Press Release 11/2021.
Graz/Vienna, 18.11.2021 – As former CEO of the trust center A-Trust, Michael Butz did pioneering work for electronic signatures. He now chairs the European Signature Dialog, which he launched in 2017. XiTrust CEO Georg Lindsberger has been vice president since 2021. Trust service providers from ten nations, including Germany, Italy, Poland, Austria and Romania, are working in the ESD to achieve true harmonization for digital identities at EU level. An interview with Michael Butz about the challenges of successful digitization.
Mr. Butz, the eIDAS Regulation was introduced in 2016 with the aim of creating legal certainty for electronic signatures in all member states. Isn’t that harmonization enough?
You would think so, yes. In practice, however, there are sometimes considerable differences from state to state. While we in Austria, with 2.7 million digital identities in the meantime, have seen overwhelming acceptance measured against the size of the population, Germany, for example, is still a long way off. Then there are the trust centers that work closely with the government but do not follow eIDAS. In business, the picture is similar. Banks, for example, have created their own identification options. We are still a long way from true harmonization. This is not how digital Europe works.
Yet the eIDAS regulation precisely formulates the legal framework and the requirements for electronic signatures and trust centers?
If all this were so clear, why has it not yet led to the hoped-for widespread effect? At the EU level, there are currently even considerations to relax the regulations described in order to perhaps promote acceptance. We at the ESD think this is the wrong way to go. It would lead to many individual national solutions. In my view, the regulations are not yet strict enough. Only absolute clarity and bindingness will ultimately lead to the harmonization we are striving for in Europe.
From left: Georg Lindsberger (CEO XiTrust), Michael Butz (former CEO A-Trust)
In countries like Estonia, we see a more progressive understanding of digitality. Acceptance there seems to have reached a level. What can be learned from this?
Estonia is an interesting example because comprehensive digitization is an integral part of the political agenda. They have 1.3 million inhabitants and possession of a digital identity is required by law. Anyone can sign a qualified electronic document. That describes a significant difference in quality: If you just say, oh, please get a digital identity, that would make sense, then it will be difficult. In the end, this only means that there is no serious digitalization concept – and there can’t be.
Which is another way of saying policy failure, or at least a certain timidity. Does the ESD also see itself as an advisor to a policy that, along with climate protection and migration, has identified digitization as the third major playing field for the challenges of our time?
Absolutely. In the other two areas, there are concrete approaches and a lot of acquired know-how on how to get things moving. In digitization, politics is largely bare. There are far too few experts there who can really penetrate and assess the topic. The mere slogan “We need more digitization” is not enough. If, for example, the fight against cybercrime is to be taken seriously, then I first need to know: Who is sitting at the other end of the line? This is an example that shows the impact that a comprehensive digital identity can have and how it can help Europe to implement what is politically desired in practice. The approaches to achieving greater acceptance, for example through educational offerings, are taking far too long.
The global constellation seems even less clear. Companies like Google have long since created their own, barely regulated laws for processing data.
This is the second major set of issues that ESD is committed to. The big hyperscalers offer free cloud solutions and no user really knows what happens to their data. They ultimately do what they want. The ESD wants a cloud in Europe with a European infrastructure, where everyone can store data, the GDPR is observed, the data belongs to the users and nothing is automatically evaluated for marketing purposes. The global systems do not adhere to this at all, zero. They do not know GDPR. The Americans evaluate millions of European data records. The reverse is not the case.
If Europeans want to emancipate themselves, a purely European solution is needed?
A European solution for digital identities is definitely the basis. Maybe just a detail of the big digital agenda. But to implement it, we need the knowledge and experience of the European trust centers. Otherwise, we will be left with declarations of intent on data security and data protection.