In its spring session, the National Council endorsed the Draft Federal Act on Electronic Identification Services (D-FAEIS) on 20 March 2019, and thus took an important step towards a state-recognised electronic identity in Switzerland.
In a nutshell:
- The Draft Federal Act on Electronic Identification Services creates the legal basis for a state-recognised, electronic identity and enables natural persons to identify themselves securely and easily in electronic transactions with companies and authorities.
- In contrast to physical identity, the E-ID Act assumes a collaboration between the state and the private sector for the provision of electronic identity. The state continues to play a pivotal role and remains responsible for verifying and confirming the identity of a person. The development and issuance of electronic means of identification, however, will be undertaken by state-recognised and supervised private enterprises known as Identity Providers (IdPs).
- Data security is a key concern when it comes to electronic identity. A distinction is made between three security levels: high, substantial and low. The security levels differ primarily in the number of attributes and the technical and operational requirements for registration and authentication.
- The D-FAEIS has been designed to be compatible with existing international regulations and to allow notification under the eIDAS regulation. In view of the high level of business and social interdependence with most EU Member States, it can be assumed that there is a fundamental Swiss interest in being integrated into the European system for the sake of international interoperability of the E-ID in the future.
- Access to the E-ID should be made easier by making it possible to apply for an E-ID not only at fedpol but also at every passport office. Identity Providers that already operate a physical branch network (e.g. banks) can also offer support for the physical application for the E-ID.
- Data protection is of paramount importance for electronic identity. In certain areas, the Draft Federal Act on Electronic Identification Services goes beyond the level of data protection under the current Swiss Federal Act on Data Protection (FADP). With the expected total revision of the FADP, major implications for the E-ID can be expected going forward. More information at: D-FADP – Revision of the Swiss Federal Act on Data Protection.
- Further important aspects around the application and implementation of E-ID remain open and will be regulated in the respective ordinance. The Federal Council therefore has a major responsibility in terms of implementing the ordinances. First, however, the submission is to be dealt with by the Legal Commission of the Council of States and then by the small chamber itself. The bill is not expected to enter into force until 2020/2021 at the earliest, unless a referendum is held.
What does the introduction of an electronic identity mean for your company?
The main requirements regarding the E-ID are set out in the Draft Federal Act on Electronic Identification Services, but there are other requirements that need to be met. In addition to the legal questions, the introduction of an electronic identity into a company's business activities has a far-reaching transformational impact at different levels:
- What role does my company play in the E-ID ecosystem? How do I position my company and with whom do I enter into which (contractual) relationships?
- How does electronic identity change my product distribution and pricing strategy?
- What effects does electronic identity have on my on-boarding and authentication processes and what cost savings can be realised?
- What adjustments are necessary in my technology stack?
More Information on the E-ID and the debate in the National Council
The necessity of a state-recognised electronic identity is undisputed
In view of the steadily increasing number of digitally processed transactions, the need for an electronic identity was largely undisputed in the National Council. The field of application is broad and ranges from e-commerce and opening a bank account to the use of government services such as obtaining a criminal record.
The Draft Federal Act on Electronic Identification Services now creates the legal basis for a state-recognised electronic identity and enables natural persons to identify themselves securely and easily in electronic business transactions with companies and authorities. The bill regulates the entire life-cycle of electronic means of identification from issuance to revocation and defines the rights and obligations of the various actors in the ecosystem of an electronic identity.
The cardinal question in the E-ID Ecosystem is the role of the State
The basic thrust of the Draft Federal Act on Electronic Identification Services, with a division of roles between the state and the private sector, was the subject of controversy in the National Council's entry debate. The issuance of physical means of identification such as the Swiss passport, ID or foreign national identity card is an exclusive task of the Confederation. In the case of the E-ID, the Draft Federal Act on Electronic Identification Services assumes cooperation between the state and the private sector.
The state continues to play a pivotal role and is responsible for the official verification and confirmation of a person's identity. An identity is to be verified by a newly created identity office at fedpol based on data from existing government information systems. Unlike in physical space, electronic means of identification are to be developed and issued by state-recognised and supervised private companies, so-called IdPs.
A minority voted in favour of sending the bill back to the Federal Council with the mandate to draw up a new bill in which the issuance of an E-ID is stipulated as a public task that can be transferred to private companies by means of a concession process. The majority of the large chamber, however, was in favour of cooperation between the state and the private sector and rejected the minority's proposal by 131 votes to 53 with two abstentions. The combination of confidence-building state recognition and private-sector dynamism is intended to enable a secure and user-friendly solution to be reached and thus ensure the success of the E-ID.
Access to the E-ID is to be facilitated
In the detailed debate on the Draft Federal Act on Electronic Identification Services, the National Council advocated for easier access to the E-ID and supported two minority proposals. According to Art. 6 para. 1 D-FAEIS, an E-ID is issued at the request of the user to fedpol via the Identity Provider. In addition, it should now also be possible to apply for the E-ID at the passport office in order to facilitate access to the E-ID system for technically less experienced users. It should be noted here that it is in principle also possible for an Identity Provider to support the physical application of the E-ID. In particular, for identity providers such as banks that already operate a physical branch network, this could accelerate the dissemination of electronic identity. People with disabilities should not be disadvantaged when applying for an E-ID. A corresponding minority proposal was also supported by the Federal Council and accepted by the National Council.
Three different security levels are envisaged
The draft E-ID Act distinguishes between the security levels high, substantial and low, since not all business processes have identical security requirements. A simple ticket purchase for public transport does not require the same level of security as opening a bank account or e-voting. Unnecessarily strict security requirements can be perceived as a burden by users and jeopardise the dissemination of the E-ID. The security levels differ primarily in the number of attributes, the frequency with which attributes are updated and the technical and operational requirements for registration and authentication. The higher the security level, the more sensitive the applications for which the E-ID can be used.
Data protection is of paramount importance for electronic identity
When an electronic identity is issued and used, sensitive and personal data is processed. Data protection and data security are therefore afforded the highest priority in the National Council. This is also reflected in the Federal Council's draft. In certain areas, the Federal Act on Electronic Identification Services even goes beyond the current level of protection of the Swiss Data Protection Act. For example, the Identity Provider may only pass on the personal identification data to so-called Relying Parties (e.g. online mail-order shop) for which the Identity Owner has consented. Protocol data resulting from the usage of the E-ID must be deleted by the Identity Provider after six months. A minority request for immediate deletion was rejected for reasons of traceability. In addition, personal identification data, usage data and other data must be kept segregated. The Swiss Data Protection Act is also currently undergoing a total revision, which could have important implications for the E-ID when it comes into force.
More Information at: D-FADP – Revision of the Swiss Federal Act on Data Protection
The Federal Council has great responsibility in the implementation
The current draft of the E-ID Act contains an unusually high number of delegation norms. Important aspects such as the procedure for verifying identity documents (Article 3 (2), D-FAEIS) or the technical and organisational requirements for the recognition of identity providers (Article 13 (4), D-FAEIS) and security levels (Article 13 (4), D-FAEIS) are to be regulated at ordinance level. In principle, this is appropriate in view of the dynamic environment and the high technical complexity in many areas. However, the Federal Council thus has a great responsibility to take into account the various concerns of all parties involved in the implementation of the ordinance. In this context, the Federal Council has also announced that it will open a consultation procedure for the ordinances.
How PwC Switzerland can support your business
Our PwC experts can help you fully exploit the potential of electronic identity while complying with all relevant regulations:
- Assessment and analysis of the need for action
- Development of an action plan
- Implementation of the transformation
- Implementation of compliance measures
Further information on the Draft Federal Act on Electronic Identification Services can be found in our previous (German) newsletter.