France: CNIL publishes dossier regarding use of digital identity
The French data protection authority ('CNIL') published, on 23 March 2023, a thematic dossier on digital identity. In particular, CNIL highlighted that the dossier defines the concept of digital identity, the issues surrounding the usage of digital identity, and obligations for organisations using digital identities.
More specifically, the dossier provides that a person's digital identities are their various immaterial identities which will enable them to access products and services, with a set of attributes, such as pseudonym, surname, first name, age, or place of birth, making it possible to link this data with a natural person. Further, the dossier outlines that a digital identity enables individuals to create a certain level of trust for identification, which makes it possible to distinguish one person from another with given identifiers, authentication, which allows individuals to prove that it is one of their identities, and finally, proof of identification, which makes it possible to demonstrate characteristics of one's identity.
In addition, the dossier provides recommendations on the usage of digital identities by organisations, including the avoidance of a single means of identification for all online interactions, which raises concerns about the tracking of individuals. Likewise, the dossier recommends the use of the minimum amount of personal information necessary for the required purposes, particularly for age-verification purposes. Further, the dossier recommends decentralised server architecture because of the free use of electronic identification means without possible systematic monitoring, and the usage of an applied programming interface ('API') to ensure that users only access the data they need. Notably, the dossier also recommends that organisations may use physical alternatives to digital identifiers when they exist.
Finally, the dossier outlines the risks of unique and persistent identifiers, made up of potentially six identity attributes (last name, first names, date of birth, place of birth, etc.), and the potential for permanent profiling, the interconnection of files, and systematic monitoring. Specifically, the dossier outlines the high risk associated with compromise of biometric data, since this may lead to loss of access and a difficult process for gaining a new identifier.
You can read the announcement here and the dossier here, both only available in French.