Authors: Robert Nešpůrek, Pavel Amler, Tomáš Chmelka
At the beginning of summer 2021, the European Commission published a proposal to revise the eIDAS[1] Regulation, nicknamed eIDAS 2.0, in which it proposes significant changes to the Regulation, in particular in the field of electronic identification, by introducing a so-called European Digital Identity wallet (the “Wallet”).
The Wallet should take the form of an app for mobile phones and other devices and should be based on a national electronic identity. The Wallet should be issued by individual Member States or by an authorised or recognised private entity. Hence, the Wallet will not create a new electronic identity but will ensure cross-border recognition of individual national electronic identities.
In addition to basic personal identification data, the Wallet should also contain other attributes (e.g. driver’s licence, diploma, licence, certificate, professional qualification, or birth certificate). The inclusion of other attributes will not be mandatory, but each citizen, as the holder of their own Wallet, will be able to individually choose which attributes to upload to the Wallet and when and how to use them. The sharing of personal data and attributes should be transparent, traceable and, with the right technical solution, GDPR[2] compliant.
It should also be possible to use the Wallet as a means of creating a qualified electronic signature or a qualified electronic seal, which could bring a new impetus to their wider use in Czech society (they have the same effects as a handwritten signature on paper).
Each EU Member State will have to issue the Wallet to its citizens within 12 months from the date the approved eIDAS 2.0 proposal enters into force. A conservative estimate is that eIDAS 2.0 could be approved by the end of 2022. Even if the legislative process takes longer, we might see the first digital and hopefully truly usable Wallets across EU Member States by 2024 at the latest.
Global internet companies have recently received significant fines in France for non-compliance with the rules on user consent to the use of cookies (including, for example, the US company Meta, which operates the social network Facebook). Similar practices are, however, also standard on the Czech Internet, so these decisions should be taken into account.
The basic requirement for valid consent to the use of cookies is that it can be freely given or denied, both in the same easy way (i.e. the user must not be forced into either option, directly or indirectly). Where one of the options is significantly easier (one click, so to speak) and the other burdens the user with clicking through several windows or scrolling through a long text, or encourages the user to individually reject each of the many marketing cookies, one can rightfully question whether refusal of consent is free and equally easy.
On the Czech Internet, this way of obtaining consent has become standard, and even among the professional public there are voices willing to promote such a cookie banner as a model case of consent. However, supervisory authorities in Europe are of a different opinion and, given the coordination of European supervisory authorities in the area of data protection, it can be expected that the Czech Personal Data Protection Authority will follow this trend. For this reason, we recommend verifying that the cookie banner you are using does indeed meet the requirements for valid user consent – otherwise, you risk being subject to (unnecessary) sanctions.
Cyber-attacks exploiting vulnerabilities in software applications have lately become an almost daily occurrence. The European Union is aware of these events and has decided to fight them, at least in part.
Based on the adopted EU Cybersecurity[3] Act, the European Cybersecurity Certification Framework should soon come into force, the primary objective of which is to guarantee a higher standard of cyber protection and security, both for the products, services and processes offered and for the end user.
The framework also establishes a single system for the certification of cybersecurity products, services and processes. The liaison point of this framework will be the European Union Agency for Cybersecurity (ENISA), which will significantly strengthen its mandate and become the EU’s permanent cybersecurity agency. ENISA will also coordinate the actions of Member States, EU institutions and other stakeholders in the field of cybersecurity.
The European cybersecurity certification system envisages several levels of assurance – “basic”, “significant” or “high”. The level of certification always depends on the level of risk in terms of the likelihood and impact of a security incident associated with the intended use of the product, service or process. Accreditation will be issued for a maximum period of five years and may be renewed under the same conditions. Certification will be voluntary unless otherwise specified by mandatory regulation.
On the basis of the related amendment to the Czech Cybersecurity Act, the NÚKIB[4] is to be designated as the national cybersecurity certification body. The NÚKIB will thus have an expanded scope of powers and will oversee and enforce compliance with the rules included in European cybersecurity certification systems, authorise or empower conformity assessment bodies to issue certifications where appropriate, and address complaints filed by natural or legal persons in connection with European cybersecurity certificates.
Certificates issued within these systems will be valid in all EU countries, creating a single system that will make it easier for end users to gain confidence in the security of these technologies. In turn, it will make it easier for companies to do business across borders and ensure certification across the Union. We therefore certainly recommend following this development and, at the very least, considering implementing this certification as soon as possible.
Our law firm HAVEL & PARTNERS, together with Artinii, has introduced a new innovative blockchain project called Certoo. This service is, in short, a “digital notary” and essentially allows users to obtain secure and unquestionable proof of authorship of documents or data.
With this service, the user can prove his/her authorship with a certificate that contains all the information relevant to prove authorship/ownership. This information is protected from subsequent modifications thanks to the blockchain technology used. The Certoo service thus brings a new standard in the field of intellectual property protection.
Certoo is a very user-friendly and intuitive online tool that can be used by all categories of users. In the first step, the user uploads a file with a work of any nature, which is assigned a unique hash (de facto a digital fingerprint of the uploaded file). This hash is then integrated into the Litecoin network blockchain (a public and transparent blockchain), whereupon the user (author) receives his/her unique certificate to prove his/her authorship/ownership.
Each user also gets access to their own private online storage. In this environment, they can upload additional projects and administer them as needed. This ensures that they always have access to the original file to prove that the user had possession of the file at a specific date and time, which can prove their authorship/ownership in the event of a dispute. Superior security and encryption of the stored data is a matter of course.
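The hash-and-anchor flow described above can be illustrated with a small verification routine. This is an added example, not Certoo's own code: it assumes SHA-256 as the fingerprint (the article does not name the algorithm), a simple JSON certificate layout, and a placeholder in place of the real Litecoin transaction id, and it shows why the certificate only attests to the exact bytes that were hashed.

```python
"""Hash-based proof of existence modelled on the Certoo flow. Added example,
not Certoo's code; SHA-256, the certificate layout and the anchor placeholder
are assumptions (the article gives no algorithm or format)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "work": the bytes a user would upload.
SAMPLE_WORK = b"Draft manuscript, chapter 1. All rights reserved by the author."


def fingerprint(data: bytes) -> str:
    """Return the hex SHA-256 digest: the 'digital fingerprint' of the file."""
    return hashlib.sha256(data).hexdigest()


def issue_certificate(data: bytes, anchor_txid: str, issued_at: datetime) -> dict:
    """Build the certificate handed to the author.

    Only the hash is published; the file itself stays in the author's private
    storage. anchor_txid identifies the blockchain transaction that embedded
    the hash (a placeholder here, since this example runs offline).
    """
    return {
        "file_sha256": fingerprint(data),
        "issued_at": issued_at.isoformat(),
        "anchor": {"chain": "litecoin", "txid": anchor_txid},
    }


def verify_certificate(data: bytes, certificate: dict) -> bool:
    """True only if the presented file is byte-for-byte the certified one."""
    return fingerprint(data) == certificate["file_sha256"]


def demo() -> tuple:
    """Issue a certificate, then check the original and a one-word edit."""
    cert = issue_certificate(SAMPLE_WORK, "TXID-PLACEHOLDER",
                             datetime(2022, 1, 15, 9, 30, tzinfo=timezone.utc))
    # A single edited word changes the digest, so the certificate no longer
    # matches: it cannot be carried over to a modified version of the work.
    tampered = SAMPLE_WORK.replace(b"chapter 1", b"chapter 2")
    return verify_certificate(SAMPLE_WORK, cert), verify_certificate(tampered, cert)


if __name__ == "__main__":
    print(json.dumps(issue_certificate(SAMPLE_WORK, "TXID-PLACEHOLDER",
                                       datetime.now(timezone.utc)), indent=2))
    print("original verifies, tampered verifies:", demo())
```

Note that the check proves possession of these exact bytes at the anchored time; authorship is what the holder then argues from that fact, as the article itself frames it.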
[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
[3] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.
[4] National Cyber and Information Security Agency.