EU Commission undermines data protection of digital wallet

The need-to-know principle of the upcoming EUDI Wallet for identity documents was one of its strengths. Ironically, the EU Commission is now diluting precisely that.


The European digital wallet is actually supposed to be a prime example of data minimisation: for instance, when buying wine, if you only need to prove your age, you only disclose your age – at least that was the plan. However, the EU Commission is undermining this very principle in its current implementing acts for the eIDAS Regulation. The Austrian non-governmental organization epicenter.works warns in a detailed statement that companies could request far more data than necessary.

At the center of criticism are three current consultation drafts from the EU Commission for so-called implementing acts. The Commission intends to issue a total of 40 such legal provisions before the European Digital Identity Wallet (EUDI Wallet) is available. They regulate the practical implementation of the eIDAS Regulation 2.0, which came into force in May 2024 and forms the legal framework for the digital wallet. The German federal government has announced the launch of the German EUDI Wallet for January 2, 2027, and has already provided a test environment.

The problem lies with the registration certificates for “Relying Parties,” i.e., companies and authorities that want to request data from the wallet. According to the eIDAS Regulation, such trusted parties must register in an EU member state beforehand and specify which data they are requesting and for what purpose. Facebook doesn't need a place of birth; adult sites don't need real names – that makes sense. The registration certificates issued thereafter technically enforce this restriction: they function as a kind of data ID, with which requesting entities legitimize themselves to the wallet.

However, the Commission states in its new drafts that member states “may” issue such certificates but are not required to. Without a certificate, however, a wallet cannot technically verify whether a data request corresponds to the registered purpose. “Companies from countries like Ireland could circumvent the wallet's protection mechanisms, making illegal requests for too much information possible,” warns Thomas Lohninger from epicenter.works at Netzpolitik.org.

Accordingly, a company could simply choose a place of establishment in a member state that does not require certificates and then request more data than necessary from German users as well. According to epicenter.works, this contradicts Article 5b Paragraph 3 of the eIDAS Regulation, which states that trusted parties may only request the data they specified during their registration.
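The enforcement the article describes, as an added illustration that is not code from the EUDI Wallet reference implementation and does not use the real certificate or attribute formats: a wallet compares a relying party's request against the attributes declared in its registration certificate, and a request that arrives without a certificate cannot be checked at all. The certificate structure, the attribute names and the wine-shop relying party are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed attribute names; the real PID/attestation identifiers are
# defined in the EUDI Wallet specifications and are not reproduced here.
PID_ATTRIBUTES = frozenset({"family_name", "given_name", "birth_date",
                            "birth_place", "nationality", "age_over_18"})

@dataclass(frozen=True)
class RegistrationCertificate:
    """Simplified stand-in for the relying-party registration certificate:
    what the party declared at registration, bound to its identity."""
    relying_party: str
    purpose: str
    authorised_attributes: frozenset

@dataclass
class Decision:
    allowed: bool
    reason: str
    disclosed: frozenset = field(default_factory=frozenset)

def evaluate_request(requested, certificate):
    """Wallet-side check: release only attributes covered by the registration.
    Without a certificate the purpose cannot be verified, so the wallet must
    not fall back to disclosing whatever was asked for."""
    requested = frozenset(requested)
    unknown = requested - PID_ATTRIBUTES
    if unknown:
        return Decision(False, f"unknown attributes: {sorted(unknown)}")
    if certificate is None:
        return Decision(False, "no registration certificate: purpose unverifiable")
    excess = requested - certificate.authorised_attributes
    if excess:
        return Decision(False, f"request exceeds registration: {sorted(excess)}")
    return Decision(True, f"matches registration for '{certificate.purpose}'", requested)

# Hypothetical wine shop registered for an age check only.
WINE_SHOP_CERT = RegistrationCertificate(
    "wine-shop.example", "age verification", frozenset({"age_over_18"}))

if __name__ == "__main__":
    print(evaluate_request({"age_over_18"}, WINE_SHOP_CERT))
    print(evaluate_request({"age_over_18", "birth_place"}, WINE_SHOP_CERT))
    # Relying party from a state that issues no certificates: asks for the
    # full PID and presents no proof of what it registered for.
    print(evaluate_request(PID_ATTRIBUTES, None))
```

The third call is the scenario the article warns about: once member states may skip issuing certificates, the wallet has nothing to compare the request against and can only refuse or, if implementers take the permissive route, disclose everything.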

In addition to technical control, the right to pseudonymity enshrined in the eIDAS Regulation is also under pressure. Users should be able to identify themselves in everyday life with self-chosen pseudonyms, provided there is no legal obligation to identify themselves. However, the Commission limits the use of pseudonyms in its drafts to pure authentication processes, such as pseudonymous logins for web services.

epicenter.works criticizes this narrow interpretation as negligent, especially against the backdrop of the current debate about age verification on social media, gambling, and pornography sites: under such a narrow interpretation, parties with a strong interest in real names could receive complete identity data despite the lack of a legal basis.


Particularly explosive: the Commission now also wants to make biometric facial data mandatory in the minimum data set for personal identification (Person Identification Data, PID), which has been deliberately kept minimal. So far, this data set includes name, date of birth, place of birth, and nationality. Biometric data falls under Article 9 of the GDPR and is therefore subject to particularly strict processing rules. Without mandatory registration certificates, this sensitive data could also flow to companies that do not need it. Ten non-governmental organizations, including EDRi and the Chaos Computer Club, therefore called for mandatory registration certificates in an open letter to EU Commissioner Henna Virkkunen on March 10, 2026.

As early as November 2024, the Commission attempted to make the registration of trusted parties voluntary. After protests from civil society organizations, it temporarily corrected its position – only to return to its original demand a few weeks later. epicenter.works describes this approach as unprofessional and warns that it “considerably undermines public trust in the future eIDAS ecosystem.”

Meanwhile, wallet development in Germany is progressing. The Federal Agency for Breakthrough Innovation (Sprind), together with the BSI and the Bundesdruckerei, has demonstrated a functional prototype that can read out the identity card via NFC and store signed identity data locally. BSI President Claudia Plattner emphasized that data protection is a key differentiator compared to commercial providers. The digital driver's license is also to be integrated into the EUDI Wallet by 2030.

Whether the technical protective measures will be effective in practice now largely depends on how the Commission finalizes its implementing acts. epicenter.works calls for registration certificates to be made mandatory EU-wide and for biometric data to be removed from the minimum PID data set. Only then can a uniform level of data protection be guaranteed – and the digital wallet be prevented from becoming a free pass for data collectors.

(kki)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.