Mr Butz, the eIDAS Regulation was introduced in 2016 with the aim of creating legal certainty for electronic signatures in all member states. Is this not enough harmonisation?
You would think so, right. In practice, however, there are sometimes considerable differences from state to state. While in Austria we now have 2.7 million digital identities, which represents an overwhelming level of acceptance in relation to the population, Germany, for example, is still a long way off. Then there are the trust centres that work closely with the government but do not follow eIDAS. The picture is similar in the business world. Banks, for example, have created their own identification options. We are still a long way from real harmonisation. This is not how digital Europe works.
Yet the legal framework and the requirements for electronic signatures and trust centres are precisely formulated in the eIDAS Regulation?
If it is all so clear, why has it not yet had the hoped-for widespread effect? There are currently even considerations at EU level to relax these regulations in order to perhaps promote acceptance. We at the ESD believe this is the wrong approach. It would lead to many individual national solutions. In my view, the regulations are not strict enough yet. Only absolute clarity and commitment will ultimately lead to the harmonisation we are striving for in Europe.
In countries like Estonia, we see a more progressive understanding of digitalisation. Acceptance seems to have reached a certain level there. What can we learn from this?
Estonia is an interesting example because comprehensive digitalisation is an integral part of the political agenda. They have 1.3 million inhabitants and possession of a digital identity is required by law. Anyone can make a qualified electronic signature. And that shows a considerable difference in quality: if you just say, “Oh, please get a digital identity, that would be useful”, then it will be difficult. In the end, this only means that there is no serious digitalisation concept – and there cannot be.
“When it comes to digitalisation, politicians are largely in the dark.” – Michael Butz
Which is another way of saying political failure, or at least a certain timidity. Does the ESD also see itself as an advisor to a policy that, alongside climate protection and migration, has identified digitalisation as the third major playing field for the challenges of our time?
Absolutely. In the other two areas, there are specific approaches and a lot of expertise on how to get things moving. When it comes to digitalisation, politicians are largely in the dark. There are far too few experts who can really understand and assess the topic. The mere slogan “We need more digitalisation” is not enough. If you take the fight against cybercrime seriously, for example, then you need to know first: Who is on the other end of the line? This is an example that shows the impact that a comprehensive digital identity can have and how it can help to realise political intentions in practice in Europe. The attempts to achieve greater acceptance with educational programmes, for example, take far too long.
The global situation seems even less clear. Companies such as Google have long been creating their own, barely regulated laws when it comes to processing data.
This is the second major issue to which the ESD is committed. The big hyperscalers offer free cloud solutions and no user really knows what happens to their data. Ultimately, they do what they want. The ESD wants a cloud in Europe with a European infrastructure where everyone can store data, the GDPR is observed, the data belongs to the users and nothing is automatically analysed for marketing purposes. The global systems do not adhere to this at all, zero. They do not know GDPR. The Americans analyse millions of European data records. That is not the case the other way round.
If Europeans want to emancipate themselves, do they need a purely European solution?
A European solution for digital identities is definitely the basis. Perhaps just a small part of the big digital agenda. But to implement it, we need the knowledge and experience of the European trust centres. Otherwise, it will just be declarations of intent on data security and data protection issues.