European Parliament legislative resolution of 29 February 2024 on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (COM(2021)0281 – C9-0200/2021 – 2021/0136(COD))
(Ordinary legislative procedure: first reading)
The European Parliament,
– having regard to the Commission proposal to Parliament and the Council (COM(2021)0281),
– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0200/2021),
– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,
– having regard to the opinion of the European Economic and Social Committee of 20 October 2021(1),
– having regard to the opinion of the Committee of the Regions of 13 October 2021(2),
— having regard to the provisional agreement approved by the responsible committee under Rule 74(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 6 December 2023 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,
– having regard to Rule 59 of its Rules of Procedure,
– having regard to the opinions of the Committee on the Internal Market and Consumer Protection, the Committee on Legal Affairs and the Committee on Civil Liberties, Justice and Home Affairs,
– having regard to the report of the Committee on Industry, Research and Energy (A9-0038/2023),
1. Adopts its position at first reading hereinafter set out;
2. Takes note of the statements by the Commission annexed to this resolution;
3. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;
4. Instructs its President to forward its position to the Council, the Commission and the national parliaments.
Position of the European Parliament adopted at first reading on 29 February 2024 with a view to the adoption of Regulation (EU) 2024/… of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework
(As an agreement was reached between Parliament and Council, Parliament's position corresponds to the final legislative act, Regulation (EU) 2024/1183.)
ANNEX TO THE LEGISLATIVE RESOLUTION
Statement by the Commission on Article 45 on the occasion of the adoption of Regulation (EU) 2024/1183(1)
The Commission welcomes the agreement reached, which, in its view, clarifies that web browsers are required to ensure support and interoperability for the qualified website authentication certificates (QWACs) for the sole purpose of displaying the identity data of the owner of the website in a user-friendly manner. The Commission understands this obligation as not prejudging the methods used to display such identity data.
The Commission welcomes the agreement reached, which, in its view, clarifies that the requirement for the web browsers to recognise QWACs does not restrict browsers own security policies and that Article 45, as proposed, leaves it up to the web browsers to preserve and apply their own procedures and criteria in order to maintain and preserve the privacy of online communications using encryption and other proven methods. The Commission understands draft Article 45 as not imposing obligations or restrictions on how web browsers establish encrypted connections with websites or authenticate the cryptographic keys used when establishing those connections.
The Commission recalls that, in line with point 28 of the Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making of 13 April 2016, the Commission will make use of expert groups, consult targeted stakeholders and carry out public consultations, as appropriate.
Statement by the Commission on unobservability on the occasion of the adoption of Regulation (EU) 2024/1183(2)
The Commission welcomes the agreement reached, which in its view, confirms that this amending Regulation does not allow for the processing of personal data contained in or arising from the use of the European Digital Identity Wallet by the Wallet providers for other purposes than delivering wallet services.
The Commission also welcomes the inclusion of the concept of unobservability in Recital (11c) of the draft amending Regulation, which should prevent wallet providers from collecting and seeing the details of user’s day-to-day transactions. The Commission is of the view that this concept means that there should not be correlation of data across different services for the purposes of user tracking or tracing or for determining, analysing and predicting personal behaviour, interests or habits.
At the same time, the Commission acknowledges that, in full compliance with Regulation (EU) 2016/679, the providers of European Digital Identity Wallets may access certain categories of personal data with the user’s explicit consent, such as in order to ensure continuity in the provision of wallet services or to protect users from disruptions in their provision. That data should be limited to what is necessary for each specific purpose.