Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD examines the implications of treating identity as a service rather than a fundamental right

On June 20, 2024, the Spanish data protection authority (AEPD) published a blog post examining the implications of treating identity as a service rather than a fundamental right.

Identity as a fundamental right

The AEPD outlined that identity is recognized in international law through various declarations and conventions, such as the Universal Declaration of Human Rights, and not having a legal identity can have a significant impact on individuals, such as education, access to employment, and health care. Identity can encompass elements such as first name, last name, date of birth, gender, or nationality and is usually recognized through documents such as a birth certificate.

The AEPD further explained that there is also a strong connection between legal identity and the right to privacy, control, and use of personal data linked to this identity, in particular, regarding defending the right to privacy. The General Data Protection Regulation (GDPR) explicitly refers to identity theft or fraud in several recitals, with Recital 88 of the GDPR establishing the importance of effectively evaluating technical measures for the protection of personal data to effectively limit the probability of identity theft.

Identity management systems

The AEPD highlighted that there are cases where the implementation of identity management systems driven by an 'as a service' identity approach can have negative effects. The AEPD provided examples of digital identity systems without the appropriate infrastructure, regulations, or governance mechanisms, including explicit models for the necessary public-private collaboration.

In particular, the AEPD outlined that identity must be guaranteed for all users, even without an internet connection, the latest mobile phone, a digital fingerprint, or the possibility or willingness to undergo the creation process. However, when identity is a service, the person is considered a client or consumer who must adapt to the way in which said service is offered, often by a third party.

Lastly, the AEPD stressed the complexity and potential adverse outcomes when identity management systems are not carefully designed to support a fundamental right while ensuring privacy and equity.

You can read the press release, only available in Spanish, here.