Digital rights groups warn EU over privacy risks in new eIDAS rules
Civil society organisations have urged the European Commission to strengthen privacy safeguards in upcoming rules for the European Digital Identity Wallet.
A group of digital rights and consumer protection organisations has issued an open letter to the European Commission raising concerns about new implementing rules for the European Digital Identity Wallet (EUDI Wallet) under the revised eIDAS Regulation. The letter, dated 10 March 2026, warns that the latest draft rules could weaken privacy protections and undermine trust in the EU’s digital identity system.
The EUDI Wallet is designed to allow people in the European Union to store and share digital identity credentials, such as proof of age or identity, when accessing online services. The system is expected to support a wide range of digital services, including age verification for online platforms and other forms of secure digital identification.
In their submission, the organisations argue that several elements of the proposed implementing acts could pose risks to users’ privacy and control over their personal data.
One concern relates to registration certificates for services using the wallet. These certificates would require online services to declare what information they intend to request from users. According to the organisations, making these certificates optional could allow some services to request more personal data than necessary without triggering automatic warnings in the wallet system.
The letter also highlights the importance of pseudonym use, meaning users should be able to interact with online services without revealing their full legal identity when identification is not legally required. The groups warn that the draft rules could allow services to request a person’s legal identity even when it is unnecessary.
Another issue concerns the proposed inclusion of a mandatory facial image in the wallet’s identification data set. The organisations argue that making biometric information compulsory could significantly expand the processing of sensitive personal data and change the privacy implications of the digital identity system.
The submission also raises concerns about technical standards that could allow very large online platforms to rely on proprietary authentication systems rather than properly integrate the EU digital identity wallet. According to the signatories, this could weaken user protections and undermine the goal of a unified European identity system.
Finally, the letter calls for stronger safeguards to ensure that the wallet’s use remains ‘unlinkable,’ meaning that different online transactions cannot be easily connected to a person’s identity or tracked across services. This protection is considered important for maintaining trust in the digital identity infrastructure.
The organisations conclude that the success of the European Digital Identity Wallet will depend on embedding privacy, user control and strong security protections into both the legal and technical design of the system. They urge EU institutions to address these issues as discussions on the implementing rules continue.
