposes in accordance with the law. The use of the personal data for other purposes should therefore be prohibited. In addition, the regulations stipulate that the personal identification data and the usage data of the individual users must be separated both physically and organisationally. As a result, risks of third-party access should be minimised. Last but not least, an identity provider must also guarantee that its own E-ID system meets the requirements laid down and thus take technical and organisational measures to guarantee the general security of the data.

Besides these regulations, there are further safeguards such as an obligation to process and store data in Switzerland, the implementation of a new supervisory authority (called EIDCOM) and various responsibilities such as reporting duties, deletion requirements and information obligations. Consequently, it is easy to see that the E-ID Act has adopted various data protection standards from the FADP – some of which go even further – in order to ensure data protection.

Criticism from a data protection perspective

However, the above-mentioned regulations are not enough to dispel all doubts. On the contrary, despite the implementation of the aforementioned data protection standards, there are multiple points of criticism from a data protection perspective, too.

For example, it is argued that the possibility of an E-ID could lead to more and more online services being accessible exclusively with an E-ID, even though an E-ID would not be absolutely necessary for access. As a consequence, such a development would then practically force people to apply for an E-ID, although they may not want to do so. There is also criticism that the issuing of E-IDs will be carried out by private identity providers because, according to the lawʼs opponents, private companies are harder to control than state authorities – and violations of data protection rules are frequently committed by them. Furthermore, there are doubts whether the supervisory authority EIDCOM would have enough power and the right instruments to control the IdPs effectively.

Moreover, the identity providers have to collaborate with the FEDPOL, which entails storage processes and a regular exchange of information between the FEDPOL and the identity providers in the future. The interfaces created within the framework of this information exchange could thereby create new potential for data protection violations.

In addition, according to the law, the FEDPOL has to govern an information system containing the relevant personal data for the whole process of issuing the E-ID. This central information system itself is also criticised because it brings together data from different sources and could present an opportunity for abuse.

The FDPICʼs role and view

As there are multiple regulations for a safe data protection regime for the E-ID, but also various worries concerning the actual implementation and handling of the new rules, the question of whether the E-ID Act actually guarantees data protection is absolutely relevant.

However, it seems difficult to answer this question. For example, the Federal Data Protection and Information Commissioner (FDPIC), who was involved in the legislative process and must (if the E-ID Act is adopted) also be consulted when new identity providers are approved, comments as follows: “The way the law is now before parliament, the E-ID can be implemented in line with data protection. But I am not naive. Of course, there are risks […].” Probably this statement sums up the dilemma quite well.

Implications

The E-ID Act brings with it many new developments. As a consequence, the decision whether private companies should provide official documents must be taken. In addition, the new technical possibilities challenge our established data protection standards. However, it seems uncertain whether there are better solutions. It thus remains interesting to see whether the law will be adopted or rejected and to what extent the standards guaranteed under the E-ID Act can be effectively enforced in the event of adoption. 

Contact us

Philipp Rosenauer

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel: +41 58 792 18 56