Legal Aspects

Electronic Identity

Part of the book series: SpringerBriefs in Cybersecurity (BRIEFSCYBER)

Abstract

This chapter examines the core legal and regulatory issues regarding electronic identity (eID) in the European Union. It is structured into five sections. Section 1.2 explains the terminology employed in the field of eID, defining the main concepts and terms of eID and electronic identity management systems (IDMs). Section 1.3 describes the rising socioeconomic relevance of eID, emphasizing its role as a key enabler of economic growth. More specifically, this section assesses the importance of eID for citizens, governments, and business. Section 1.4 examines how eID is currently regulated in Europe, focusing on Directive 1999/93/EC on electronic signatures (eSig directive). Within this analysis, the chapter explains the Directive’s current shortcomings and the reasons for the unsuccessful uptake of electronic signatures in the EU. Section 1.5 provides a succinct analysis of the revision process of the eSig directive, which is currently in progress. The chapter outlines the main elements and novelties of the recently proposed Regulation on electronic identification and trust services for electronic transactions in the internal market. This section notes how the scope of the existing eSig directive will be considerably expanded, describing the establishment of a mutual recognition of notified electronic identification schemes and electronic trust services in the EU. Section 1.6 looks at the main and common objective behind eID regulatory initiatives and projects developed in the EU: the creation of a pan-European eID legal framework. In this context, it elaborates on the obstacles that are hindering the establishment of such a scheme.
As a way to overcome these obstacles and move forward, the chapter proposes a conceptual framework of principles that could form the basis of a future EU legal framework for the protection and management of digital identities: the principles of user-centricity, anonymity, and pseudonymity, as well as the principles of multiple identities, identity portability, unlinkability and negotiation, among others.

The views expressed in this chapter are purely those of the author and may not in any circumstances be regarded as stating an official position of the European Commission.

Notes

  1.

    Specifically, we will focus on issues relevant to the management of human digital identities. Issues surrounding the online identities of objects (namely through RFID tags) and other nonhuman entities fall outside the focus of this chapter, though they are increasingly important.

  2.

    Proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market COM (2012) 238.

  3.

    The term “identity” is quite difficult to define. James Fearon notes 14 different definitions. See Fearon (1999). On identity as sense of self, see Hildebrandt (2008). For our purposes, we will define identity as “sameness”—recognition that an individual “identified” at one point is the same as the person identified later. On this epistemological meaning of identity, see Davis (2009).

  4.

    OECD (2009), p. 6.

  5.

    “Biometrics are measurable biological and behavioural characteristics and can be used for strong online authentication. A number of types of biometrics can be digitised and used for automated recognition. Subject to technical, legal and other considerations, biometrics that might be suitable for IdM use include fingerprinting, facial recognition, voice recognition, finger and palm veins” OECD (2009), p. 7.

  6.

    A PKI (public key infrastructure) is the most common technical manifestation of this process in eID. PKI uses a pair of matched “keys”: a public key used for signing an electronic document, and a private key linked to a certificate that the receiver uses to validate the signature. In this way, PKI can be used to detect if a document has been modified without authorization after it has been sent. In addition, eIDs “may be stored on smart cards or other devices but may also be received from a central authority during an authentication process” Leenes et al. (2008), p. 16.

  7.

    This section relies upon a glossary of terms provided by various studies and projects, such as the FIDIS project, the MODINIS, PRIMELIFE, STORK, and specific contributions like Pfitzmann and Hansen (2010).

  8.

    This distinction between full and partial conveys an alternative nuance to Pfitzmann and Hansen’s understanding: “A partial identity is a subset of attribute values of a complete identity, where a complete identity is the union of all attribute values of all identities of this person”, in ibid., p. 31. For Pfitzmann and Hansen, partial identities may encompass attributes through which a person can be identified. The present definition holds that partial identities cover attributes that do not necessarily identify somebody, whereas those attributes that do identify somebody fall under the purview of full identity. The difference is identifiability: a distinction between information that relates to an identified or identifiable person, and that which does not.

  9.

    Graux et al. (2009), p. 113. Though numbers (such as national register numbers, VAT numbers, certificate numbers, etc.) are the most common (and, in fact, the default) form of unique identifier, “any sufficiently unique set of attributes pertaining to a specific entity can serve the exact same purpose” ibid., p. 113.

  10.

    Leenes et al. (2008), p. 8.

  11.

    Ibid., p. 1.

  12.

    Myhr (2008), p. 77.

  13.

    Graux et al. (2009), p. 113.

  14.

    Ibid., p. 113. Partial authentication enables people to maintain multiple identities, a practice which will be advocated below.

  15.

    Ibid., p. 113.

  16.

    OECD (2007), p. 12.

  17.

    OECD (2009), p. 6.

  18.

    Leenes et al. (2009), pp. 25–26.

  19.

    Myhr (2008), p. 77.

  20.

    Ibid., p. 77.

  21.

    Leenes et al. (2009), p. 15. Stork cites examples of interoperable eID as those cases “when a citizen of country X can use the electronic identity and authentication scheme of his or her home country for a license application, or when a student from country Y can register for a scholarship in country X with her home authentication scheme, without a need to register herself in country Y.” Ibid., p. 16.

  22.

    Many EU Member States have in recent times deployed large-scale eID projects (such as Germany; see Graux et al. (2009), p. 120), many of which are presently underway.

  23.

    European Commission (2010b), p. 11. This strategic document envisages, moreover, specific and concrete actions in the field of eID. This is the case of Key Action 16, according to which the Commission will “[p]ropose by 2012 a Council and Parliament Decision to ensure mutual recognition of e-identification and e-authentication across the EU based on online ‘authentication services’ to be offered in all Member States (which may use the most appropriate official citizen documents—issued by the public or the private sector).” This Key Action has been pursued through the proposal of a Regulation on electronic identification and trust services for electronic transactions in the internal market, COM (2012) 238.

  24.

    Myhr (2008), p. 77.

  25.

    Leenes et al. (2009), p. 22.

  26.

    Ibid.

  27.

    European Commission (2010d).

  28.

    European Commission (2010c).

  29.

    Such as the Manchester Ministerial Declaration (2005) and the Lisbon Ministerial Declaration (2007).

  30.

    Such as the Communication from the European Commission (2010e).

  31.

    Namely the following studies: European Commission (2005), European Commission (2007).

  32.

    Such as the Stockholm Programme, which lays out the EU frameworks for policing and customs enforcement, rescue services, criminal and civil law cooperation, asylum, migration, and visa policy for the period 2010–2014.

  33.

    http://petweb2.projects.nislab.no/index.php/Main_Page

  34.

    http://www.vaestorekisterikeskus.fi/vrk/fineid/home.nsf/pages/6F4EF70B48806C41C225708B004A2BE5

  35.

    This is the case of the Directive on Services in the Internal Market (2006/123/EC), Article 8 of which demonstrates the need for interoperable eID: “[…] all procedures and formalities relating to access to a service activity and to the exercise thereof may be easily completed, at a distance and by electronic means […].”

  36.

    Fearon (1999).

  37.

    Davis (2009), p. 220. The process of issuing identification credentials is governed by a variety of laws and regulations that fall outside the scope of our present discussion. For a thorough philosophical analysis of the process of verifying identity with passports, see Davis (2009) pp. 219–220.

  38.

    On Social Security Cards, see Davis (2009), pp. 223–224.

  39.

    Ibid, p. 222.

  40.

    Ibid, pp. 221–22.

  41.

    Ibid, p. 222.

  42.

    See Voter Identification Requirements, Nat’l Conference of State Legislators (June 27, 2013) http://www.ncsl.org/legislatures-elections/elections/voter-id.aspx for a list of voting ID requirements. For example, many states accept utility bills with the voter’s name and address as suitable identification for voter registration (see Alabama, Alaska, and others). Ibid. Arizona voters can identify themselves with car insurance cards. Florida accepts credit and debit cards at the polls. Ibid.

  43.

    Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

  44.

    See Directive 1999/93/EC, art. 5.

  45.

    Dumortier et al. (2003), pp. 4–8.

  46.

    European Commission (2006).

  47.

    For a discussion of the high percentage of smartcard usage, see Dumortier et al. (2003).

  48.

    European Commission (2006), p. 6.

  49.

    Ibid.

  50.

    Directive 1999/93/EC, supra note 42, art. 5, at 15.

  51.

    See Directive 1999/93/EC, pp. 19–20, at 13.

  52.

    Ibid. art. 2(1), at 14.

  53.

    Directive 1999/93/EC, art. 2(2), at 14.

  54.

    Ibid.

  55.

    Directive 1999/93/EC, art. 4, at 15.

  56.

    Commission Report on the Operation of Directive 1999/93/EC, Sect. 3.3.2, at 7.

  57.

    Directive 1999/93/EC, p. 5, at 12.

  58.

    Ibid. art. 6, at 15–16.

  59.

    Ibid.

  60.

    Ibid. arts. 6(3)–6(4), at 16.

  61.

    Ibid. art. 6(5), at 16.

  62.

    Ibid. at 4.

  63.

    Commission Report, 3.3.2.

  64.

    Commission Report on the Operation of Directive 1999/93/EC, Sect. 3.3.2, at 7–8; Legal and Market Aspects, Sect. 1.2.1, at 4–8.

  65.

    Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 Coordinating the Procurement Procedures of Entities Operating in the Water, Energy, Transport and Postal Services Sectors, 2004 O.J. (L 134) 1; see also Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the Coordination of Procedures for the Award of Public Works Contracts, Public Supply Contracts and Public Service Contracts, 2004 O.J. (L 134) 114.

  66.

    For a similar argument, see Legal and Market Aspects, Sect. 4.3, at 134.

  67.

    Commission Report on the Operation of Directive 1999/93/EC, Sect. 3.3.2, at 7–8.

  68.

    One might speculate about other reasons too. For instance, governments’ insistence on maintaining backdoor access to many of these systems discouraged users from enrolling. See Froomkin (2011), p. 37.

  69.

    Graux et al. (2009), p. 118.

  70.

    Graux et al. (2009), pp. 108–109. As stated in this report: “This is an issue which is not resolved by the Directive, which assumes a prior resolution of the identity question without offering specific guidance”.

  71.

    Proposal for a Regulation on electronic identification and trust services for electronic transactions in the internal market COM (2012) 238.

  72.

    Andrade (2012b).

  73.

    The proposal is currently going through the ordinary legislative procedure for its adoption by co-decision of the European Parliament and the Council.

  74.

    The draft Regulation clarifies this point: “The Regulation does not oblige Member States to introduce or notify electronic identification schemes.” Paragraph 2 of Article 4 clarifies that the mutual recognition and acceptance principle applies only to those Member States that have notified their eID schemes.

  75.

    Article 5—Mutual recognition and acceptance: “When an electronic identification is required under national legislation or administrative practice to access a service online, an electronic identification mean issued in another Member State which is included in the list published by the Commission pursuant to the procedure referred to in Article 34 shall be recognised and accepted to access this service.”

  76.

    These mainly address eGovernment, eJustice, eHealth, and other public services applications.

  77.

    Studies and research initiatives led by the Porvoo e-ID Group, Stork, MODINIS, and the IDABC program are exemplary cases, as are studies like those prepared by the eGovernment subgroup of the eEurope Advisory Group. European Commission (2005), p. 6.

  78.

    We will not delve into the finer details of the legal gaps in European eID regulation law by law or directive by directive. If one were to conduct such an analysis—especially of the Data Protection Directive, the eSignatures Directive, and the Services Directive—it would be helpful to emphasize the shortcomings of the current identifiability model and the need to regulate the processing of certain instances of non-personal data in the data protection framework. For further details, see Andrade (2011). For the eSignature Directive, and further to the ones already examined, one might review the absence of standardized issuing procedures and poor definitions of suitable eID content and verification as barriers to the successful implementation of a pan-European eID scheme. In this sense, see Myhr (2008).

  79.

    For a more detailed analysis of the legal barriers to the construction of a pan-European eID framework and the proposition of new legal solutions (principles) to attain this framework, see Andrade (2012b).

  80.

    This is hardly the first call for a balance between technology and law, which is often captured in the term “privacy by design.” In this regard, the European Commission noted in 2003 that “…the use of appropriate technological measures is an essential complement to legal means and should be an integral part in any efforts to achieve a sufficient level of privacy protection.” In the context of eID, and taking into account the need to achieve a sufficient level of identity protection, technology should also contribute to an “identity by design.” European Commission (2003).

  81.

    Microsoft, Shibboleth, Liberty Alliance, Passel, Sxip, and other technology companies and consortia have devoted efforts to building digital identity management systems and tools.

  82.

    In effect, as the Modinis Interim Report observed: “A commonly heard remark is that for any given technical difficulty in the IDM sector the problem is not the unavailability of technical solutions, but rather an overabundance of possible solutions. Overlooking legal, cultural and socio-political perspectives, from a strictly technical point of view most hurdles to interoperate IDM systems would be fairly easy to overcome,” Modinis-IDM-Consortium (2006), p. 7. One may therefore conclude that the most difficult impediments to a pan-European eID are not technical. Rather, they are the result of the different legal approaches and sociopolitical sensitivities of EU member states.

  83.

    In other words, we are less concerned with the technical facets of interoperable eID systems and more concerned with the legal framework that must be put into place for sustainable, harmonized technical solutions to emerge.

  84.

    In effect, “[t]he Internet has a ID infrastructure often identifying only the endpoint of a communication: IP addresses. These are often unreliable to identify users.” Leenes et al. (2008), p. 1.

  85.

    Ibid., p. 1.

  86.

    Graux et al. (2009), p. 106, Leenes et al. (2009), p. 25.

  87.

    That is to say that unique identification numbers should be used only in restricted contexts, not that they cannot be used at all. Discrete sectoral identifiers (namely for tax and social security purposes) are good examples of such restricted use. Sector based identifiers are increasingly popular, partly owing to the aforementioned constitutional restrictions.

  88.

    There are four primary models of identity management system amid the exploding pantheon of eID systems: “siloed” systems, centralized systems, federated systems and “user-centric” systems. For a detailed explanation of these forms, see OECD (2009), pp. 16–17.

  89.

    Ibid., p. 17.

  90.

    Ibid., p. 17.

  91.

    Graux et al. (2009), p. 119. Occasionally, one actor can occupy multiple roles. For example, an identity provider can also be an authentication authority, and a registration authority might also be an identity provider.

  92.

    Myhr (2008), p. 81.

  93.

    Leenes et al. (2009), p. 32.

  94.

    Ibid., p. 32.

  95.

    Leenes et al. (2008).

  96.

    The basic principle underpinning legal basis was expressed in Case 45/86, Commission v. Council (Generalised Tariff Preferences) where the ECJ expressed the opinion that: “the choice of a legal basis for a measure may not depend simply on an institution’s conviction as to the objective pursued but must be based on objective factors which are amenable to judicial review.”

  97.

    In the case of delegated legislation, those references are located in an enabling legislative act.

  98.

    In more detail, these three categories are the following:

    • Exclusive competence, according to which only the European Union can legislate and adopt legally binding acts, the Member States being able to do so only if empowered by the European Union or for the implementation of EU acts;

    • Shared competence, which constitutes a ‘general residual category,’ (Craig 2008), as it provides that the European Union shall share competence with Member States where the Treaties confer on it a competence which does not relate to the areas referred in articles 3 and 6 TFEU. Such dispositions deal, respectively, with the category of exclusive competence and with the competence according to which the European Union is restricted to taking action to support, co-ordinate or supplement the action of the Member States;

    • Competence to support, co-ordinate or supplement. This category of competence allows the European Union to take action to support, coordinate, or supplement the actions of the Member States, without thereby superseding their competence in these areas, and without entailing harmonisation of Member State law (Article 2 (5) TFEU).

  99.

    As a proposal for legal solutions to these questions, see Andrade (2012a). This article argues that the legal basis for the regulation of eID should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.

  100.

    OECD (2009), p. 18.

  101.

    This is the case of the Modinis-IDM-Consortium (2006). Modinis Deliverable: D.3.9 Identity Management Issue Interim Report II1. In addition, the Modinis project developed a specific Terminology Paper, Modinis-IDM-Consortium (2005).

  102.

    Graux et al. (2009), p. 118.

  103.

    Ibid., p. 118.

  104.

    Ibid., p. 128.

  105.

    Ibid., p. 119.

  106.

    Myhr (2008), p. 77.

  107.

    van Rooy and Bus (2010), p. 403.

  108.

    Ibid., p. 403.

  109.

    The basic principles are listed in Article 6 of the Data Protection Directive (DPD), and include the requirements that personal data must be:

    (a) processed fairly and lawfully;

    (b) collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical, or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

    (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

    (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

    (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

    Apart from these basic principles, Article 7 of the DPD delineates the conditions under which personal data may be processed, among which we stress the requirement that “the data subject has unambiguously given his consent”.

  110.

    Such as the EU/EC programmes, commissioned studies, action plans, agendas and research projects promoted in the eID area and mentioned in Sect. 1.3.

  111.

    Dumortier (2003), p. 69.

  112.

    In terms of concrete proposals for the achievement of a pan-European electronic ID scheme, Thomas Myhr presents two concrete action proposals that the European Commission could take into consideration in order to achieve cross-border interoperability: (i) setting up requirements for Validation Authorities and self-declaratory schemes and (ii) setting up a quality classificatory system, where different national security levels can be mapped against neutral requirements adopted by the European Commission. See Myhr (2008).

  113.

    European Council (2010), p. 43.

  114.

    OECD (2009), p. 17.

  115.

    Ibid., p. 17.

  116.

    Ibid., p. 17.

  117.

    That is, “the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes”, European Commission (2010a), p. 8.

  118.

    Mary Rundle lists the following examples of legitimate governance reasons for accessing and sharing citizens’ personal data: “For example, in fighting cybercrime, governments want authority to require Internet service providers to hand over subscriber information, among other data. To facilitate travel, governments have agreed to certain standards for a global system of electronic identity information. For taxation of international e-commerce, OECD members are seeking reliable ways to identify taxpayers. To counter the financing of terrorists or other criminals, governments seek to ensure that information on originators of wire transfer is available” Rundle (2006).

  119.

    Jones and Martin (2010), p. 1.

  120.

    Nabeth (2009), p. 38.

  121.

    Leenes et al. (2008), p. 9.

  122.

    The PRIME research project, in its technical proposals and prototypes for privacy-identity management tools, envisaged three central means of controlling multiple partial identities: tracking one's data trail, support for rights enforcement and policy enforcement. See ibid., p. 9.

  123.

    Poullet (2010), p. 11.

  124.

    Ibid., p. 11.

  125.

    Leenes et al. (2008), p. 5.

  126.

    The TURBINE project aims to develop innovative digital identity solutions. They employ electronic fingerprint authentication to ensure secure, automatic user identification and apply advanced cryptography technologies to reliably protect biometric data. For further information, see http://www.turbine-project.eu/

  127.

    http://www.turbine-project.eu/

  128.

    “… anonymous, or pseudonymous interactions are the default within PRIME … PRIME supports different forms of pseudonymous with different characteristics with respect to linkability.” Leenes et al. (2008), p. 8.

  129.

    As remarked in the PRIME project White paper: “If I know your name, I can try to get data about you through all sort of channels, which is much more difficult if I only know your transaction pseudonym ghT55897” ibid., p. 8.

  130.

    Mechanisms exist to reveal the identity of users when warranted and under strict conditions. As a concrete proposal, it is suggested that “[o]ne of these conditions would be the use of a trusted third party that is contractually bound to reveal the civil identity of the user under certain circumstances.” ibid., p. 11.

  131.

    De-anonymisation of data is becoming a recurrent phenomenon, posing new risks to privacy. In this respect, see Ohm (2009).

  132.

    Graux et al. (2009), p. 115.

  133.

    In also observing the principle of unlinkability, the same study points out that the Czech Republic plans to implement a system similar to the Austrian one, “based on the introduction of a 'basic personal identifier', which will be used to derive a set of personal identifiers for specific contexts, so that each individual will be identified by a different identifier in each context” (ibid., p. 115), thus preventing different eIDs from being cross-related and linked.

  134.

    Dumortier (2003), p. 69.

  135.

    Leenes et al. (2008), p. 3.

  136.

    Ibid., p. 7.

  137.

    Ibid., p. 10.

  138.

    In this sense, see Andrade (2011a, b).

  139.

    Graux et al. (2009), p. 112.

  140.

    Ibid., p. 81. For more information on which countries surveyed in the PEGS study subscribed to an authentication source principle and to what extent this principle has impacted their identity management policies, see ibid., pp. 81–84.

  141.

    Ibid., p. 112.

  142.

    Leenes et al. (2009), p. 32.

  143.

    In this context, see Poullet’s construction of a “new privacy right: the right to a privacy compliant terminal with a transparent and mastered functioning by its users” Poullet, “About the E-Privacy Directive: Towards a Third Generation of Data Protection Legislation?,” 27. Such a right, as heavily based on technological components and technical requisites embedded into terminal equipment, constitutes what I would call a derivation of the principle of technological assistance.

  144.

    Article 29 Data Protection Working Party (1999).

  145.

    European Commission (2010d), p. 19.

  146.

    European Commission (2010d), p. 18.

  147.

    Graux et al. (2009), p. 115. Member States have also implicitly introduced in their legislation the already alluded-to authentic source principle.

References

  • Andrade NNG (2011a) Data protection, privacy and identity: distinguishing concepts and articulating rights. In: Fischer-Hübner S, Duquenoy P, Hansen M, Leenes R, Zhang G (eds) Privacy and identity management for life: 6th Ifip Wg 9.2, 9.6/11.7, 11.4, 11.6/Primelife International Summer School, Helsingborg, 2–6 Aug 2010, Revised Selected Papers. Springer, Heidelberg, pp 90–107

  • Andrade NNG (2011b) The right to privacy and the right to identity in the age of ubiquitous computing: friends or foes? A proposal towards a legal articulation. In: Akrivopoulou C, Psygkas A (eds) Personal data privacy and protection in a surveillance era: technologies and practices. Information Science Publishing, Hershey, pp 19–43

  • Andrade NNG (2012a) Regulating electronic identity in the European Union: an analysis of the Lisbon Treaty’s competences and legal basis for eID. Comp Law Secur Rev: Int J Technol Law Prac 28(2):152–163

  • Andrade NNG (2012b) Towards a European eID regulatory framework. Challenges in constructing a legal framework for the protection and management of electronic identities. In: Gutwirth S, De Hert P, Leenes R, Poullet Y (eds) European data protection: in good health?. Springer, Dordrecht, The Netherlands, pp 285–314

  • Article 29 Data Protection Working Party, “Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware,” 1999

  • Craig P (2008) The treaty of Lisbon, process, architecture and substance. Eur Law Rev 33(2):137–166

  • Davis S (2009) A conceptual analysis of identity. In: Ian K, Valerie S, Carole L (eds) Lessons from the identity trail, p 213

  • Dumortier J (2003) Legal considerations with regard to privacy protection and identity management in the information society. 112e rapport annuel, Hochschule für Technik und Architektur Biel, Tilt, no. 15:66–69

  • Dumortier J et al (2003) The legal and market aspects of electronic signatures, p 127. http://skilriki.is/media/skjol/electronic_sig_report.pdf

  • European Commission (2003) First report on the implementation of the data protection directive (95/46/Ec), Brussels

  • European Commission (2005) Signposts towards Egovernment 2010

  • European Commission (2006) Report of 15 March 2006 on the operation of directive 1999/93/EC on a community framework for electronic signatures, at 6, COM, 120 final (15 Mar 2006)

  • European Commission (2007) A roadmap for a Pan-European Eidm framework by 2010—V.1.0

  • European Commission (2010a) A comprehensive approach on personal data protection in the European Union. In: European Commission, Brussels

  • European Commission (2010b) A digital agenda for Europe. Brussels

  • European Commission (2010c) Delivering an area of freedom, security and justice for Europe’s citizens: action plan implementing the Stockholm programme, Brussels

  • European Commission (2010d) Europe 2020: a strategy for smart, sustainable and inclusive growth, Brussels

  • European Commission (2010e) Towards interoperability for European public services

  • European Council (2010) Reflection group on the future of the EU 2030. Project Europe 2030. Challenges and Opportunities

  • Fearon JD (1999) What is identity (as we now use the word)? 4–5, 7 (unpublished manuscript). http://www.stanford.edu/~jfearon/papers/iden1v2.pdf. Accessed 3 Nov 1999

  • Froomkin MA (2011) Lessons learned too well (Miami Law Research Paper Series No. 2011-29) (unpublished manuscript). http://ssrn.com/abstract=1930017

  • Graux H, Majava J, Meyvis E (2009) Eid interoperability for pegs—update of country profiles—analysis and assessment report

  • Hildebrandt M (2008) Profiling and the identity of the European citizen. In: Mireille H, Serge G (eds) Profiling the European citizen 303

  • Jones A, Martin T (2010) Digital forensics and the issues of identity. Information security technical report, pp 1–5

  • Leenes R, Schallaböck J, Hansen M (2008) Prime (Privacy and Identity Management for Europe) White Paper

  • Leenes R, Priem B, van de Wiel C et al (2009) Stork—towards Pan-European recognition of electronic Ids (Eids) - D2.2—report on legal interoperability. STORK-eID Consortium, Den Haag

  • Modinis-IDM-Consortium (2005) Modinis study on identity management in Egovernment. Common terminological framework for interoperable electronic identity management—consultation paper V.2.01

  • Modinis-IDM-Consortium (2006) Modinis study on identity management in Egovernment, identity management issue interim report Ii1

  • Myhr T (2008) Legal and organizational challenges and solutions for achieving a pan-European electronic Id solution: or i am 621216-1318, but i am also 161262-43774. Do you know who i am? Information security technical report 13, no. 2, pp 76–82

  • Nabeth T (2009) Identity of identity. In: Kai R (eds) The future of identity in the information society: challenges and opportunities. Springer, Berlin, pp 19–69

  • OECD (2007) OECD recommendation on electronic authentication and OECD guidance for electronic authentication

  • OECD (2009) The role of digital identity management in the internet economy: a primer for policy makers

  • Ohm P (2009) Broken promises of privacy: responding to the surprising failure of anonymization. University of Colorado Law Legal Studies Research Paper No. 09–12

  • Pfitzmann A, Hansen M (2010) A terminology for talking about privacy by data minimization: anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (Version V0.34).

  • Poullet Y (2010) About the E-Privacy directive: towards a third generation of data protection legislation? In: Gutwirth S, Poullet Y, de Hert P (eds) Data protection in a profiled world. Springer Science + Business Media B.V, Dordrecht, pp 3–30

  • Rundle M (2006) International personal data protection and digital identity management tools, Berkman Center Research Publication No. 2006–06

  • van Rooy D, Bus J (2010) Trust and privacy in the future internet: a research perspective. Ident Inf Soc 3(2):397–404

Correspondence to Norberto Nuno Gomes de Andrade.


© 2014 The Author(s)

de Andrade, N.N.G. (2014). Legal Aspects. In: Electronic Identity. SpringerBriefs in Cybersecurity. Springer, London. https://doi.org/10.1007/978-1-4471-6449-4_1

  • DOI: https://doi.org/10.1007/978-1-4471-6449-4_1

  • Publisher Name: Springer, London

  • Print ISBN: 978-1-4471-6448-7

  • Online ISBN: 978-1-4471-6449-4

  • eBook Packages: Computer Science (R0)
