Oireachtas Joint and Select Committees
Tuesday, 28 September 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
Scrutiny of EU Legislative Proposals
Apologies have been received from Senator Buttimer and Deputy Matthews. We are dealing with further scrutiny of the EU proposal COM (2021) 281 to establish a framework for a European digital identity. To preface our discussion, an observation from the Data Protection Commissioner was circulated to members earlier this morning. It is available on our Microsoft Teams portal now. I suggest that members read that document straight away. It is short in length but heavy in content, and relevant to our deliberations today. The document has also been sent to members by email. Following its engagement on the COM (2021) 281, the committee will decide on how it wishes to proceed with its scrutiny of this proposal. We will have a short private meeting immediately after the conclusion of this public session.
I welcome witnesses from the Departments of the Environment, Climate and Communications and Public Expenditure and Reform. I thank them for coming in today at short notice and facilitating this meeting going ahead. From the Department of the Environment, Climate and Communications, I welcome: Ms Mairéad McCabe, principal officer in the telecommunications policy and regulation division; Ms Catherine McDonald, assistant principal officer in the telecommunications policy and regulation division; and Mr. Rory Hinchy, staff engineer in the office of the chief technology officer. From the Department of Public Expenditure and Reform, I welcome: Mr. Barry Lowry, Government Chief Information Officer; and Mr. Declan Hickey, Office of the Government Chief Information Officer, OGCIO.
Witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if their statements are potentially defamatory in relation to an identifiable person or entity, they will be directed to discontinue their remarks and it is imperative that they comply with any such direction. Witnesses attending remotely outside of the Leinster House campus should note that there are some limitations to parliamentary privilege and, as such, they may not benefit from the same level of immunity from legal proceedings as witnesses who are physically present. Witnesses participating in this committee session from a jurisdiction outside the State are advised that they should also be mindful of their domestic law and how it may apply to evidence they give. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against any person outside the Houses or an official by name or in such a way as to make him or her identifiable.
For anyone watching this meeting, Oireachtas members and witnesses now have the option of being physically present in the committee or to join the meeting remotely via Microsoft Teams. I remind members of the constitutional requirement that they must be physically present within the confines of the Leinster House complex in order to participate in public meetings. Reluctantly, I will not permit members to participate where they are not adhering to this constitutional requirement.
Therefore, any member who attempts to participate from outside the precincts will be asked to leave the meeting. In this regard, I would ask any member participating via MS Teams, prior to making his or her contribution to the meeting, to confirm that he or she is on the grounds of the Leinster House campus. If attending in the committee room, you are asked to exercise personal responsibility to protect yourself and others from the risk of contracting Covid-19. I strongly advise the practice of good hand hygiene and to leave at least one vacant seat between you and others attending. One should also always maintain an appropriate level of social distancing during and after the meeting. Masks should be worn at all times during the meeting except when speaking.
I call on Ms Mairéad McCabe to make her opening statement.
Ms Mairéad McCabe:
I wish the Chairman and members of the committee "Good morning". The Department of the Environment, Climate and Communications is happy to attend the meeting today to discuss the proposed revision of the eIDAS regulation.
I am Mairéad McCabe, principal officer leading the telecommunications policy and regulation division of the Department. Joining me are my colleagues, Ms Catherine McDonald, assistant principal, working in the same division, and Mr. Rory Hinchy, staff engineer of the office of the chief technical officer.
The primary policy focus of our division in the Department is on the telecommunications sector. While the eIDAS regulation is not a telecommunications issue, the EU Telecommunications and Information Society Working Party is currently considering this proposal at European level and this Department is leading discussions in the negotiation. It is expected that the negotiating period will be approximately one year from June of this year.
Our main area of interest in the Department is the oversight of the trust services element of the proposal and we are taking expert inputs from the Office of the Government Chief Information Officer, OGCIO, on the e-identification, eID, aspects of the revision. Inputs from the Department of Justice and the Data Protection Commissioner will also be needed in respect of GDPR and data protection aspects, and other Departments and bodies will be consulted as necessary.
The working party, having held an initial discussion with the European Commission earlier in the summer, is now engaged in ongoing detailed discussions on the proposed revision. This is currently at a very early stage and involvement of a range of stakeholders will be required as we move towards finalising agreement. Planning for implementation, particularly in and around the toolbox which is to be established, will require at national level significant cross-departmental inputs.
Having been fully in force since July 2016, the regulation is now facing a revision, and the intention is that putting new rules in place will pave the way for more successful application of secure digital identities into the future.
The new proposal provides a framework for a European digital identity which will be available to all EU citizens, residents and businesses in the EU. The EU aims to introduce a more harmonised approach to digital identification rather than the current divergent approaches in place across the various member states. Citizens will be able to prove their identity and share electronic documents from their European digital identity wallets, which will be accessible from their phone or other devices. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. Very large online platforms will also be required to accept the use of European digital identity wallets upon request of the user.
For the main proposed revisions to the regulation, the significant changes include: mandatory provision by EU states of digital wallets; improvements to management of remote signature; establishment of a common toolbox for European digital identity; harmonisation with other relevant pieces of EU legislation; adaptation to the much-changed digital landscape since 2014 - the time of the original regulation; and the proposal also foresees four new qualified trust services to meet market demand.
With regard to ensuring the security of the eIDAS regulation, the regulation requires notification regarding cases of security incidents. The supervisory body must currently provide the European Union Agency for Cybersecurity, ENISA, with a summary of notifications of breach of security and loss of integrity received from trust service providers.
While it is the intention of the European Commission that security aspects of the regulation be replaced with rules and procedures under the EU network and information security directive, NIS II Directive, that directive, as the committee will be aware, is currently under active negotiation at EU level. Accordingly, whatever alignment is necessary will only emerge once that legislative file has progressed to an advanced level.
As to trust services in Ireland, there are two qualified trust service providers established here. One provides qualified time stamp services and the other provides qualified electronic signature and electronic seal services. This small market has the potential to grow and is not a hindrance to the development of digital services in Ireland.
Customers can purchase trust service products, such as an e-signature, from any trust service provider in any member state in the EU. If they want a product that is a qualified and therefore a trustworthy product, then they get it from a qualified trust service provider.
In terms of implementation of the 2014 eIDAS regulation in Ireland and formal appointment of a supervisory body for trust services, Article 17 of the regulation requires member states to designate a supervisory body to regulate trust service providers within its jurisdiction. The Minister for the Environment, Climate and Communications has approved the designation of ComReg as the supervisory body under, and for the purposes of, the 2014 regulation. Work is now under way to progress this designation, including considering the practicalities of formal designation, the legislation necessary to amend ComReg’s statutory functions, either primary or secondary, the provision of appropriate enforcement powers and an appropriate funding mechanism. The Department will engage extensively with ComReg and other stakeholders, as appropriate, with a view to designation as soon as possible.
It should be noted that the fact that a supervisory body has yet to be designated in Ireland under the 2014 regulation does not mean that trust services are not available in Ireland. Such services exist and an oversight mechanism was put in place in 2010, provided for under the Electronic Commerce Act 2000. This is operated by the office of the chief technology officer in the Department. However, formalising the designation under the 2014 regulation now requires a much more comprehensive regulatory regime to be put in place for ComReg, which includes enforcement powers and will necessitate the development of the requisite level of expertise in the body being nominated as supervisor. The regulation sets out certain tasks for the supervisory body, requiring it to supervise trust service providers; investigate breaches of the regulation and take enforcement action as appropriate to remedy such breaches; co-operate with supervisory bodies in other member states; and report annually to the European Commission and ENISA on activities and breaches.
An integral part of the role of the supervisory body is to grant and withdraw qualified status to trust service providers. The term "qualified" is used for those service providers which can prove that the services provided by them fulfil the requirements laid down in the eIDAS regulation. It does this based on the results of audits of trust service providers conducted either by itself or by a conformity assessment body.
As regards the main changes proposed in trust services in the revised regulation, while the proposal is ambitious in terms of the digital wallet, the changes proposed to the trust services element are generally less so. In response to the dynamics of the markets and to technological developments, it is proposed to expand the current eIDAS list of trust services with the introduction of four new additional services, including the provision of electronic attestations of attributes, electronic archiving services, electronic ledgers and the management of remote electronic signature and seal creation devices. The introduction of a trust service framework for the electronic attestations of attributes is significant and will be fundamental to the introduction of a digital wallet.
The other main changes to the trust service provisions of the 2014 regulation include proposing to align the cybersecurity risk management obligations with those in the NIS 2 directive, permitting the Commission to introduce implementing Acts to set out the conditions applicable to trust services established in third countries, a suggestion that the tasks of supervisory bodies could be supplemented by the Commission using implementing Acts, and a requirement on providers of web browsers to facilitate the use of qualified certificates for website authentication. Initial views are supportive of the regulation.
We are happy to take questions on the proposal and to hear the views of members.
Mr. Barry Lowry:
I am the Government chief information officer, based in the Department of Public Expenditure and Reform. I thank the Chairman and committee members for the invitation to meet them today to discuss the European Commission’s draft legislative proposal for the European digital identity framework. I am joined by my colleague from the Office of the Government Chief Information Officer, Mr. Declan Hickey.
As the committee will be aware, one of my responsibilities as Government Chief Information Officer is to take forward the soon to be replaced public service ICT and eGovernment strategies and elements of the Civil Service reform 2030 programme. Another responsibility of my office is to work with our equivalent offices across the EU and EEA in shaping European Commission technical programmes and initiatives and to support Departments and representatives where they are involved in related policy or legislative discussions.
The European digital identity framework is one such project. My colleague, Declan Hickey, and I are both involved in technical meetings related to this initiative and we have also been assisting our colleagues in the Department of the Environment, Climate and Communications with their contributions. On that basis, I would like to take my few minutes to brief the committee on the technical aspects of this programme.
As the committee will be aware, the Next Generation EU recovery package, which is worth €750 billion, was established to complement and support each country’s own national response to the crisis, and to provide the means to invest in the transformation to a more green and digital economy. The EU Digital Compass then sets out the EU’s vision for a digital future in a way which, the EU claims, will also support it in meeting objectives in the European Green Deal, thus helping Europe to reach its goal of reducing greenhouse gas emissions by at least 55% by 2030. It cites the use of video-conferencing to help reduce flight emissions and digital technologies to help create a greener approach to agriculture, energy use in buildings and more sustainable city planning.
The EU Digital Compass uses the four points of the compass to identify the main goals to reach over the next decade. These are as follows: first, a digitally skilled population and highly skilled digital professionals; second, secure and substantial digital infrastructures; third, digital transformation of businesses; and, fourth, digitisation of public sectors. The EU has stated that the successful delivery of the Digital Compass will require an increased focus from governments on better digital services and better interoperability across all levels of government and across public services. Equally important, they argue, is the concept of a trusted, user-controlled identity, one which allows citizens to control their own online interactions and presence and make full use of online services throughout the EU, while preserving their privacy.
It is this ambition which has led to the EU re-thinking and revising its plans and ambitions for an EU digital identity. Electronic identities, eIDs, or digital identities and related infrastructure are foundational for digital transformation and to enable delivery of services for citizens and businesses. A functional self-sovereign digital eID, which puts citizens in control of their own data and privacy, would be a big step towards transforming a wide range of public services. It is generally recognised by the UN, OECD and EU, among others, that government sponsored digital identities can protect the most vulnerable by ensuring that citizens are protected from personation and receive their entitlements accurately and in full. As the World Bank pointed out: “Robust and inclusive identification systems are crucial for development, as enshrined in Sustainable Development Goal (SDG) Target 16.9, which mandates countries to provide ‘legal identity for all, including birth registration.’” For individuals, proof of legal identity is necessary to access rights, entitlements, and services. For governments, modern identification systems allow for more efficient and transparent administration and service delivery, faster and more responsive services, and increased security.
The August 2021 G20 Digital Ministers’ declaration acknowledged the growing importance of digital identity, especially where “easily usable, reliable, secure, trusted, and portable”, in providing citizens and businesses with a safe and privacy-compliant access to digital services. The declaration also referenced the potential of digital identity in humanitarian and emergency scenarios and its potential contribution in the attainment of the aforementioned United Nations Sustainable Development Goal, Target 16.9: “to provide legal identity for all”.
The EU eIDAS regulation set out to harmonise the mutual recognition of electronic IDs and trust services in Europe. While approximately half of the member states notified their eIDs for the purpose of mutual recognition across borders, others, including Ireland, were more hesitant, being concerned about the outdated concept behind the architecture and the practicalities of how it would work on a day-to-day basis. The concerns of this group were proven justified when a review of the eIDAS regulation by the Commission highlighted the need to improve upon the regulation, both with regard to trust services and eID.
In particular, the evaluation highlighted several specific challenges with the eID approach, including weak implementation, low uptake by citizens, difficulties in interoperability, limitations to cross-border utilisation, lack of convenience, complexity of the notification process and the limitation of the service to the public sector only. The Commission admitted that only about 60% of the EU population in 14 member states was able to use its national eID cross border and only 14% of key public service providers across all member states allow cross-border authentication with an e-identity system. The number of successful cross-border authentications per year was also very small, although it is on the increase.
The evaluation concluded that a framework for European digital identity was required that both acknowledged and addressed the implementation challenges associated with existing digital identity legislation and, equally, would help deliver a workable and popular self-sovereign identity solution for citizens. On 20 September, in her state of the Union address, Ursula von der Leyen, President of the European Commission, stated:
Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how.
The ambitions for this European e-identity include that it will be actively used across Europe; will be available to any EU citizen, resident or business in the EU that wants to use it; will be used for public and private sector transactions; will include credentials; will be operated via digital wallets available on mobile phone apps and other devices; and will give full control to users to choose which aspects of their identity, data and certificates they share with third parties and keep track of such sharing.
The new proposal for a new European digital identity framework was published on 3 June 2021. The proposal consists of a regulation amending Regulation (EU) No 910/2014 as regards establishing a framework for a European digital identity, an annexe to the regulation and a recommendation on a common Union toolbox for a co-ordinated approach towards a European digital identity framework.
From an OGCIO point of view, while we have an interest in the development of the legislation, our main focus will be aligning with any technical solution - much as we did recently with the digital Covid certificate. At this stage, while the Commission seems to have a good understanding of timescales and the required resource commitments - about 60 full-time equivalents and €30.8 million estimated for the implementation of the proposal between 2022 and 2027 - the detail on the actual technical approach is thus far limited.
The early draft of the regulation states that the financing will support costs linked to maintaining, developing, hosting, operating and supporting the eID and trust services building blocks and it may also support grants for connecting services to the European digital identity wallet ecosystem and the development of standards and technical specifications. The regulation states that the underpinning technologies should be developed towards the highest level of security, user convenience and wide usability. It states the ambition that all European digital identity wallets should allow users to electronically identify and authenticate online and offline across borders for accessing a wide range of public and private services and also serve the institutional needs of public administrations, international organisations and the Union's institutions, bodies, offices and agencies. Achieving this while making the app a viable alternative to commercial equivalents and one that will encourage substantial uptake will be challenging. The process should be helped by one of the early deliverables, namely, a toolbox for a European digital identity framework. This is planned to include a comprehensive technical architecture and reference framework, a set of common standards and technical references and a set of guidelines and descriptions of best practices.
The technical work regarding technical architecture, references and standards by member states and the Commission has not yet commenced but will start shortly.
In summary, this is an important initiative and aligns well with the discussions we have been having in Ireland with respect to increased use of digital wallets and credentials. However, much needs to be done to move this from being conceptual to successful implementation. I thank the committee.
I apply the word to the Chair. I thank both of the contributors. I read their opening statements last night and again this morning. There is a lot in them. They are quite technical. I do not think I have ever had anybody talk to me about this kind of stuff when I was canvassing a local or general election for a candidate. At the same time, it is important that we are aware of what is being progressed. I note that we can have a political opinion on it but, at this stage, it does not look for any kind of ratification by Parliament.
I thank both contributors for their opening statements. I have a few questions on them. I am looking at the European digital strategy about cutting fuel emissions and allowing more video conferencing. There is a certain irony in the fact that members have to be on the campus to have this meeting and that we cannot do it remotely. This is the exact kind of thing that we should be able to do. I appreciate that there are constitutional questions involving that; however, over time we should try to make sure that people can work remotely as much as they choose if they are able to do the job appropriately.
First, I have a few questions to Mr. Lowry. Is there any scope for this to be applied to things like the European Health Insurance Card, EHIC, or even in proving one’s identity on platforms such as Facebook or Twitter? We talk about anonymous accounts, bullying, and so on. I know this is a little away from the basic premise of this. Could it be applied so that one has to show one's identity to establish a Facebook or other social media account, to eliminate the trolling elements and the anonymous bullying that goes on online?
On the cost and the financing, does that come out of the Central Fund or can Revenue charge for services? Is that part of the scheme? From an individual’s point of view, a digital wallet may be of benefit. However, if that were to be done, what would its benefit be to an ordinary member of the public, or to any of us, our family members or friends? Could we open bank accounts in other countries? Obviously, the digital Covid certificate is working very well. What else can we do with this? What is envisaged that can be done with the eID technology, if we all had these digital wallets?
Mr. Barry Lowry:
I thank the Senator for his questions. I will try to answer them all. First, this is at a conceptual stage. As the Senator picked up, it is hard for the public at this moment in time to get an understanding of the benefits of this. However, what members of the public do understand, because they are using the technology, is the concept of downloading a Ryanair or Aer Lingus boarding pass, and putting it on their Apple, Android, or whatever other phone wallet. This is broadly similar to that. In fact, one of the things that the Commission believes is that they have given too much control over this ecosystem to the commercial sector, and not enough control to governments.
I am sure the commercial sector would debate that, but it is certainly one of the things about which people are thinking.
In terms of how one gets benefits out of it, Senator Horkan has given a really good example of how the Commission should be taking this forward, which is the European health insurance card. It would be very easy for people to carry one on a device, like a phone, and simply have fewer things to carry. That is certainly part of it, but also the Commission talks about other things, such as, for example, if you wanted to hire a car in, let us say, France, that you could have your driving licence and insurance documentation on your phone as well. These are documents we carry all the time and we do not have to make a specific point of remembering them because we think we might hire a car for a day while we are on holidays.
In terms of other benefits, Senator Horkan has given a really strong benefit of one of the cross-border dimensions to this, which is opening a bank account. I remember a couple of years ago I was giving a lecture at Trinity College. It was to a master's class in digital marketing. I was asked a question by a young Frenchman who had got a job in Microsoft. He said that when he came over to Ireland, he could not rent an apartment because he did not have a bank account. He could not open a bank account here because he did not have an address in Ireland. That is a case in point whereby his identity could be verified by his own nation, France, and it would make life a lot easier for him. This is the European concept of the free movement of people. Senator Horkan has hit on one of the real potential areas for selling this concept to the public.
The final matter that was raised relates to social media. Of course, this is a completely different debate about whether a government should do this. Senator Horkan's question was whether it would be technically possible. The answer is that it absolutely would be. In fact, one of the things that the President was hinting at in her speech was that often if we go onto a new website it will encourage us to sign up to it using our existing Google, Facebook or Microsoft credentials, if we have those. What they get out of that is they know which websites we are going to and they get a greater understanding about us. The idea is that this European approach would mean that we would control that data and that privacy rather than the commercial entity which is giving us the capability of doing that. We could turn that around the other way and use our European identity to verify ourselves to open social media accounts and so on, but that in itself would require different legislation and a debate about the protection of people online versus the privacy of people who want to go online. I will leave that to experts like Senator Horkan rather than comment on it.
I would not regard myself as an expert at all. As the Chief Information Officer, Mr. Lowry is definitely the expert over me on that kind of thing. The Facebooks of this world are under pressure to not allow anonymous accounts. They are also under pressure to prevent fake news being put out there as if it is real. There will be a large appetite on the part of lots of people, including criminals and others, who would like to have an anonymous existence and, perhaps, operate out of other jurisdictions. There is an appetite for us to be able to know who is behind what goes up there and the people who are making the comments.
I am conscious of time so I will ask my final question. The committee has discussed the cyberattack on the HSE. In terms of the security of the data, would it be held by each nation or in a big European cloud somewhere? I know it is all in the cloud anyway, but who minds it and how is it protected? We all use online banking, mobile phone data and lots of tools that present a risk. Has anyone been looking at the security aspect of it? Has there been much exploration of that in this particular revision of the regulation, given the access to the identities of 300 million or 400 million people that would be seen as being as verifiable as a passport?
Mr. Barry Lowry:
The Commission understands the problem and it has committed to looking at various options for making sure that its security and usability are enhanced.
To take something like the digital Covid certificate, for example, what happens is that each nation owns its own data and it holds only sufficient data to meet GDPR. There is then an interoperability system that enables any digital Covid certificate to be read in France, Germany or another part of Europe. We could go that way, whereby nations would still control their own data and use standards for interoperability.
One of the strengths of the digital wallet is that it goes a bit further because it allows individuals to carry their own identity with them, and to use it themselves. In other words, a government would provide the credentials. For example, we would provide a digital driving licence credential but we would not actually know why that was used, or that the person had gone to France and hired a car, or whatever. That gives more privacy to the individual. When the term "digital sovereignty" or "private sovereignty" is used, that is what it means, namely, the person is in control of his or her own data. This architectural landscape will be designed following consultation with all parties to try to get a balance between maximum security, maximum usability and maximum privacy for the individual.
Mr. Barry Lowry:
Absolutely. A passport is effectively a paper credential which says something. It says you are a recognised citizen of the State of Ireland and Ireland gives you a credential - a passport - which proves that. A digital passport is no different. What would happen is that, a bit like the digital Covid certificate, Ireland would have its own unique identifier which can be read by other countries, and it would work exactly the same way. It would be perfectly feasible to create a digital equivalent of our Irish passport.
I thank the witnesses for coming before the committee. This is a highly technical area and Senator Horkan has touched on many of the issues I would have raised. I will try to keep the conversation flowing. Mr. Lowry said this is very conceptual at the moment and is in its infancy. Can he explain the next steps in trying to develop a technology like this? What type of inputs will Ireland have? I note Mr. Lowry said we had aligned with Europe in this regard. Can he explain the next steps and how long it will take? Obviously, it is hard to identify that now but the concept is good. Can he explain what input the State will have and how long it will take to roll out those steps that will bring us there?
Mr. Barry Lowry:
I will do my best. The next year is going to be a very important year for the legislation because work will continue on two fronts. First, the legislation itself will be further developed and consulted upon, and our colleagues in the Department of the Environment, Climate and Communications will focus very much on that. Our main focus will be on this idea of a common toolbox. The target is that it will be signed off by September 2022, so we have just less than a year to complete the work.
I think it will be a long and arduous road. The reason I think that is that, as I said in my opening statement, some countries have put a big investment into implementing the eIDAS initiative while others held back a little bit. In regard to those countries that proceeded, eIDAS was largely built on the concept of chip and PIN, and those of us who are using online banking will remember our little card reader and how, in order to transfer money, we had to put our debit cards into the card reader, put in codes and so on. That costs a lot to implement. I know that, for example, in Hungary every citizen owns a chip and PIN reader because of the eIDAS legislation.
They are going to want to try to ensure what they have achieved so far coexists with where the new model is going. To try to get a technical approach that embraces all these is going to be difficult. Other countries, like ourselves and Austria, believed from the outset that this should have been developed using mobile phone technology. However, even then the challenge is going to be great because first of all there is the question of whether we are going to focus this on the main players, that is, the Android operating system for phones, which is Google-oriented, and then of course the Apple operating system as well. Europe is a little reticent to do that because it is giving the two American giants a big say in how the European digital passport will work, so all that must be negotiated.
Finally, the whole point of this is to be inclusive. Some of the difficulty with apps, as members are probably aware, is around people with older phones, less advanced phones or the newer Chinese phones which are emerging and are cheaper but do not meet the same standards. How we actually get apps that work in the same way in every single phone is going to be a big challenge. It might well be we will look at different models for how we do this, to make it easier. For example, the digital Covid certificate is very light-touch. All the processing is done by states in their own infrastructure and what the user gets out of it is simply a credential which is easily read by any phone with a camera on it. It may well be we will look at options like that as well, but all of that is still to be decided.
Returning to the cost, which Senator Horkan asked about, who will bear it? What type of supports will we get? Have we put aside a budget to further develop this? Even within Mr. Lowry's own unit, how many people are working on this? Is there a dedicated unit? Does it have targets?
Mr. Barry Lowry:
From the European perspective, they have identified what they believe they need to drive the central solution and it is €30.8 billion over five years, from 2022 to 2027. That money might include some grant to the member states to do some work on their end. For example, the digital Covid certificate had a small grant to cover some of the cost states committed to it, but not all of it. One of the other options available to us is to use things like Connecting Europe Facility, CEF, funding. We have used that for a number of things.
The underlying premise that an individual can carry his or her own credentials on his or her phone should he or she choose to do that is a very good one and something we have been starting to explore in Ireland as well. I hope some of the investment we might set aside to that in the State will also cover what happens at a European level. For example, if we said to the public that rather than having to remember to carry your driver licence every time you are driving in your car, would you also like a version to have on your phone which gardaí would accept if they stopped you, many people would say they would. Often when going to the gym or somewhere like that, I would not have my jacket and would not have my driver licence with me, but you always seem to have your phone with you wherever you go. There are examples where the people will be very supportive of this. Certainly, there is a consortium within Ireland made up of insurance companies, banking, An Post and various others, which thinks this is a really powerful tool and could be used in many ways. Those organisations will be very keen to see Government sponsor this and make it happen. During Covid we have all gotten used to just touching a screen with our card and having it scanned. Many people now simply carry their card on their phone. Many people are very comfortable with where this technology is going and the opportunities offered.
I think that in Ireland we would be doing much of that anyway regardless of what was happening in Europe. Obviously, the events in Europe will strengthen our determination to move forward as quickly as we can on this.
I thank the Chairman and the witnesses. I will pick up on some of the queries that have been raised with us, particularly in the area of data protection, monitoring and enforcement. I appreciate that there are many questions still to be answered on this matter.
Is it the case that there is a question over the concept of data minimisation and how that will be ensured, and enforced? Is it the case that the proposal allows member states three options to provide the wallet app? Is there the potential that the private sector would have access to highly confidential and sensitive personal data? How is this aspect being considered and how will it be managed?
Mr. Lowry or his office said previously that it is not yet known where responsibility will lie for enforcement of the obligation on the private sector digital service providers. Mr. Lowry, is there any further update on that?
Mr. Barry Lowry:
Yes, I wondered if Ms McCabe was going to answer first on the actual legislative piece.
In terms of the technical design, there are a number of ways that we can do this. If I can use the recent digital Covid certificate, because obviously we had a couple of good conversations about that at the time, what we did there was we went to the Data Protection Commissioner and set out a potential proposal that basically was built on a privacy-first basis. In that solution the data that is made available for the purpose of travel is different from the data that is made available for the purpose of indoor dining, for example, because it is all very privacy-oriented so we could design this in a very similar way.
What will drive this is how the public want to see it developed as well because, in Ireland, we use this concept for digital Government services where it is not just user-centric - in other words, a group of civil servants deciding what is in the users' interest. It is user-driven - in other words, we meet the users, ask them what they want and we let that drive the solution. What we will certainly be presenting in terms of our input into the EU discussions is what the Irish people tell us they want. The features of the contact tracing app were all chosen by the public. That was the way the Irish public wanted the app to be designed so the Irish app differs slightly from other European apps.
I would like to see us develop our own concept of a digital wallet that is driven by the Irish people but meets European standards and guidelines, and then introduce a degree of inter-operability. In other words, if someone chooses to download their driver licence in the future, and their private sector insurance certificate, because they want to hire a car both of those can be read and understood in France, Germany, Spain or wherever they might want to hire a car. I suspect that is the way we will go. As I said in my opening remarks, the discussions on how the technical model will look are only beginning in the next few days so it is very early in this process.
I also asked about the relationship with the private sector digital service providers and oversight. Are there concerns that sensitive personal data might get into the hands of actors, whatever their intentions, that one did not intend to have control of or access to such data?
Mr. Barry Lowry:
In sketching out how this might work in Ireland we used a concept entirely owned by the Government known as the digital postbox. This is the system that is used in Scandinavia, the Netherlands and a few of the forward-thinking European countries, which is very appealing because it supports what you might do on the phone. In terms of how the digital postbox will work as it becomes more established if, for example, the RSA makes the driving licence available in the digital postbox you can get it transferred there. That digital postbox is entirely personal, it is safe because it is in the cloud and it would be accessed using a MyGovID account. A person could choose to download a credential from a personal digital postbox to his or her phone for a specific purpose. In terms of what we might also do - we have received some feedback on this which the public might be interested in hearing - a person will be able to choose to get his or her motor insurance certificate from, say, Aviva in a version that can be also stored in his or her digital postbox, but it would mean the insurance provider would not know anything on that digital postbox other than what the person is required by law to reveal to it. There are obligations with regard to a driving record and so on about which a person must tell his or her insurance company, but it would not know anything more than it is entitled to know through the basis of insuring his or her car. As such, the person is controlling the access to his or her data and also the privacy of his or her data. In the case of a phone change, the person can delete everything from the old phone but the information is still safe in the digital postbox and it can be downloaded onto the new phone. That is one model in terms of how we see this might work. We are interested in the Commission's views, and those of member states, on how they might see it working. I am sure we can come up with something that is workable on a pan-European basis.
That is really important. One of the things that frustrates people when they travel is that the rules are different in every country. Hiring a car can be so frustrating when it should not be.
Mr. Barry Lowry:
I would hope that they will align. The Government is open to continuously evolving how we do things, even replacing MyGovID if something more popular or more secure comes along. In terms of public uptake, it is very popular; they like it the way it is. I suspect that we would, probably, align with that model. Unlike the rest of EU States, Ireland does not have the concept of the national identity card but it does have a State-approved electronic ID for use with State services. We have never extended that into private services, but again the public might want to see movement in that space. That is open for political debate then.
I would welcome an update from Ms McCabe on the status of negotiations, the timeline in that regard and if it is anticipated that we will see significant changes in the details of the proposal before us.
Ms Mairéad McCabe:
My understanding is that the negotiation period will be up to one year. In the small number of meetings that have been held at working party to date, so many questions have come in from all of the member states and, in many cases, the Commission is taking them as new questions on which it will reflect such that I would imagine that there will be small but significant adjustments to the text as we proceed. As much of what is proposed in the text is at quite a high level, with not a lot of detail supporting it, there are many questions. For example, today some of the articles dealing with those services are being discussed. There will be many questions coming in the direction of the Commission, which will need to consider the full implication of the new linkages being identified by member states.
I imagine that Mr. Lowry has more information on the technical discussions, but I understand that they will begin towards the end of this week. The Commission is trying to avoid technical-, standards- and specification-related questions coming in at the working-party level, because these should be dealt with in the parallel technical discussions. It will be challenging to marry the legislative discussion that is happening on one train track with the background technical discussions. Mr. Lowry’s point about making it user-friendly, user-driven and workable is the ultimate aim. However, because there are so many different views from different member states, it will be challenging.
On the last question on protection of data, there have been numerous reassurances from the Commission that there will be no profiling, no data collection, and no mixing of identification data with personal data from other services. There will be that physical and logical separation of one’s personal data. Trust service providers, TSPs, of attributes cannot receive any information about the use of the attributes. The intention is that there will be in-built protection from a data protection point of view. However, obviously, we will be checking in with the Data Protection Commissioner as the proposal progresses and as the text evolves.
I thank Ms McCabe. I note the correspondence we received from the Data Protection Commissioner in relation to the current stage of progress and on the greater detail that needs to become available before it would be in a position to offer a firm opinion.
I will move on to the Fine Gael slot, which is myself. I want to move onto the purpose of today's meeting, which is to look at COM/2021/281. One of the key things that we, as a committee, have to decide is whether this breaks subsidiarity rules. That is my question for both Ms McCabe and Mr. Lowry. In their professional capacities, and in their respective roles, do they believe that COM/2021/281 breaches subsidiarity rules? I will start with Mr. Lowry and then I will call Ms McCabe.
Mr. Barry Lowry:
I thank the Chair for his question. At this moment in time I do not believe it will. However, it is far too early in the process to give a clear answer to that question. Obviously, in all discussions, we will try to create legislation and a technical solution which meets the interests of Ireland and the Irish people; that reflects our different views on privacy and data control, etc., to many of the other member states; and that makes sure that any solution that is chosen, as well as the legislation, reflects the will and the desires of our own people and how they would use this facility. At this moment in time I do not have concerns, but it is a bit early to give a final answer on that.
Ms Mairéad McCabe:
I would reflect the views expressed by Mr. Lowry that it is early. As the proposal evolves in discussions between member states, there will be very much a desire to ensure that subsidiarity rules are not breached. At this stage we cannot say there are any specific concerns, but we probably need to keep a close eye on it as the negotiations progress.
I will return to Ms McCabe.
Not too long ago, in 2019, the Data Protection Commission had issues around the public services card. It found that people accessing public services in Ireland should not be required to have a public services card. It was across a range of areas. That is why I am putting the question.
My second question is more for Mr. Lowry. Ms McCabe is co-ordinating this project. I note that she says in her opening statement:
The primary policy focus of our division in the Department is on the telecommunications sector. While the eIDAS regulation is not a telecommunications issue, the EU Telecommunications and Information Society Working Party is currently considering this proposal at European level and this Department is leading discussions in the negotiation.
That seems a slight contradiction in terms. In one breath, she says it is not a telecommunications issue, yet the EU Telecommunications and Information Society Working Party is dealing with it. We are dealing with personal data. When the public services card came into operation the Data Protection Commission stated at the time that it had concerns with it. What happens if we get to a point whereby this framework progresses, and it is suggested that it is breaching GDPR rules?
Ms Mairéad McCabe:
While I did confirm that our main focus in the telecommunications policy and regulation division is on the telecommunications sector, since we are holding the pen at working party level, there is a concern to ensure that all the relevant inputs are made, including consulting for example with the Data Protection Commission to ensure that what comes out at the end of the legislative discussion is fit for purpose and will not breach any rules. I am afraid I cannot comment on what happened with regard to the public services card. Mr. Lowry may wish to comment on that. I want to reassure the committee that a very close eye will be kept on any new suggestions coming in from the Commission that would in any way go near to breaching GDPR because that is not allowable in European legal terms. We are conscious of the fact that as the technical discussion proceeds, the Commission in a way is giving itself quite a lot of freedom through giving itself power in the revision to produce a number of implementing Acts. It behoves us all from a cross-departmental perspective to ensure that whatever is in the top line of the legislation itself, that the technical detail of what goes into the implementing Acts will not end up breaching in any way what we hold dear in terms of GDPR.
On page 3, Ms McCabe stated:
Article 17 of the [2014 eIDAS] regulation requires member states to designate a supervisory body to regulate trust service providers within its jurisdiction. The Minister for the Environment, Climate and Communications has approved the designation of ComReg.
It looks to me that while it has been approved, there is not a designated body. Given that it is seven years after 2014, why is it that ComReg was not the designated body before now?
Ms Mairéad McCabe:
The reason is that initially a role was given under regulations to the chief technical officer function within the Department and this Department was endeavouring to identify, across all of government, which would be the most appropriate body because it was not initially evident that ComReg would be a neat fit with it. It has taken some time and consideration of a number of options for us to identify that there was potential to appoint ComReg, to enter into discussions with it, and then to move towards the formal designation once we obtained a ministerial decision.
There were some delays encountered from the volume of work due to Covid and the time it took to arrive at a decision to appoint ComReg. It is in safe hands in that there is that oversight of trust service providers at the moment. There are only two in the market and there is a very active process in train to designate ComReg as the supervisory body. Looking to the future we could anticipate that there would be substantial growth in the number of trust service providers, including in Ireland. We need to get it right in the primary or the secondary legislation that we double check back that ComReg is a good fit for this.
My next question is for Mr. Lowry. How does this proposal differ from the digital Covid certificate, DCC? Could I say that the digital Covid certificate is almost a pilot project of what they are proposing? It is a European wide project. The data held under the digital Covid certificate is retained by the host nation or the individual country. How will this differ from the digital Covid certificate and is the DCC the model?
One of the main concerns of the Data Protection Commissioner with the public services card back in 2019 was whether the private sector would be able to get access to data. What is being proposed here would have infinite data on individuals that they can use across the European Union. Knowledge is king, and the controls over it. How will this not be abused? The whole issue comes under cybersecurity. As I understand it, the subsidiarity point effectively supersedes the rights under various EU treaties for an individual state with regard to control of its affairs. The questions concern the digital Covid certificate versus what is being proposed here, the whole area of access to data and who will own the data, and can it be open to abuse. Perhaps Mr. Lowry will flesh this out. Reference is made to banking facilities. Has the Central Bank been consulted on this particular communications directive? I am trying to get to the point where I am happy that it does not breach subsidiarity.
Mr. Barry Lowry:
The digital Covid certificate is probably a template for how interoperability can work across the EU and the EEA member states. The digital Covid certificate itself is what we would call a "credential". In other words, it is a proof given by the Government of Ireland that an individual who is resident in Ireland, has received two vaccinations, or has recovered from Covid, or has successfully had a negative test, either a PCR test or whatever it happens to be. This is what we call a credential. In the same way that a person's driver's licence is proof that he or she has passed the driver test and has not driven in such a way that it has been taken back for a regulatory breach of driving rules. In much the same way in the private sector, a car insurance certificate is proof that a person has been through the process of insuring his or her car, which means that should the person have an accident and is at fault then the other driver is protected. We call all of these things credentials. The digital wallet seeks to find a way to safely collect all of these credentials together and can use them in a way where the individual has full choice and full control.
That is important. When this idea of individual sovereignty or self-sovereignty is talked about, it means you control what happens to your data. That is obviously compliant with the GDPR and it is how we have always understood data works. If I decide to go and get health insurance I would have to reveal information about my health to that provider because it is entitled to know it for the purposes of how it insures me and how much it will cost. That is what the GDPR calls proportionality and specificity. The insurer does not need to know other information about me, such as my bank details and so on but obviously if I took out a car loan it would be entitled to know some of that information, and so on. The purpose of this is to ensure that for every transaction I wish to complete, parties involved in that transaction, whether it be a public service or a private one, only see the information relevant and pertinent to that transaction. If I no longer require that transaction with them, they no longer see that information about me. Those are really the underlying GDPR principles that have to be applied in this model. If they are not successfully applied in this model then the European data protection commissioners will insist they revise the model until it is acceptable.
I have not read the input into this session from our Data Protection Commissioner but I suspect that is broadly what it said because it can see how it works. However, it will be ensuring all principles of GDPR will be adhered to right through the process. Mainly, those are that as an individual I can participate in this, entirely through my own choice, and I can cease to participate in this through my own choice and my data will be removed.
I will come back on that. On the Data Protection Commission, a deputy commissioner, Mr. Dale Sunderland, wrote to us this morning because we wanted to get the commission's input. In summary, it states that:
In conclusion, at this preliminary stage and taking account of the formal assessment carried out by the EDPS, the DPC along with the EDPS and other EU data protection authorities now awaits the advancement of the draft proposal both at EU level and in terms of proposed implementation in Ireland. As noted above, the development of the technical architecture and the implementing acts will provide an opportunity to more fully assess the data protection implications of the framework for a European Digital Identity.
What is the timeframe on this? Where do we go from here? How long will this take? What is the next stage of the process? When does Mr. Lowry anticipate it will be in place?
Mr. Barry Lowry:
As Ms McCabe said, the Commission hopes to draw the legislation to a conclusion within a year. That is hugely ambitious but that is its hope. That means it needs, fairly early on in the process, to get a reasonably detailed draft it can send to the European data protection commissioners to get their response and adjust the legislation accordingly. We have seen it, for example, with the European Data Governance Act, DGA, where they were quite late going to the European data protection commissioners and their input has required some very significant changes to that legislation. That is the way it must work.
I understand the EU is proposing to make this mandatory. Does Mr. Lowry believe it to be proportionate? Can countries opt in or out? For argument's sake, let us say it is up and running and we have a cyberattack on Ireland. Can we come along unilaterally and say we are not using the app or the wallet anymore for a period? Is the fact the EU is looking for it to be mandatory proportionate or should countries be able to opt in or out? We had a cyberattack not too long ago on the HSE and there are probably others we are not aware of. Do we then have the capacity to unilaterally decide at that moment in time that we are not using this European-wide digital wallet app?
I call on Mr. Lowry to respond, please.
Mr. Barry Lowry:
I suspect that the Commission will try to come forward with legislation and a technical solution that no member state will opt out of. If several member states opt out then the legislation and the technical solution is not meeting the basic European principles of the free movement of people which this is seeking to underpin.
When the Commission speaks about monetary aspects of the legislation, it seems to be talking about what is mandatory in respect of service providers. In other words, if a service provider wants to get involved in this, it will have to follow specific rules because that is the only way that the Commission can give its citizens, the citizens of Europe, the reassurance that this ecosystem is privacy-centric and secure. It will not be mandatory for citizens to use it as they will still have alternatives. That is why what it needs to be is very compelling. In other words, it is much more convenient and even safer-----
My apologies for interrupting, Mr. Lowry, but if there was a cyberattack on Ireland, could the Irish State say that it would be discontinuing the recognition of this wallet in respect of our national and cyber security?
Thank you, Chairman. I thank the witnesses for appearing before the committee today. The committee has already gone into a great deal of the detail. I want to check a particular matter. I understand that we are talking about the electronic identification, ID, and the wallet. In fairness to Mr. Lowry, he said that the whole idea for this to be successful is that it has to be a sellable entity that makes people’s lives easier and that it is easy to use by end-users, depending on with whom one is trying to interoperate. Security and privacy then have to be perfect and we hope that we can ensure all of that.
Ms McCabe spoke about a one-year negotiation. At that stage we then have something that is closer to an end-deal or proposal with whatever questions remain, whereas the legislation is going to be carried out on the basis of the information known now over the next three to four months or so. How exactly is this and the interaction with the Commission going to work? What is the foreseen timeline on talking about something being an end product and when we can look at solutions? I accept what Mr. Lowry has said earlier in that there are certain technical issues that people will want to use, such as legacy technologies they have already invested in, whereas we are looking for something like the digital Covid certificate, DCC, where one has multiple DCCs, whether those relate to banking, passports or whatever else, on one’s phone.
Ms Mairéad McCabe:
I thank the Chairman. While the Commission has identified a one-year negotiation period, it could go longer. In the meantime there are regular working party discussions, where article-by-article consideration takes place. That negotiation will be twin-tracked with the technical discussions that are just kicking off at the end of this week.
It is geared towards the preparatory work that must be done on the technical standards, specifications and so forth. In the meantime, the Department will reach out to various stakeholders to ensure that there is a common understanding of the text as it evolves and that Ireland’s inputs in this regard will hit home. In a way, the whole purpose of the working party negotiations is to allow member states to challenge the Commission's thinking and to double-check that there are no unforeseen consequences in what is being proposed. Active dialogue will be ongoing at national level and that will feed into the working party discussions. At certain points, the Commission will refer back to the working party on areas of concern.
The ongoing discussions are geared towards the development of a toolbox. In respect of developing the end product, pilot implementation projects will be undertaken in various member states and representatives from those will all be talking to each other concerning the architecture and standards. Turning to the implementing acts that were mentioned several times this morning, the devil in those details will have to be worked out at the level of technical subgroups. Therefore, we are looking at the deployment of the digital wallet and the Commission is striving for that to happen within 12 months. Again, that seems ambitious regarding whether it is doable. An assessment will be conducted by the Commission some 18 months after the deployment of the new digital wallet to see whether it is working well in practice and what, if any, changes might be needed.
That is brilliant. In a perfect world, then, everything would get sorted out between the individual member states and the Commission and the digital wallet would be ready to go. People moving to Spain, for example, or elsewhere, will be facilitated in opening bank accounts. Like any good system, it would then be assessed and reviewed six months later and any required fixes will be undertaken. That makes complete sense.
Ms McCabe and Mr. Lowry mentioned that there are only two trust providers within the State now. ComReg is likely to be the supervisory body. There may be issues with an over-reliance on the private sector. This point brings us back to the information security scenario and how it is foreseen that that aspect will be dealt with. I do not suppose that it is beyond our ability to employ software engineers and designers to ensure that we can come up with something that does the business, even if that involves using an outside firm. I imagine there would be some capacity in that regard because there is no shortage of such firms in the State. I ask Mr. Lowry to respond to those points.
Mr. Barry Lowry:
I thank the Deputy for his questions. He is absolutely right. Regarding how we can progress a technical solution, our eID infrastructure, which we propose that we use, that is the MyGovID infrastructure, is entirely owned, end-to-end, by the State. It is unique in Europe and globally because there was no private sector involvement in its design and ownership. We obviously used contractors and companies-----
Mr. Barry Lowry:
It would be built with ownership and control entirely in the hands of the Government, but using our partners. If we take an example such as the creation of the digital Covid certificate, we used an Irish partner based in Waterford for that project. It is very good and probably one of the leading technology companies in Europe. The Department of Health and the HSE, however, retained ownership and control of the rules for how the system works and the processes involved, etc. Delivery was undertaken by several technology partners, including the OGCIO, the Revenue Commissioners and private sector companies. I foresee this project working in the same way.
Mr. Barry Lowry:
You can use any European trust adviser. I suspect, as this starts to take off, that more capability will be introduced from Ireland in itself. People in Ireland have been watching how eIDAS has developed. It has been slow. As I said in my opening remarks, the technology solution did not take the phone into account, whereas even in 2016, people generally thought that the phone was the future of carrying your identity. We used it and it was something we were comfortable with. As I said earlier, we now are using it for shopping and so on. In Ireland, we will see growth in this area as it is recognised that this will move forward quite quickly.
All of us have had questions in the last while. People are consistently on and a kid might end up using a YouTube account connected to an email address, then information about a person's bank card number is requested, which that person might not be happy to provide. People are already uploading information such as passports, driving licences and so on as a means of informing companies about age or other details, as second checks. It is probably happening on some level. If we had something that was secure and you only provided the company with the information that you wanted to provide, as opposed to the means of allowing an 11 or 12-year-old to spend €400 in one day, which has not happened but is a consistent, constant worry.
Mr. Barry Lowry:
I think the Deputy is right. The underlying principle that the Commission is using is that regulation can be used to try to moderate the behaviour of commercial companies and multinational commercial companies. There may be some areas where we need to own the identification process ourselves and that is where we can maximise control and assurance. That principle is absolutely right. Then there is the challenge of how you open that up and in what way. We are seeing it in Ireland with our own electronic identity, where it is only used for public services but people are asking why they cannot use it for banking or things of their choice. That is reasonable. We are moving into the next iteration of the digital world, which is the individual understanding it better and wanting control of it, and wanting to see what a company does with a person's data, such as an airline when a person books a flight online. People might ask if the airline is doing something that it is not entitled to. GDPR and all of these things are all layers of the same underlying principle, which is that no one should know anything about a person unless entitled to for the purpose of that transaction and the individual should always have control over what those transactions are, when they stop, and when data are deleted.
I agree. We are back to easy-to-use systems which deal with security and privacy. It makes sense that it is owned by the State rather than subcontracted to a third party, while accepting that third parties will have the technical capacity to be part of the build and the maintenance. That is a different kettle of fish. I add my voice to what was said earlier, that if we are looking at creating better circumstances regarding anonymous accounts on Facebook and Twitter, the eIDAS infrastructure could provide a means to facilitate them to do it while also requiring an element of leverage from the Government and the EU. That should happen anyway. I do not think anyone would dispute that.
This is something which is often thrown at me. While I have Mr. Lowry here, can he detail some of the issues which have arisen in getting the digital Covid certificate portal online for people who are living in the North and those who are living in the South and were vaccinated in the North. My understanding is we are nearly there. If I was to take a guess, I would say that service will be open for those two cohorts this week. Can Mr. Lowry explain? I would very much appreciate if he could give an absolute timeline.
Mr. Barry Lowry:
As of last night, I was told we hoped that it would be launched on Thursday. We are going through the final security aspects. The difficulty was we have to be able to prove that an individual is an Irish citizen, in a way that does not compromise his or her privacy and so on. The transaction is that one has an Irish citizen in the North who has been vaccinated there and we are not entitled to see his or her health record in the North, so what we are-----
Mr. Barry Lowry:
Yes. There are two parts to this. The first is to be able to have the Northern Ireland digital Covid certificate and the second is we can basically run a minimum data set to the Department of Foreign Affairs and it can confirm that person is an Irish passport holder. We were putting significant emphasis on the security of that part, for obvious reasons. As of last night, I understand everything is well progressed and barring some unforeseen problem or disaster, the portal will be up this week.
I thank the speakers. It has been a most informative morning. We are in the process of trying to put together our cybersecurity network in Ireland. We have an abysmal system in place with an acting director in place and no director appointed. We are in a pretty sorry state for a country that hosts some of the largest information technology companies in the world. Are we putting the cart before the horse by talking about digital wallets when we are not in a position to guarantee those data will be safe? The Minister of State, Deputy Smyth, told us last week that every Minister's telephone was encrypted and yet a Minister's telephone was in some way compromised. We are not 100% how, but it was compromised. I am excited by what Mr. Lowry is talking about. I have been in information technology for most of my working life. We are talking about a huge step forward and we can all agree the benefits are incredible. However, the architecture of the entire infrastructure will be vitally important. We cannot have a single server or location managing all these data.
Data is going to have to be distributed. You can imagine what would happen if I had to rely on my medical records, for example, being available through this information system. If I was in Spain, for example, and there was a power outage or something like that in Dublin, then I could find myself in serious trouble.
With the best will in the world, the sharing of data across different sectors, particularly the public service, is an issue. One of my colleagues has mentioned travelling to Spain and opening a bank account there. We have seen how successful the Criminal Assets Bureau has been at identifying people who are in receipt of social welfare and who are driving around in Bentley cars. Those cars were repossessed to the benefit of the State. Can we rest assured that this type of data would not be shared across Departments? I refer, for example, to the Department of Social Protection sharing data with the Revenue Commissioners? While I see huge benefits in being able to share such information, the rights of citizens have to be put first.
It was stated that most countries in Europe have a citizen's identity card. A digital identity would subvent the identity card or allow us to have digital IDs on our telephones. Will the latter give rise to a constitutional issue for Ireland?
Finally, I am sure that serious legislation will be required to get this scheme up and running. It is a really exciting step forward and will provide citizens with a huge amount of flexibility as regards their data. Do the witnesses agree that the scheme poses serious loopholes and risks? Most of my questions are for Mr. Lowry.
Mr. Barry Lowry:
I thank the Senator for his questions. On the first question, you could argue that this is putting the cart before the horse. As the Senator will know, with any good idea, you need to get an understanding of what the potential is for the idea in order to start to get robust questions about it, which is what he has just given me. What the Commission has tried to do in the statements and communications it put out is to get people to understand what it is trying to achieve and then to hear user concerns in order to shape the regulation. I have absolutely no doubt that in due course the European data protection commissioners will take a detailed look into what is planned and will comment in a very detailed way on any modifications that would be required. That relates to the Senator's second question on how the scheme will be designed.
The one thing that this scheme will not do is create a huge bucket in which every single public and private piece of information about us will be held and can be disclosed to anybody who is interested. That is what it will not do. I think it will be a distributed data model. We are used to that, conceptually in any event, because in Ireland, for example, our driving data is with the Road Safety Authority, our tax data is with Revenue, our welfare data is with the Department of Social Protection and so on. Any data that is shared in Ireland must be underpinned by a data-sharing agreement that has to be written in line with the GDPR. Under the new process, there is a data protection officer in each public service body who must basically confirm that he or she is satisfied with GDPR compliance before it is allowed to proceed. I know from the digital Covid certificate that we had to go through reviews by the data protection officer in the HSE, the data protection officer in the Department of Health and our own data protection officer in the Department of Public Expenditure and Reform before we could even go to the Data Protection Commission to get its views on the way forward. So I think that we have a very robust data governance system in Ireland. We will absolutely uphold that as we introduce this initiative or any other initiative.
In terms of the actual broader sharing of data, the key point is the idea of individual sovereignty. I understand that if I want to buy a car, I may need a driving licence.
I may need them to know that I am legally entitled to drive that car. They may need to know that I have proper insurance and so on. All of that requires data sharing. We were used to doing it by simply bringing along forms. This might be a way in which it can be done more conveniently, for example, on the day when one is supposed to be picking up keys or whatever that happens to be. We need to make sure that people are not retaining data for longer than they need to. If a person moves from one insurance company to another, the previous insurance company cannot keep the same levels of detail and so on. We need to protect that.
On the constitutional issue around the citizen's identity card, the one thing that underpins the MyGovID at the moment is that it is not mandatory. It is a choice by people who want to receive their public services online. Obviously, where that happens the State has an obligation to protect all of its citizens by making sure that personation is not taking place. The State has designed a process that enables this to happen but it is not a mandatory process. If a person wants to carry out the old manual process then he or she is very much entitled to do so. We are seeing, however, that more and more people want the digital process because it is simply so much faster. I do not see any compromise with the Constitution. It will not be mandatory and people do not have to opt in. It is entirely their own choice. They can opt in for a period of time and then opt out again. Again, that is entirely of their own choice.
I thank Mr. Lowry. Today we have spoken a lot about the use of the digital Covid certificate. It is only anecdotal, and I have nothing to back it up, but after the majority of the population registered for the Covid vaccination we suddenly saw a spike in scam calls to mobile phones and so on. I have always wondered whether there was a correlation. Has any research been carried out into that area? It is rather peculiar. Either these criminals were all people who had nothing to do during Covid and exchanged their outside criminal activities for inside criminal activities, or else something else went crazy. During that period we started to get these scam calls.
The great thing about the public service is that my PPS number allows me to access every public service and I can immediately be recognised. I can see how this could develop in time and how a person's PPS number could tie all of the services together. It is the one solid number that identifies the person.
On the personation issue, even with the best will in the world it can happen. Reference was made to social media here. I have been impersonated on social media and I believe that most public representatives have at some stage or other. Anything that will secure that element is something we want.
On the voluntary aspect of opting in or opting out, to a certain degree we are being pushed into a situation from a digital perspective where we really have to opt in. It is becoming more and more difficult to deal with human beings in a bank, for example. Even now when I go into my local branch across the road on Grafton Street there are more machines than people to talk to. The opt in will slowly become mandatory. The Department constantly talks about how comfortable we are with mobile technology and with digital technology. That is a good thing but it is also a bad thing insofar as this comfort has put it into a situation where we no longer question things. Back in the good old days when I was teaching IT I used to say that for every keystroke one makes on a computer somebody somewhere is watching it. This is one of the crucial aspects we are going to have to look at as we move into this digital wallet: who is watching who, and can we guarantee that when I get on my mobile phone I am not going to be scammed with every keystroke I make?
I do not see a subsidiarity issue with this. I see us coming in line with the EU, but I would hope that as we do we take all of the cybersecurity and security issues into account. I thank all of the witnesses for their attendance this morning.
I thank Senator Craughwell. Is Senator Dooley still online? No, he is not there currently.
I wish to clarify one point with Mr. Lowry. Could private or public facilities, operators, institutions or businesses insist on the use of a European digital wallet in order for people to perform transactions with them? That moves into the area in which the Data Protection Commissioner in Ireland had issues. The fundamental issue is that people should not be barred from accessing services if they do not have a public services card. How does one deal with that in a European context? Could private operators and state institutions insist on the use of a digital wallet in order for people to carry out any form of transactions with them? Would that breach general data protection regulation rules?
Mr. Barry Lowry:
That is an important question. Some of the writings and analysis carried out by the media on the whole concept of the European digital wallet have stated that there is an element of tension or a catch-22 situation. Private sector organisations will not invest in supporting the European digital wallet if there is not going to be uptake. They will want assurances from the Commission that the public want to and, indeed, will use it. I do not envisage the regulation will require that if a person wants to hire a car, he or she can only do that using an EU digital wallet. That would be difficult to implement because no two smartphones are the same. It is a big step to assume that, for example, we could write an app called the EU digital wallet, make it available to everyone with a phone, and that it would be used successfully. We will have to come up with alternatives and offer people choice. I suspect that is where the legislation will end up. As I said earlier, it is early days, but people are right to be concerned and that needs to be represented in the discussions.
I will now flip the other side of the coin. If I were a consumer shopping in another European country or in Ireland who wanted to use the wallet, could that shop or state institution refuse to use it by saying it does not recognise it and request another form of identification or whatever? The corollary or the flip side of my previous point also needs to be asked. Will Mr. Lowry address that point?
Mr. Barry Lowry:
We have already seen the introduction of standards by the body that supported the introduction of the credit card, including Mastercard and others. They came together and established a set of rules which all users, including retailers, of Mastercard or Visa card are expected to use. People are familiar with that. By extension, they can choose to carry their physical card into a shop and use contactless payment or the phone equivalent as the shop will accept either form because the technology enables them to do that. This will progress using choice. If a person keeps his or her credit card on their EU digital wallet - the intention is to enable that - and wishes to proffer that in a shop, I do not think it will cause problems for the shop because, at the end of the day, credit transactions are underpinned by the infrastructure already in place.
I apologise for that. I see everyone smiling; being on mute is a fairly regular occurrence by now. I wish to come back at this stage, because I was conscious of time constraints at the start. In the end, we have reached 11.30 a.m. with everyone contributing, including some being afforded a good bit of time.
I do not know if any of our contributors has-----
Since 1992 we have been talking about the euro pass and the idea of a European identity card. The British were aghast at the concept of it. It was said it would bring down the government. There is a touch of that about some of this and how possible it is. On balance, having listened to the last two hours there is a lot of potential for it to go well but it requires buy-in. Everyone said we would not do chip and pin and now all we see are people tapping cards and phones. People are not carrying cash even though only a couple of years ago when I, along with the Chairman, was a member of the finance committee the chief executive of Bank of Ireland said at the time that Irish people like cash and want to have cash in their pocket. Now most businesses tell me they are taking in a fraction of the amount of cash compared to pre-pandemic times.
The public service card was voluntary but mandatory. It was voluntary if one wanted to have one but it was mandatory if one wanted to get social welfare benefits. There were certain aspects to it. There is always a fine line when it comes to data sharing. I benefited from being on the finance committee where we discussed such legislation in the last term. Equally, there are issues with freedom of information and GDPR. There are a lot of conflicts going on. I am not necessarily sure that I subscribe to Senator Craughwell's conspiracy theories on scam calls. I presume his 5G improved once he got his vaccines sorted.
In terms of where we are going with this, do we have a timeline? There will be a year of consultation. I anticipate that just like metro and lots of other things it can be delayed. The roll-out of the digital Covid cert was very rapid. When will we see this? Is there an appetite right across the EU, including the Commission and member states, to say that this is positive and to get a verifiable EID so that people can have their driving licences and passports, open a bank account, get car insurance and properly prove their identity while also having protections in place to ensure that people in Revenue do not know about people's health data and the people in the health system do not know about people's Revenue data and so on? I do not believe they are challenges. I bring my digital Covid cert to a restaurant and staff can verify it is valid without knowing much else about me.
When might we as consumers and members of the public see a tangible benefit from this? I appreciate that there are 27 countries involved, but do the witnesses have any idea of the timeline involved?
Mr. Barry Lowry:
In terms of the technology part, the Commission has said that by 30 October 2022 it will publish the toolbox. In order to publish the toolbox, that means we have basically agreed how it is all going to work. It will take just over a year - 13 months - to agree a technical solution. I believe the legislation is broadly working to the same timetable. It will be ambitious.
Among the 27 member states, several are concerned. Their concern is driven by the technical capability within their countries. In some of the EU member states chip and pin is still very popular, as it was in Ireland five or six years ago. Countries move on. The overall target is aiming at a new euro by 2030. I guess people have realised this will be a slow burner. It depends on which way one looks at it. Eight years can go by in the blink of an eye or seem like an eternity. That is probably a realistic timescale.
They think that by 2030 perhaps 80% of people will be actively using this in some shape or form. If we look at how our society has operated over the past few months in terms of going into restaurants with electronic certificates and probably paying electronically, a figure of 80% is probably about right. I do not think every nation will achieve 80%, but I certainly think Ireland will.
Do any members wish to comment further?
I thank Ms McCabe and Mr. Lowry for their contributions. I also thank Ms McDonald, Mr. Hinchy and Mr. Hickey for their attendance and for engaging so comprehensively with the committee. They have given us much food for thought. This initiative appears to be very ambitious and, if done in the correct way, very worthwhile but there are still a number of obstacles to overcome. I think that would be a fair comment. We might have Ms McCabe and Mr. Lowry back in as this issue progresses. Mr. Lowry got the DCC correct. He did a very good job on it in a very short period of time so he has a track record and good form on this. We will be guided by him and Ms McCabe and we look forward to further engagement. We want to get this right. We have to move to the digital age but at the same time we must protect the rights of citizens, particularly our own citizens here in Ireland. Is it agreed the committee will now go into private session to decide our next steps? Agreed. I thank everyone for attending today at such short notice.