European Digital Identity Wallet (EUDI Wallet): The Uncomfortable Truth Behind the Innovation
By Giannis Konstantinidis*
Note: This is the English translation of the original article which was written in Greek.
A critical look at the EU’s new “wallet” and the hidden risks it poses to personal data protection and privacy in the digital age.
What are digital identities?
Digital identities are the set of information (e.g. name, professional status, address, telephone number, password) that characterise us when we use digital services on the Internet. In simple words, they are our “digital selves” when we connect to social networking platforms, e-government services, e-banking systems, etc. In practice, digital identities contain personal data which in many cases are also sensitive (e.g. in the case of e-health services). Therefore, digital identities must enable fast and trouble-free access to digital services and meanwhile be accompanied by strict safeguards regarding information security and data protection.
How have digital identities evolved?
There are three main models for organising digital identities (Figure 1). In the centralised model, an organisation maintains a central database with the digital identities of all users. A key disadvantage of the centralised model is that users must maintain a separate account for each digital service they use. In contrast, in the federated model, organisations cooperate with each other and exchange digital identity information using a common protocol. For example, if a user has an account with a central provider (e.g. Facebook, Google, Microsoft or gov.gr), then they can log in to another compatible digital service with the same information. Therefore, the federated model is quite easy to use, although the overall management of digital identities and their attributes is carried out by a few providers (who might be aware of the users’ activities).
Figure 1: In the centralised model, users have separate accounts (and passwords) for each service they use. In contrast, in the federated model, there are a few providers that act as single “gateways” to services. Finally, in the decentralised model, users use their digital wallets and ideally choose the specific information they want to share with service providers. (Creator Giannis Konstantinidis)
Therefore, in both the centralised and the federated model, a major concern is the concentration of a large amount of data in central locations that are considered attractive to malicious attackers (see massive data breaches). As an “antidote”, the decentralised model has been proposed, which is often associated with the concept of “self-sovereign identity” (SSI). In this model, the user controls all the identity elements that are to be used by the services. Instead of relying upon a few providers, each user holds a set of “credentials”, which have been issued by trusted entities, and maintains them in an application called a digital wallet or digital identity wallet. When the user needs to prove something (e.g. their age), the digital credential is directly presented (signed beforehand by a trusted organisation that serves as the issuer). Ideally, the presentation of that digital credential reflects the minimum amount of the required data and does not reveal the entire personal data of the user.
Figure 2: In the decentralised model, the issuer generates and delivers a credential to the user (holder) who stores it in the digital wallet. The user then presents the credential to a verifier, i.e. an organisation that requests confirmation of the user’s identity and/or status. The validity of the credential is verified based on the information found in a registry. (Creator Giannis Konstantinidis)
What is happening in the EU with digital identities?
With the revision of the eIDAS Regulation (2024/1183), the European Commission has established that each EU Member-State must offer its citizens a digital identity wallet. This will be an application for mobile devices in which each user will be able to store documents in digital form (e.g. ID cards, driving licenses, educational qualifications, social security documents and other travel documents). The user's interaction with the respective services will be done through the wallet, i.e. the user will select the credentials they wish to share. As mentioned earlier, the entire documents are not sent by each user, but a selected presentation of certain data in combination with the appropriate digital evidence that cryptographically proves the validity of those documents. Admittedly, the original vision of a “sovereign identity” seems to be significantly limited in the current design of the EUDI Wallet. In particular, the draft architecture (i.e. Architecture and Reference Framework - ARF) foresees the use of a traditional Public Key Infrastructure (PKI). Simply put, instead of leveraging a fully decentralised system, the European Commission chooses to leverage existing infrastructures that collect digital identity data. As such, it is more of a cross-border federated model in which users are responsible for managing and sharing their credentials on their own, rather than a fully decentralised model.
Is the protection of privacy and personal data enhanced or undermined?
Based on current developments, several risks related to data protection and privacy arise. First, the wallet can generate unique identifiers for each user (although theoretically this is necessary to identify the user when accessing cross-border services in the EU) and several experts express fear that these identifiers will allow for the continuous monitoring and correlation of all user activities.
In particular, according to the position of a group of distinguished academics (specialists in cryptography), the proposed architecture does not include sufficient technical measures to limit the “observability” and prevent the “linkability” of user activities. This means that even if user activities are carried out through the use of pseudonyms, there is no special care to prevent service providers from collecting usage patterns and correlating them with each other. So, in practice, this gap allows the tracing of user activities. The latest version of the architecture (ARF 2.3.0) recognises these risks; however, the integration of appropriate mechanisms remains at the level of discussion and has not yet been implemented (due to complexity and certain technical limitations). The European Telecommunications Standards Institute (ETSI) recognises the importance of technical measures, such as zero-knowledge proofs (ZKPs), but it is shown that (for the time being) the complete elimination of tracking is not feasible due to the technical complexity and lack of interoperability.
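The selective presentation described earlier and the linkability concern raised above can be seen together in a small model. This is an added example, not code from the article or from the EUDI Wallet project: it assumes a salted-hash selective-disclosure credential, uses an HMAC as a stand-in for the issuer's PKI signature, and all names and sample values are constructed.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC with a demo key stands in for the issuer's PKI signature.
ISSUER_KEY = secrets.token_bytes(32)

def digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: salt and hash each claim, then sign only the list of digests."""
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": sign(digests), "disclosures": disclosures}

def present(credential, reveal):
    """Holder: disclose chosen claims; the signed part goes out unchanged."""
    return {"digests": credential["digests"], "sig": credential["sig"],
            "disclosed": {n: credential["disclosures"][n] for n in reveal}}

def verify(presentation):
    """Verifier: returns the disclosed claims, or None if anything fails."""
    if not hmac.compare_digest(sign(presentation["digests"]), presentation["sig"]):
        return None
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if digest(salt, name, value) not in presentation["digests"]:
            return None
        claims[name] = value
    return claims

def linkable(p1, p2):
    """Two verifiers comparing records: equal signed parts mean one credential."""
    return p1["sig"] == p2["sig"]

# Constructed sample data, not a real person or credential.
SAMPLE = {"name": "A. Example", "birth_date": "1990-01-01",
          "age_over_18": True, "address": "1 Sample Street"}

def demo():
    cred = issue(SAMPLE)
    shop = present(cred, ["age_over_18"])        # minimal disclosure
    bank = present(cred, ["name", "address"])    # different attributes
    # Assumption: a second, separately issued copy of the same claims.
    other = present(issue(SAMPLE), ["age_over_18"])
    return {"shop_sees": verify(shop), "bank_sees": verify(bank),
            "shop_bank_linkable": linkable(shop, bank),
            "separate_copy_linkable": linkable(shop, other)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The shop learns only `age_over_18`, yet the unchanged signed part lets its record be matched with the bank's, which is the correlation the academics warn about. The separately issued copy does not match, because its salts and signature differ.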
Regarding the overall “flexibility” and accountability of the ecosystem, there are also several negative comments. For example, if a service decides to request more data than necessary, there is no mechanism for prevention or even control. At the same time, it is considered that a huge share of responsibility will be shifted to users, because they will be constantly asked to approve the credentials that will be shared with service providers. In fact, if something goes wrong (e.g. in the event of theft of the user’s device or electronic fraud), there are not sufficient protection measures and therefore the user bears a large share of the responsibilities. Moreover, there is no provision (so far) for any kind of recovery or restoration process.
Finally, an additional concern relates to the expansion of the wallet's functionalities, as it is going to gradually collect all kinds of electronic documents and certificates (e.g. even travel credentials and electronic payment details). Thus, the risk of a "surveillance dossier" emerges, where a malicious analyst or attacker could discover an extensive set of information about a person through a single medium.
Towards a cautious acceptance or questioning of the framework?
Although the EUDI Wallet is an important step in the development of modern digital services on the Internet, it comes with several challenges. If citizens are to trust such a technological solution, they must do so with full awareness of the advantages as well as the potential risks involved. At the same time, experts must further develop and document the mechanisms that contribute to security and privacy, otherwise we risk moving from a “wallet that empowers users to protect their data” to a “wallet that exposes data arbitrarily”. Finally, the contribution of experts and civil society organisations is extremely important, as gaps and possible omissions can be identified and corrected before the final implementation.
*Giannis Konstantinidis (CISSP, CIPM, CIPP/E, ISO/IEC 27001 & 27701 Lead Implementer) is a cybersecurity consultant and member of Homo Digitalis since 2019.
Schools in Messinia at the Heart of Digital Awareness
From March 31 to May 7, the NGO Homo Digitalis visited 11 primary and secondary schools across Messinia, bringing education and awareness on internet safety closer to students.
During the workshops held in Arfara, Dorio, Eva, Thouria, Kalamata, Kyparissia, Pylos, Filiatra, Finikounda, and Chora, a total of 554 students engaged with key issues of the digital world, such as: cyberbullying, online safety, recognition and understanding of deepfakes, and responsible use of social media.
Raising awareness and informing both children and adults is a vital step toward a safe and healthy experience in the digital space.
The initiative was supported by the “Captain Vassilis and Carmen Constantakopoulos” Foundation and it will continue with new sessions from September to December 2025.
If your school is located in Messinia and would like to host these free educational sessions, please contact the Homo Digitalis team at info@homodigitalis.gr.
I HAVE RIGHTS and Homo Digitalis Publish Report on the Situation in the Samos Closed Controlled Access Centre (CCAC) One Year After the Fine Issued by the Hellenic Data Protection Authority for KENTAURUS and HYPERION Systems
The Hellenic Ministry of Migration (MoMA) continues to violate data protection rights of asylum seekers in the Samos Closed Controlled Access Centre (CCAC), I Have Rights and Homo Digitalis said in a report released today.
The report, titled “They Never Tell Us Anything”: Ongoing Data Rights Violations in the Samos CCAC, analyses the implementation of a compliance order issued by the Hellenic Data Protection Authority (HDPA) in April 2024. In this historic ruling, the HDPA had found that MoMA’s use of surveillance technologies in reception facilities across Greece, including biometric access systems and surveillance infrastructure tools, violates EU data protection laws (GDPR).
Ten months after the passing of the implementation period in July 2024, the report finds that MoMA has failed to comply with the order. “The ongoing violations of data protection rights in the Samos CCAC are emblematic of a system where control and surveillance are prioritised over the rights of those seeking protection” said Réka Rebeka Rósa, Legal and Team Coordinator at I Have Rights. “The European Union should press Greek authorities to address prevailing rights violations. Otherwise, these violations risk becoming a blueprint for further (digital) rights abuse of people on the move across Europe.”
The Samos CCAC opened in September 2021 as the first of the now existing five facilities in Greece, following an agreement between the European Commission and the Greek Government in 2020. Since its opening, NGOs, international human rights experts and people held in the facility have consistently raised concerns about the facility’s securitised infrastructure, de facto detention practices, and inadequate living conditions.
These concerns are exacerbated by the overall lack of transparency in the Greek asylum procedure and opaque surveillance system in the Samos CCAC.
As one client explained about the lack of transparency in biometric data collection: “No, no one explains it. They only take fingerprints and take us from one place to another, and we do it without knowing why. There is no person to explain what is happening.”
Greece has legal and moral obligations to uphold fundamental rights and data protection rights of asylum seekers, as enshrined in the European Charter of Fundamental Rights and GDPR. The European Union, in particular the European Commission – given its central role in conceptualising, financing, operating, and monitoring the CCACs in Greece – bears responsibility to ensure that these standards are fully respected. “The continued lack of GDPR compliance, in terms of transparency and accountability in the deployment of the Centaur and Hyperion surveillance systems, at the Samos CCAC reflects a disturbing erosion of the fundamental rights. By failing to meet even the basic requirements of data protection in practice, MoMA is reinforcing a dangerous trend of surveillance-driven border management that dehumanizes people on the move” said Eleftherios Chelioudakis, Executive Director at Homo Digitalis.
Homo Digitalis Successfully Participates in TEDxPatras Representing NGI TALER
On May 17, Homo Digitalis had the great honor of participating in TEDxPatras at the Conference and Cultural Center of the University of Patras, proudly representing NGI TALER!
We delivered a 40-minute workshop, during which we had the opportunity to discuss digital payments, business models that track consumer behavior for profit, the relevant legal framework, and the importance of reshaping the future of digital payments with a focus on privacy protection and promoting free software solutions like GNU TALER (Taler Systems S.A.).
Our presentation also highlighted the ongoing funding calls under the NGI TALER project, as well as the academic materials that have been developed and are freely available on the NGI TALER website.
Alexandra Giannopoulou and Eleftherios Chelioudakis represented Homo Digitalis at this event.
We warmly thank the organizers for the opportunity to participate!
Homo Digitalis speaks at Digital World Summit Greece
Speaker Announcement | Digital World Summit Greece 2025 – 22/05/2025
We are pleased to announce that Stefanos Vitoratos will represent Homo Digitalis as a speaker on the second panel of Digital World Summit Greece 2025, titled:
“The Future of Artificial Intelligence: The Next Decade in AI Development and Best Practices.”
Register here to attend the conference for free, either in person at Technopolis City of Athens or online.
Stefanos Vitoratos is a Co-founder of Homo Digitalis and Managing Partner at Digital Law Experts (DLE), specializing in data protection compliance, cybersecurity, and artificial intelligence.
He is a member of the European Data Protection Board (EDPB) Pool of Experts for Greece, Co-Chair of the Hellenic Knowledgenet Chapter of the International Association of Privacy Professionals (IAPP), and has been awarded the title Fellow of Information Privacy (FIP) by IAPP, holding both CIPP/E and CIPM certifications.
He is also a member of the Research Group of the Center for AI & Digital Policy (CAIDP) and collaborates with the European Commission as an Ethics Expert for funded projects. In the past, he has served as a consultant for leading companies in Greece as well as at the Permanent Representation of Greece to NATO.
In parallel, he is pursuing his academic path as a PhD Candidate in the Department of Public Administration at Panteion University, focusing on AI in public administration and public-private cooperation in relevant projects. He holds a Law degree from the National and Kapodistrian University of Athens, and two Master’s degrees from City, University of London and Panteion University.
He frequently delivers professional seminars, publishes scholarly articles, and participates in academic conferences as a speaker or moderator.
Homo Digitalis at Startup Europe Week 2025 of JOIST Park
On May 13, we look forward to seeing you at JOIST Innovation Park, where innovation meets opportunity.
This year’s event brings together pioneers in artificial intelligence, cybersecurity, scientific research and borderless entrepreneurship, for a day full of bold ideas and meaningful impact.
What does the programme include?
AI, Cybersecurity, and the Future of Startups
• Lamprini Gyftokosta – Homo Digitalis
• Anastasios Arampatzis – Cybersecurity Expert
• Panagiotis Pierros – TicTac S.A.
Bridging the Gap: Turning European Scientific Research into Startups
• Ioannis Kouroutzis – University of Thessaly
• Fotis Tekos – Foodoxys / Olea Fortius
• Kelly Papadopoulou – Pi tech
• Konstantinos Akrivos – Indeex
Scaling Startups Across Borders in Europe
• Lampros Kourtis – Investor & VC Member
• Manuel Seuffert – IMP³ROVE Academy
• Achilleas Barlas – Enterprise Europe Network Hellas
Are you ready to connect with the European startup ecosystem?
Register here.
Homo Digitalis is once again participating in the Digital World Summit Greece "AI Realities: Policy, Possibilities, Power"
The Digital World Summit Greece returns in 2025, taking place in Athens on Thursday, May 22, to shape the ongoing discussion around the developments and realities of Artificial Intelligence at a technological, political, social, and cultural level.
This year’s conference focuses on three key pillars:
- Opportunities and challenges for Greece as a hotspot of technological advancement
- The next steps in AI evolution and best practices
- Safe development and use of Artificial Intelligence
Renowned speakers and representatives from the government, private and public sector, civil society, as well as the technical and academic community, will gather to discuss and propose solutions regarding crucial aspects of AI use and governance at national, European, and global levels.
The event will conclude with networking drinks.
Thursday, May 22 | 10:00–18:30 at Technopolis City of Athens – “Miltiadis Evert” Amphitheatre & Online
Free admission (registration required). Secure your spot and help shape the Future of Artificial Intelligence here.
Stay tuned to Digital World Summit Greece’s channels for more updates on themes and speakers!
Article 77 of the AI Act: 6 months after the designation of the Fundamental Rights Authorities
The first official deadline set by the Artificial Intelligence Regulation (AI Act) required member states to appoint, by November 2, 2024, one or more authorities for the protection of fundamental rights in accordance with Article 77.
Today, May 2, 2025 — six months after the deadline — 25 out of the 27 European countries have appointed a total of 210 authorities, a number that seems staggering and at the same time sends a strong message about how seriously these countries take the issue of fundamental rights. But does it reflect reality?
With this brief study, we aim to provide answers to the following questions:
- What is the purpose of Article 77 of the AI Regulation?
- Which authorities have been appointed by the member states to date?
- What powers does the AI Regulation actually grant to these regulatory authorities, and what obligations arise from Article 78 of the AI Regulation regarding the confidentiality of information?
- Who are the four national authorities that have taken on this role, and what are their existing and new powers under the AI Regulation?
Through a case study, our Director on Fundamental Rights and AI, Lamprini Gyftokosta, attempts to explore how these authorities will cooperate, while also raising some questions that will undoubtedly concern us over time.
You can read our study here (EL).
Homo Digitalis at TEDx Patras
TEDxPatras returns for its 10th anniversary edition, bringing to the forefront powerful ideas, innovative approaches, and experiences that reshape the way we view the future, under the theme “Once Upon Tomorrow.”
On Saturday, May 17, 2025, the Conference and Cultural Center of the University of Patras will host the largest TEDxPatras event to date, featuring a unique program that includes renowned speakers, interactive workshops, networking hubs, and original experiences for all participants.
Homo Digitalis is proud to participate in this year’s event as a Community Partner, and we are excited to be hosting a dedicated workshop presenting the mission of NGI TALER!
The goal of the workshop is to explain the challenges in digital payments and the solutions offered by the NGI TALER payment tool, as well as to highlight funding opportunities available through the NGI – Next Generation Internet programs.
Our representatives at the event will be Eleftherios Chelioudakis and Alexandra Giannopoulou.
We warmly thank the organizing team for the kind invitation and the great collaboration!
Book your ticket here.
More information about the workshop available here.