On Tuesday 5 April, the EU Member States, meeting in the Telecommunications Working Group, discussed the French EU Council Presidency’s (FPEU) compromise text on the establishment of the framework for the digital identification portfolio in the EU (see EUROPE 12901/15).
Several recitals and articles have been added - or reinstated - in the FPEU’s compromise proposal, mainly dealing with trust service providers.
The text now insists that providers of trust services for electronic registers, where data is stored, would be required to comply with the Digital Identity Regulation as well as with other rules in force, depending on the sector concerned. For example, use cases involving the processing of personal data should, inter alia, comply with the text on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Still on the subject of trust services, the text specifies that it should be up to the Member States to define the sanctions applicable in the event of infringements of the regulation, such as practices creating confusion between non-qualified and qualified trust services or the use of the EU trust mark by non-qualified trust service providers.
The FPEU also argues that the future regulation setting the framework for a digital identity for EU citizens, residents and businesses should be based on a harmonised level of “quality, trustworthiness and security” for trust services. A trust service provider outsourcing one of its operations should therefore provide guarantees that monitoring activities and audits can be applied as if these operations were carried out in the Union.
Finally, non-qualified trust service providers should take steps to “manage legal, business, operational and other direct or indirect risks” through measures in the area of registration and on-boarding procedures, procedural or administrative controls, and service management and implementation. The entity concerned should notify the competent supervisory body of any violations or disruptions encountered in the implementation of these measures.
With regard to qualified providers, the supervisory body could withdraw the qualified status of that provider - or the affected service it provides - in the event that any of the requirements set out in the regulation are not met.
See the compromise document: https://aeur.eu/f/19y (Original version in French by Thomas Mangin)