Data Protection by Design for Cross-Border Electronic Identification: Does the eIDAS Interoperability Framework Need to Be Modernised?

  • Niko Tsakalakis
  • Sophie Stalla-Bourdillon
  • Kieron O’Hara
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 547)


This paper contributes to the discussion on privacy preservation methods in the context of electronic identification (eID) across borders through interdisciplinary research. In particular, we evaluate how the GDPR principle of ‘Data Protection by Design’ applies to the processing of personal data undertaken for identification and authentication purposes, suggesting that, in some cases, unlinkable eIDs should be a key requirement in order to facilitate data minimisation and purpose limitation. We argue that in an attempt to welcome diverse types of architectures, the Interoperability Framework could have the effect of reducing the data protection level reached by some national eID schemes, when transacting with services that do not require unique identification. We consequently propose that data minimisation and purpose limitation principles should be facilitated through the implementation of two methods, pseudonymisation and selective disclosure, through an addition to eIDAS’ technical specifications.


Keywords: Electronic identification, eIDAS, GDPR, Privacy by Design, Data Protection by Design, Unlinkability, Selective disclosure, Pseudonymisation



This research was partly funded by the Research Councils UK Digital Economy Programme, Web Science Doctoral Training Centre, University of Southampton, EP/L016117/1 and partly funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 700542. The authors would like to thank the DG CONNECT, the DG DIGIT and the eIDAS Technical sub-group for their invaluable feedback during the review process of this paper. This paper reflects only the authors’ views; the Commission is not responsible for any use that may be made of the information it contains.



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Web and Internet Science, ECS, University of Southampton, Southampton, UK
  2. Institute for Law and the Web, University of Southampton, Southampton, UK
