At its meeting on 22 November 2023, the Federal Council adopted the dispatch on the Federal Act on Electronic Proof of Identity and Other Electronic Evidence – the e-ID Act for short. According to the Federal Council’s press release, the new electronic identity (“e-ID”) should enable users to “identify themselves digitally in a secure, fast and uncomplicated manner” in future. In the following article, we explain how the federal government intends to guarantee the best possible data protection.
Main features of the template
According to the dispatch on the e-ID Act, the draft law provides for the introduction of a free and voluntary state electronic proof of identity (“e-ID”) for holders of an identity document issued by the Swiss authorities (a Swiss identity card, a Swiss passport or a foreigner’s identity card issued by Switzerland).
Unlike the previous bill, which was rejected by the people (see our article from 4 February 2021 ” The E-ID Act goes before the people”), the federal government is now responsible for issuing the e-ID and operates the necessary (trust) infrastructure. The Confederation will thus operate the necessary basic system itself (“basic register”, “trust register”) and provide a state electronic wallet in the form of a mobile application that can contain the e-ID and other electronic proofs of identity. Or to put it more simply: the federal government offers an app for smartphones in which the e-ID can be managed securely. In this way, the state continues to fulfil its central task of verifying a person’s identity and issuing the corresponding electronic proof. Contrary to what was envisaged in the consultation, it is not the cantons but the Confederation itself that will also provide support for users.
The draft law stipulates that the e-ID can be used both on the Internet (e.g. when ordering an extract from the criminal record electronically) and in an analogue context (e.g. when purchasing alcohol as proof of age). The Federal Council then proposes that the state infrastructure created for the purpose of the e-ID should also be available to cantonal and communal authorities as well as private individuals in the sense of an “ecosystem”. Documents such as confirmations of residence, business register extracts, diplomas, tickets or membership cards, which are usually issued physically or as PDF documents today, should also be able to be managed as digital proof on smartphones in future. However, according to the Federal Council’s press release, it is important that all federal services for which the e-ID can be used continue to be offered in analogue form. At the same time, all authorities, including those of the cantons and municipalities, must accept the e-ID when they carry out electronic identification, for example when issuing a confirmation of residence or an extract from the debt collection register.
Data contained in the E-ID
Article 14 of the draft of the proposed e-ID Act lists the data that the e-ID should contain. On the one hand, this is personal identification data of the holder: the official surname, first names, date of birth, gender, place of origin, place of birth, nationality, facial image and OASI number. This data is available in the official federal registers. Secondly, it is data that is generated by the Confederation (specifically fedpol) when the e-ID is issued (so-called E-ID data): the e-ID number, the date of issue, the expiry date, details of the ID card used in the e-ID issuing process (including the type and period of validity of this ID card) and details of the issuing process. However, the e-ID may also contain additional data, provided that it is listed in the holder’s (physical) ID card, namely the name of the legal representative, alliance name or artist’s name. The dispatch emphasises that the personal identification data is queried directly in the federal registers and is not stored in the fedpol information system.
E-ID and data protection?
The top priority of the bill is to guarantee the greatest possible protection of this personal data. Data protection is to be guaranteed in particular through decentralised data storage. Accordingly, the e-ID will be stored exclusively on the user’s smartphone. Even if, according to the dispatch, the bill expressly refrains from referring to the relevant provisions of the Swiss Data Protection Act(DSG; SR 235.1), the Confederation will also adhere to the recognised principles of data protection law:
Self-Sovereign Identity (“SSI”):
Users of an E-ID have the greatest possible control over their data. For example, the e-ID is only stored on the smartphone and the user decides for themselves when and where they use the e-ID. Self-Sovereign Identity or SSI is a decentralised approach in which a person is not dependent on a third party. Information about their identity can be stored securely on their personal device using cryptographic methods. In addition, the user can specifically disclose personal data to third parties such as service providers. Conventional systems often store their users’ data in centralised databases that are susceptible to cyberattacks or similar cyber incidents.
Privacy by design:
According to the media release, this principle is implied in that data protection is considered from the very beginning of the development of the overall system. This means that the hardware and software are designed and developed from the ground up in such a way that the relevant data protection requirements are taken into account. For example, the issuer of the E-ID (nota bene fedpol) has no knowledge of when and where someone uses their e-ID.
Privacy by default:
Although not emphasised in the media release, the principle of privacy by default is also mentioned in the dispatch. This serves to protect users who are less tech-savvy and means that hardware and software are pre-set to be data protection-friendly on delivery.
Principle of data minimisation:
The necessary data flows are minimised. This means that only the e-ID data that is absolutely necessary for a specific purpose is transmitted during use. For example, in the case of a purchase that requires a minimum age of 18, a web shop only receives the information that the customer has reached this minimum age. Other personal data such as date of birth is not transmitted.
With regard to data protection, the Federal Council is proposing a further measure based on the results of the consultation: In order to emphasise the principle of data minimisation, it should be made public if someone requests more e-ID data than is necessary in a specific case.
The draft law is basically formulated in a technology-neutral manner; the choice of technical solution is only regulated if this is absolutely necessary to achieve the legislative objectives. This is intended to ensure that the design of the e-ID and the federal government’s trust infrastructure corresponds to the current state of the art and thus guarantees a high level of data security and data protection.
Timetable of the Federal Council
The Federal Council plans to offer the e-ID from 2026. The preparatory work for setting up the necessary infrastructure has therefore already been initiated. First, however, the ball is in Parliament’s court: the current draft bill will now be submitted to Parliament together with the dispatch and discussed by the Councils one after the other. If the e-ID Act is adopted in the final vote by the National Council and the Council of States, the people could still call for an optional referendum and – as in the failed first attempt – a popular vote would be held. In contrast to the new bill and a major point of criticism of the first bill, however, it was envisaged that the e-ID would be issued by private individuals rather than the federal government.
Sources
- Federal Council press release dated 22 November 2023, E-ID: Federal Council adopts dispatch, last accessed on 30. November 2023.
- Dispatch on the Federal Act on Electronic Proof of Identity and Other Electronic Evidence, last accessed on 30. November 2023.
- Draft law on the Federal Act on Electronic Proof of Identity and Other Electronic Evidence, last accessed on: November 2023: 30. November 2023.
- Website of the Swiss Confederation on the electronic identity E-ID, last accessed on: November 2023: 30. November 2023.