Regulating electronic identity in the European Union: An analysis of the Lisbon Treaty’s competences and legal basis for eID

This paper discusses the feasibility of EU legal action in the field of electronic identity (eID) within the new distribution of legal competences and the provision of novel legal basis engendered by the Treaty of Lisbon. The article attempts to find a ‘legal anchor’ to the idea of a pan-European electronic identity within EU law, looking at the issues of competences and legal basis. After examining various different areas of competence and the most feasible (and probable) candidates for a legal basis supporting an EU legal framework for eID, the paper argues that the latter should be found in the combination of Article 16 TFEU (concerning the right to the protection of personal data) with Article 3 TUE, and Articles 26 and 114 TFEU (concerning the establishment and functioning of the Internal Market), which also constitute the area of competence where an eID legal initiative can be pursued.     

Trusted notifiers and the privatization of online enforcement

Online content is increasingly enforced by private parties based on private regulation. One recent trend in the takedown of unlawful online content is the emergence of models, where trusted third parties – private or public – are given privileged notification channels for flagging infringing content.Despite increasing practical importance, these arrangements have received little scholarly attention. This article explores the functioning of trusted notifier-models and how they are addressed by the European lawmaker in the context of two intermediaries, online platforms and domain name registries. Depending on intermediary, trusted notifier-models can both be seen as extension of the existing notice-and-takedown regimes and an additional voluntary expedited-enforcement layer. The author argues that these trusted notifier-models are problematic given the broad room of autonomy that the legislator is leaving to private parties. Whereas models involving public authorities are subject to general administrative law principles as well as constitutional and human rights safeguards, the framework for private regulation (i.e. without intervention of public actors) is less clear. In the field of domain names, these legitimacy issues give raise to special concern given the detached relation between domain names and website content. The paper criticizes the lack of insights into existing arrangements and calls for increased transparency. The author concludes that a legislative minimum framework is desirable.     

Normative challenges of identification in the Internet of Things: Privacy,profiling, discrimination,and the GDPR

In the Internet of Things (IoT), identification and access control technologies provide essential infrastructure to link data between a user's devices with unique identities, and provide seamless and linked up services. At the same time, profiling methods based on linked records can reveal unexpected details about users' identity and private life, which can conflict with privacy rights and lead to economic, social, and other forms of discriminatory treatment. A balance must be struck between identification and access control required for the IoT to function and user rights to privacy and identity. Striking this balance is not an easy task because of weaknesses in cybersecurity and anonymisation techniques. The EU General Data Protection Regulation (GDPR), set to come into force in May 2018, may provide essential guidance to achieve a fair balance between the interests of IoT providers and users. Through a review of academic and policy literature, this paper maps the inherent tension between privacy and identifiability in the IoT. It focuses on four challenges: (1) profiling, inference, and discrimination; (2) control and context-sensitive sharing of identity; (3) consent and uncertainty; and (4) honesty, trust, and transparency. The paper will then examine the extent to which several standards defined in the GDPR will provide meaningful protection for privacy and control over identity for users of IoT. The paper concludes that in order to minimise the privacy impact of the conflicts between data protection principles and identification in the IoT, GDPR standards urgently require further specification and implementation into the design and deployment of IoT technologies.