The European Union is in the process of creating the European Digital Identity: a biometric passport, or a central location for all identifying information.  The purpose behind the passport is to enable Europeans to easily identify themselves and share selected information with both the government and private businesses.  Part of the European Union’s motive to create such a passport is in response to citizens’ growing concerns regarding the security of their information.  The concerns extend to both public and private organizations and the data these organizations have access to, because the European Digital Identity will allow Europeans to store their important documents all in one central electronic location.  While this may initially seem contradictory to the purpose, the passport will allow citizens to distinctly select what documents or information to provide to each company.  For example, the passport will enable users to share only small details necessary for verification with public and private entities, such as age, without providing other identifiers, such as name or address.  The digital passport will be able to store documents including a driver’s license, medical records, or educational records.

The General Data Protection Regulation (GDPR) is the European Union’s most significant law protecting data security.  Passed in 2016, it updated older EU legislation which rapidly became outdated as a result of changing technologies and evolving capabilities of the Internet.  The GDPR provides significant protections to Europeans by regulating businesses that offer goods and services to Europeans or process their information.  Each member nation of the EU has its own national Data Protection Authority, which may investigate companies it suspects to be in violation of the GDPR.  Additionally, a citizen who suspects their rights have been violated may either file a civil suit against the company or report the conduct to the citizen’s respective national Data Protection Authority.

The GDPR applies to all businesses that offer services to European citizens, even if they are not physically located in the EU.  The purpose of the GDPR is to protect personal data of European citizens by minimizing data collection, keeping data collection purposeful, and being transparent in data collection.  The regulation achieves these goals by requiring at least one of a list of factors be met before an organization can collect, store, or sell a European’s data.  These factors include necessary data processing before entering into a contract such as a background check, or “specific, unambiguous consent” from the subject before an organization may use the individual’s data. The GDPR also provides rights to data subjects’ personal information, such as choosing which entity has access to personal data, the capability to erase their data if it is held by a company, and rectification to parties whose rights were violated. The costs to organizations in violation of the regulation are high; penalties (not including damages) can be up to €20 million or 4% of their global revenue, whichever amount is higher.

While the idea of a biometric passport may at first seem riddled with privacy or surveillance issues, the GDPR greatly limits the scope of how someone’s data may be used.  Working together, the GDPR legislation and creation of the biometric passport policy will provide a safe manner for European citizens to store, use, and manage their data.  While the digital passport creates a tool to manage personal information, the GDPR greatly restricts what organizations can do with this information, and imposes serious sanctions and significant monetary penalties for violations. Enrollment in the biometric passport program will be optional, which makes it appealing to European citizens.  Individuals who may be more concerned about data privacy or government surveillance will still be able to identify themselves in traditional ways, such as by using a traditional passport. The new biometric passport project will enhance security and improve identity verification for the government and some private businesses while citizens receive the benefit of control over what personal information is shared with private companies, allowing them to ensure only details required for verification are shared.  The existing GDPR legislation will provide data protections for the information shared within the passport, allowing for a safe and secure manner to store personal data.

Author Biography: Vivian M. Overbeck is a moderator for the International Law and Policy Brief and a J.D. candidate at The George Washington University Law School.  She received a B.A. in History (December 2019) and a B.A. in Economics (May 2020) from Northern Illinois University. Overbeck competed in cross country and track for Northern Illinois University and completed her eligibility in outdoor track during her 1L year at GW.  Her primary interests are operational law, international law, and military justice.