Joint Letter of 67 Civil Society Organizations to the Prime Minister
Yesterday, together with 66 other Civil Society Organizations and Networks, we joined our voices and co-signed a joint letter initiated by ActionAid Hellas to Prime Minister Kyriakos Mitsotakis, in response to recent statements by government officials that disparage, in their entirety, the work and transparency of CSOs.
The letter, titled “The disparagement of Civil Society Organizations undermines society itself and the institutional functioning of Democracy”, is a collective effort that sends a strong message in every direction.
Civil Society is all of us. We deserve respect, cooperation, and open dialogue. Read our open letter here.
The new annual report of EDRi is here, with important references to the work of Homo Digitalis
European Digital Rights (EDRi), our dynamic network working to defend and promote digital rights across Europe, has published its 2024 Annual Report!
Read more about the network’s major actions and achievements over the past year! Special references are, of course, made to the contribution of Homo Digitalis. From hosting the 2024 General Assembly in Heraklion, Crete, to raising awareness around the Predator spyware and related legislative reforms, to filing a legal challenge against the retention of electronic communications metadata in Greece, and to the imposition of significant fines regarding the KENTAVROS and YPERION systems in the closed facilities of the Ministry of Migration—2024 was a year full of progress and impact!
We submitted our views to the European Commission’s public consultation on Article 30(5) GDPR
Yesterday, Homo Digitalis submitted its views as part of the European Commission’s public consultation on Article 30(5) of the GDPR.
In our submission, we call on the Commission to withdraw the proposed amendment and stress the need to ensure that the GDPR is not reopened or modified through broader deregulatory initiatives. The priority must remain on the effective application and enforcement of the existing framework, rather than on reducing the safeguards that are essential for protecting fundamental rights in the digital age.
You can read our full position here.
The 9th NGI TALER funding Open Call is here!
08/08/2025
The ninth funding call of NGI TALER is here! Make sure to apply until October 1st 2025 12:00 CEST (noon)
A short intro about NGI TALER
The NGI TALER project is funded as a pilot under the NGI initiative within the European Commission’s Horizon Europe research funding program. It is operated by a consortium of 11 partners from 8 European countries (Belgium, France, Germany, Greece, Hungary, Luxembourg, Switzerland and The Netherlands) with the mandate to roll out an innovative, best-in-class electronic payment system that benefits everyone: end-consumers, merchants, banks, financial authorities, auditors and anti-corruption researchers! The project builds upon the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. Read more on NGI TALER’s website, here.
What is this funding call about?
Part of the budget of NGI TALER is reserved for open calls to fund additional free software efforts that are aligned with the topics and approach of NGI TALER. We invite your contributions to help reshape the state of play of digital payment systems, and to help create an open, trustworthy and reliable internet for all! You can contribute exciting new capabilities to GNU Taler itself, build auxiliary tools or work on user experience, but you could also be developing integrations into FOSS applications and open standards, or work on improvements to infrastructure components like merchant back-ends. See more info about the wide range of activities that qualify for financial support and the eligibility criteria here.
How to apply?
The open call is open since 01/08/2025 and the deadline to submit your application is October 1st, 2025, 12:00 CEST! You can apply only with proposals between 5.000 and 50.000 euro (60.000 euro is the cumulative absolute hard limit for any applicant for the program). To apply you need to fill in a specific form! From our end we will provide a transparent and efficient selection process. More info in the links below:
Homo Digitalis spoke on smart farming and the AI Act
In the beginning of july, the AgriDataValue project hosted an in-depth online workshop dedicated to data privacy, legal, and ethical dimensions within the context of smart farming. Organized by Netcompany, the event brought together AgriDataValue partners, Advisory Board members, legal experts, as well as representatives from related EU-funded projects.
Homo Digitalis participated in the workshop, giving a legal presentation on the topic “Smart Agriculture from a GDPR and AI Act Perspective”. Many thanks to Ioannis Chrysakis for the kind invitation! Our Executive Director, Eleftherios Chelioudakis, represented us.
The objective of the workshop was to identify and validate key ethical, legal, social, and privacy-related topics linked to the AgriDataValue platform. It also served as an opportunity to review data flow mappings between the project’s technologies, user types, and integrated services, a vital exercise for ensuring compliance, transparency, and responsible data governance.
We filed a complaint against Alphabet before the European Commission under the provisions of the DMA, together with five organizations.
European Digital Rights, ARTICLE 19, Free Software Foundation Europe (FSFE), Gesellschaft für Freiheitsrechte e.V., Vrijschrift.org, and Homo Digitalis filed a formal complaint against Alphabet Inc. under the Digital Markets Act (DMA) before the European Commission.
Despite the DMA’s clear gatekeeper rules:
On Android, users still cannot truly uninstall Google’s pre-installed apps; they can only disable them, which leaves them on the device. Yet Alphabet misleads users by claiming this is the same as removing an app. It is not.
The disable option is buried deep in the settings and, when users do find it, Android displays vague and intimidating warnings that discourage them from switching to alternative apps, making it harder to move away from Google’s ecosystem.
We are facing a textbook case of deceptive design, which restricts user choice and reinforces Alphabet’s gatekeeper position.
With our complaint, we call on the European Commission to investigate Alphabet’s practices and order the company to fully respect end-user rights under the DMA.
You can read our complaint on EDRi’s website here.
Homo Digitalis contributes to two EU consultations on the Data Strategy and high-risk AI systems
Last Friday, July 18th, Homo Digitalis submitted detailed input to two public consultations launched by the European Commission.
The first consultation focused on collecting targeted input from stakeholders regarding the implementation of the AI Act (2024/1689) rules for high-risk AI systems. According to Article 6(5) of the AI Act, the Commission must publish guidelines on the practical implementation of the high-risk classification rules by February 2, 2026, accompanied by a list of practical examples of both high-risk and non-high-risk AI systems. Additionally, Article 96(1)(a) requires the Commission to provide guidelines on the application of obligations and responsibilities for high-risk AI systems, including those across the AI value chain, as defined in Article 25. In its submission, Homo Digitalis provided practical examples of AI systems from Greece and other countries, and highlighted key issues that should be clarified in both the classification and compliance guidelines.
The second consultation addressed the EU Data Strategy. Its three goals are to: 1) boost investment in data technologies and promote data sharing through voluntary or funded initiatives; 2) streamline existing rules and develop data tools to reduce administrative burdens; and 3) shape an international data strategy that ensures safeguards for data transfers outside the EU and encourages data inflows into the EU.
In its response, Homo Digitalis raised strong concerns about potential undermining of personal data protection under the pretext of simplification, flexibility, and competitiveness. The organisation reaffirmed its position that fundamental rights must be strengthened through the use of new technologies and rejected the framing of existing legal frameworks as a barrier to innovation. According to Homo Digitalis, the challenges lie primarily in the lack of enforcement and resources, not the laws themselves.
You can read our full submission for the first consultation here.
We thank the drafting team, Stavrina Chousou, Niki Georgakopoulou, Sofia Antonopoulou, and Eleftherios Chelioudakis, for their valuable contributions.
You can read our full submission for the second consultation here, edited by our Executive Director, Eleftherios Chelioudakis.
European Digital Identity Wallet (EUDI Wallet): The Uncomfortable Truth Behind the Innovation
By Giannis Konstantinidis*
Note: This is the English translation of the original article which was written in Greek.
A critical look at the EU’s new “wallet” and the hidden risks it poses to personal data protection and privacy in the digital age.
What are digital identities?
Digital identities are the set of information (e.g. name, professional status, address, telephone number, password) that characterise us when we use digital services on the Internet. In simple words, they are our “digital selves” when we connect to social networking platforms, e-government services, e-banking systems, etc. In practice, digital identities contain personal data which in many cases are also sensitive (e.g. in the case of e-health services). Therefore, digital identities must enable fast and trouble-free access to digital services and meanwhile be accompanied by strict safeguards regarding information security and data protection.
How have digital identities evolved?
There are three main models for organising digital identities (Figure 1). In the centralised model, an organisation maintains a central database with the digital identities of all users. A key disadvantage of the centralised model is that users must maintain a separate account for each digital service they use. In contrast, in the federated model, organisations cooperate with each other and exchange digital identity information using a common protocol. For example, if a user has an account with a central provider (e.g. Facebook, Google, Microsoft or gov.gr), then they can log-in to another compatible digital service with the same information. Therefore, the federated model is quite easy to use, although the overall management of digital identities and their attributes is carried out by a few providers (who might be aware of the users’ activities).
Figure 1: In the centralised model, users have separate accounts (and passwords) for each service they use. In contrast, in the federated model, there are a few providers that act as single “gateways” to services. Finally, in the decentralised model, users use their digital wallets and ideally choose the specific information they want to share with service providers. (Creator Giannis Konstantinidis)
Therefore, in both the centralised and the federated model, a major concern is the concentration of a large amount of data in central locations that are considered attractive to malicious attackers (see massive data breaches). As an “antidote”, the decentralised model has been proposed, which is often associated with the concept of “self-sovereign identity” (SSI). In this model, the user controls all the identity elements that are to be used by the services. Instead of relying upon a few providers, each user holds a set of “credentials”, which have been issued by trusted entities, and maintains them in an application called a digital wallet or digital identity wallet. When the user needs to prove something (e.g. their age), the digital credential is directly presented (signed beforehand by a trusted organisation that serves as the issuer). Ideally, the presentation of that digital credential reflects the minimum amount of the required data and does not reveal the entire personal data of the user.
Figure 2: In the decentralised model, the issuer generates and delivers a credential to the user (holder) who stores it in the digital wallet. The user then presents the credential to a verifier, i.e. an organisation that requests confirmation of the user’s identity and/or status. The validity of the credential is verified based on the information found in a registry.(Creator Giannis Konstantinidis)
What is happening in the EU with digital identities?
With the revision of the eIDAS Regulation (2024/1183), the European Commission has established that each EU Member-State must offer its citizens a digital identity wallet. This will be an application for mobile devices in which each user will be able to store documents in digital form (e.g. ID cards, driving licenses, educational qualifications, social security documents and other travel documents). The user's interaction with the respective services will be done through the wallet, i.e. the user will select the credentials they wish to share. As mentioned earlier, the entire documents are not sent by each user, but a selected presentation of certain data in combination with the appropriate digital evidence that cryptographically proves the validity of those documents. Admittedly, the original vision of a “sovereign identity” seems to be significantly limited in the current design of the EUDI Wallet. In particular, the draft architecture (i.e. Architecture and Reference Framework - ARF) foresees the use of a traditional Public Key Infrastructure (PKI). Simply put, instead of leveraging a fully decentralised system, the European Commission chooses to leverage existing infrastructures that collect digital identity data. As such, it is more of a cross-border federated model in which users are responsible for managing and sharing their credentials on their own, rather than a fully decentralised model.
Is the protection of privacy and personal data enhanced or undermined?
Based on current developments, several risks related to data protection and privacy arise. First, the wallet can generate unique identifiers for each user (although theoretically this is necessary to identify the user when accessing cross-border services in the EU) and several experts express fear that these identifiers will allow for the continuous monitoring and correlation of all user activities.
In particular, according to the position of a group of distinguished academics (specialists in cryptography), the proposed architecture does not include sufficient technical measures to limit the “observability” and prevent the “linkability” of user activities. This means that even if user activities are carried out through the use of pseudonyms, there is no special care to prevent service providers from collecting usage patterns and correlating them with each other. So, in practice, this gap allows the tracing of user activities. The latest version of the architecture (ARF 2.3.0) recognises these risks, however, the integration of appropriate mechanisms remains at the level of discussion and has not yet been implemented (due to complexity and certain technical limitations). The European Telecommunications Standards Institute (ETSI) recognises the importance of technical measures, such as zero-knowledge proofs (ZKPs), but it is shown that (for the time being) the complete elimination of tracking is not feasible due to the technical complexity and lack of interoperability.
Regarding the overall “flexibility” and accountability of the ecosystem, there are also several negative comments. For example, if a service decides to request more data than necessary, there is no mechanism for prevention or even control. At the same time, it is considered that a huge share of responsibility will be shifted to users, because they will be constantly asked to approve the credentials that will be shared with service providers. In fact, if something goes wrong (e.g. in the event of theft of the user’s device or electronic fraud), there are no sufficient protection measures and therefore the user bears a large share of the responsibilities. In fact, there is no provision (so far) for any kind of recovery or restoration process.
Finally, an additional concern relates to the expansion of the wallet's functionalities, as it is going to gradually collect all kinds of electronic documents and certificates (e.g. even travel credentials and electronic payment details). Thus, the risk of a "surveillance dossier" emerges, where a malicious analyst or attacker could discover an extensive set of information about a person through a single medium.
Towards a cautious acceptance or questioning of the framework?
Although the EUDI Wallet is an important step in the development of modern digital services on the Internet, it comes with several challenges. If citizens are to trust such a technological solution, they must do so with full awareness of the advantages as well as the potential risks involved. At the same time, experts must further develop and document the mechanisms that contribute to security and privacy, otherwise we risk moving from a “wallet that empowers users to protect their data” to a “wallet that exposes data arbitrarily”. Finally, the contribution of experts and civil society organisations is extremely important, as gaps and possible omissions can be identified and corrected before the final implementation.
*Giannis Konstantinidis (CISSP, CIPM, CIPP/E, ISO/IEC 27001 & 27701 Lead Implementer) is a cybersecurity consultant and member of Homo Digitalis since 2019.
Homo Digitalis Participates in the 1st Consultation Forum of the Ministry of Digital Governance on the AI Act
On July 2, 2025, Homo Digitalis participated in the 1st Consultation Forum titled: “The Implementation of the AI Act in Greece”, organized by the Ministry of Digital Governance and Expertise France.
The event was held in the context of the TSI Technical Support action “Integrating AI Technologies in the Greek Public Administration”, funded by the European Commission (SG REFORM). Its aim was for the Ministry to gather valuable information, exchange views with stakeholders, explore best practices, challenges, and prospects, and present its proposal for the implementation of the AI Act and AI governance in the country.
Homo Digitalis was invited to participate in the roundtable discussion of the thematic session “Artificial Intelligence in the Public Sector”, which focused on the challenges and opportunities of implementing AI systems by public sector entities in Greece.
During the event, we submitted our written views on the questions raised in the thematic session to the Ministry, distributed copies of our statements to relevant decision-making bodies, and presented them orally as part of our contribution during the roundtable discussion.
We sincerely thank the organizers and speakers of the event for including us and giving us the opportunity to share our positions! Homo Digitalis was represented by Eleftherios Chelioudakis, Co-founder and Executive Director of Homo Digitalis, who also is the editor our statements.
You can view our written positions here (in EL).