European Digital Identity Wallet (EUDI Wallet): The Uncomfortable Truth Behind the Innovation

By Giannis Konstantinidis*

Note: This is the English translation of the original article which was written in Greek.

A critical look at the EU’s new “wallet” and the hidden risks it poses to personal data protection and privacy in the digital age.

What are digital identities?

Digital identities are the set of information (e.g. name, professional status, address, telephone number, password) that characterise us when we use digital services on the Internet. In simple words, they are our “digital selves” when we connect to social networking platforms, e-government services, e-banking systems, etc. In practice, digital identities contain personal data which in many cases are also sensitive (e.g. in the case of e-health services). Therefore, digital identities must enable fast and trouble-free access to digital services and meanwhile be accompanied by strict safeguards regarding information security and data protection.

How have digital identities evolved?

There are three main models for organising digital identities (Figure 1). In the centralised model, an organisation maintains a central database with the digital identities of all its users. A key disadvantage of the centralised model is that users must maintain a separate account for each digital service they use. In contrast, in the federated model, organisations cooperate with each other and exchange digital identity information using a common protocol. For example, if a user has an account with a central provider (e.g. Facebook, Google, Microsoft or gov.gr), then they can log in to another compatible digital service with the same credentials. The federated model is therefore quite easy to use, although the overall management of digital identities and their attributes is carried out by a few providers (and those providers are in a position to observe the users’ activities across services).

Figure 1: In the centralised model, users have separate accounts (and passwords) for each service they use. In contrast, in the federated model, there are a few providers that act as single “gateways” to services. Finally, in the decentralised model, users use their digital wallets and ideally choose the specific information they want to share with service providers. (Creator Giannis Konstantinidis)

Therefore, in both the centralised and the federated model, a major concern is the concentration of a large amount of data in central locations that are attractive targets for attackers (see the many massive data breaches). As an “antidote”, the decentralised model has been proposed, which is often associated with the concept of “self-sovereign identity” (SSI). In this model, the user controls all the identity elements that the services will use. Instead of relying on a few providers, each user holds a set of “credentials”, issued by trusted entities, and keeps them in an application called a digital wallet or digital identity wallet. When the user needs to prove something (e.g. their age), they present the relevant credential directly; the credential was signed beforehand by the trusted organisation acting as issuer, so the recipient can check it without contacting the user’s other services. Ideally, the presentation of that credential reveals only the minimum data required and not the user’s entire set of personal data.

Figure 2: In the decentralised model, the issuer generates and delivers a credential to the user (holder) who stores it in the digital wallet. The user then presents the credential to a verifier, i.e. an organisation that requests confirmation of the user’s identity and/or status. The validity of the credential is verified based on the information found in a registry. (Creator Giannis Konstantinidis)

What is happening in the EU with digital identities?

With the revision of the eIDAS Regulation (2024/1183), the European Commission has established that each EU Member State must offer its citizens a digital identity wallet. This will be an application for mobile devices in which each user will be able to store documents in digital form (e.g. ID cards, driving licences, educational qualifications, social security documents and travel documents). The user’s interaction with the respective services will be done through the wallet, i.e. the user will select the credentials they wish to share. As mentioned earlier, users do not send entire documents; they send a selected presentation of certain data, combined with the digital evidence that cryptographically proves those data come from a validly issued document. Admittedly, the original vision of “self-sovereign identity” is significantly narrowed in the current design of the EUDI Wallet. In particular, the draft architecture (the Architecture and Reference Framework, ARF) foresees the use of a traditional Public Key Infrastructure (PKI): issuers and verifiers are trusted because they appear in certificate-based trust lists. Simply put, instead of building a fully decentralised system, the European Commission chooses to build on the existing infrastructures that already hold digital identity data. As such, it is more of a cross-border federated model in which users are responsible for managing and sharing their credentials on their own, rather than a fully decentralised model.

Is the protection of privacy and personal data enhanced or undermined?

Based on current developments, several risks related to data protection and privacy arise. First, the wallet can generate unique identifiers for each user (theoretically this is necessary to identify the user when accessing cross-border services in the EU), and several experts fear that these identifiers will allow the continuous monitoring and correlation of all user activities.

In particular, according to the position of a group of distinguished academics (specialists in cryptography), the proposed architecture does not include sufficient technical measures to limit the “observability” and prevent the “linkability” of user activities. This means that even if the user acts under pseudonyms, nothing stops service providers from collecting usage patterns and correlating them with each other, so in practice this gap allows user activities to be traced. The latest version of the architecture (ARF 2.3.0) acknowledges these risks; however, the integration of suitable mechanisms remains under discussion and has not yet been implemented (owing to complexity and certain technical limitations). The European Telecommunications Standards Institute (ETSI) recognises the importance of technical measures such as zero-knowledge proofs (ZKPs), but it also finds that, for the time being, completely eliminating tracking is not feasible because of technical complexity and the lack of interoperability.
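The issuer/holder/verifier exchange of Figure 2, the selective presentation described above and the linkability gap just discussed, shown together in one added worked example. This is constructed code written for this page; it is not code from the article, the ARF or any wallet implementation. It models the salted-hash selective-disclosure mechanism of SD-JWT (a format the article does not mention): the issuer signs only per-claim digests, the holder forwards the disclosures it chooses, and the verifier recomputes them. The issuer name, the claim names, the relying parties and the key are assumptions, and the issuer “signature” is an HMAC stand-in for a public-key signature because the Python standard library has no asymmetric primitive.

```python
"""Toy issuer / holder / verifier flow with selective disclosure.

Constructed example, not EUDI Wallet or ARF code. Modelled on the salted-hash
disclosure mechanism of SD-JWT. The issuer "signature" is an HMAC stand-in
for a public-key signature (assumption: a real verifier checks a signature
against the issuer's certificate from a trust list and shares no key).
"""
import hashlib
import hmac
import json
import secrets

# Assumption: stand-in for the issuer's signing key. The verifier "knows" it
# only because the stdlib offers no asymmetric signature primitive.
ISSUER_KEY = b"toy-issuer-signing-key"


def _digest(salt: str, name: str, value) -> str:
    """Digest of one disclosure; the random salt stops a verifier from
    brute-forcing undisclosed values (e.g. every possible birth date)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue(claims: dict) -> tuple[dict, dict]:
    """Issuer: salt every claim, sign the sorted digests, hand claims+salts to the holder."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    payload = {"iss": "toy-issuer", "_sd": digests}  # no plaintext claims in the signed part
    return {"payload": payload, "sig": _sign(payload)}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: forward the signed credential with only the requested disclosures."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation: dict):
    """Verifier: check the issuer signature, then that every disclosed claim
    hashes into the signed digest list. Returns the claims, or None on failure."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["payload"]), cred["sig"]):
        return None
    committed = set(cred["payload"]["_sd"])
    claims = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _digest(salt, name, value) not in committed:
            return None  # value altered, or never issued under this signature
        claims[name] = value
    return claims


def correlation_handle(presentation: dict) -> str:
    """What a relying party can log: the issuer signature is identical in every
    presentation of the same credential, so it works as a cross-service tracking key."""
    return presentation["credential"]["sig"]


def demo() -> dict:
    claims = {"given_name": "Maria", "age_over_18": True, "city": "Larissa"}  # constructed
    cred, disc = issue(claims)

    # Two relying parties receive different claims ...
    to_bar = present(cred, disc, ["age_over_18"])
    to_courier = present(cred, disc, ["given_name", "city"])
    # ... but the same signature, so their logs can be joined on it.
    linkable = correlation_handle(to_bar) == correlation_handle(to_courier)

    # A fresh single-use copy (new salts, new signature) carries no shared handle.
    cred2, disc2 = issue(claims)
    unlinkable = correlation_handle(present(cred, disc, ["age_over_18"])) != correlation_handle(
        present(cred2, disc2, ["age_over_18"]))

    return {
        "bar_sees": verify(to_bar),
        "courier_sees": verify(to_courier),
        "same_credential_linkable": linkable,
        "fresh_copy_unlinkable": unlinkable,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the two sides of the argument at once: the bar learns only `age_over_18` and the courier only name and city (data minimisation works), yet both hold the same signature value, which is exactly the kind of stable handle the cryptographers’ objection is about. Issuing fresh single-use copies removes that handle between relying parties, but not towards the issuer, which knows every copy it signed; that residual observability is why the stronger measures (ZKPs) keep coming up in the discussion.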

Regarding the overall “flexibility” and accountability of the ecosystem, there are also several negative comments. For example, if a service decides to request more data than necessary, there is no mechanism to prevent this or even to check it afterwards. At the same time, a huge share of responsibility is expected to shift to users, because they will constantly be asked to approve the credentials that will be shared with service providers. If something goes wrong (e.g. theft of the user’s device or electronic fraud), there are no sufficient protection measures, and the user therefore bears a large share of the consequences. Moreover, there is no provision (so far) for any kind of recovery or restoration process.

Finally, an additional concern relates to the expansion of the wallet’s functionalities, as it is going to gradually collect all kinds of electronic documents and certificates (e.g. even travel credentials and electronic payment details). Thus, the risk of a “surveillance dossier” emerges, where a malicious analyst, or an attacker who gains access to the wallet, could learn an extensive amount about a person from a single source.

Towards a cautious acceptance or questioning of the framework?

Although the EUDI Wallet is an important step in the development of modern digital services on the Internet, it comes with several challenges. If citizens are to trust such a technological solution, they must do so with full awareness of the advantages as well as the potential risks involved. At the same time, experts must further develop and document the mechanisms that contribute to security and privacy, otherwise we risk moving from a “wallet that empowers users to protect their data” to a “wallet that exposes data arbitrarily”. Finally, the contribution of experts and civil society organisations is extremely important, as gaps and possible omissions can be identified and corrected before the final implementation.

*Giannis Konstantinidis (CISSP, CIPM, CIPP/E, ISO/IEC 27001 & 27701 Lead Implementer) is a cybersecurity consultant and member of Homo Digitalis since 2019.


Homo Digitalis Speaks Once Again at CPDP!

Homo Digitalis participated once again in the largest international conference on data protection, Computers, Privacy and Data Protection (CPDP), with a talk on the panel “Protecting the Digital Rights of Asylum Seekers and Refugees”, organized by the Centre for Fundamental Rights – Hertie School!

Eleftherios Chelioudakis, Co-Founder and Executive Director of Homo Digitalis, represented us as a speaker on the panel, alongside Francesca Palmiotto (IE University), Derya Ozkul (University of Warwick), and Joanna Parkin (EDPS – European Data Protection Supervisor) on Friday, May 23.

Congratulations to the organizing team at the Hertie School and to Ida Reihani for the excellent collaboration!


Homo Digitalis at Startup Europe Week 2025 of JOIST Park

On 13 May, we are expecting you at JOIST Innovation Park, where innovation meets opportunity.
This year’s event brings together pioneers in artificial intelligence, cybersecurity, scientific research and entrepreneurship without borders, for a day full of bold ideas and real impact.

What does the programme include?
AI, Cybersecurity, and the Future of Startups
• Lamprini Gyftokosta – Homo Digitalis
• Anastasios Arampatzis – Cybersecurity Expert
• Panagiotis Pierros – TicTac S.A.

Bridging the Gap: Turning European Scientific Research into Startups
• Ioannis Kouroutzis – University of Thessaly
• Fotis Tekos – Foodoxys / Olea Fortius
• Kelly Papadopoulou – Pi tech
• Konstantinos Akrivos – Indeex

Scaling Startups Across Borders in Europe
• Lambros Kourtis – Investor & VC Member
• Manuel Seuffert – IMP³ROVE Academy
• Achilleas Barlas – Enterprise Europe Network Hellas

Are you ready to connect with the European startup ecosystem?

Register here.


Developments Regarding the Programmatic Agreement Between the Ministry of Health and Private Entities Concerning the Provision of Newborns’ Genetic Material

There are new developments concerning the significant revelations published by Reporters United in early April, regarding the programmatic agreement between the Ministry of Health and private entities, which involves the provision of newborns’ genetic material for testing purposes and the potential creation of a biobank—as well as the complaint submitted by Homo Digitalis to the Hellenic Data Protection Authority (HDPA) on the matter.

On Friday, May 9, the HDPA issued a press release, stating that it has taken up the case and is awaiting the Ministry of Health’s response to a relevant official document it has sent.

On the same day, the Advisory and Compliance Tools Department of the HDPA, following up on our communication of April 25, informed Homo Digitalis that the case is currently under preliminary investigation, based on Article 57(1)(a) and (h) of the GDPR. According to these provisions, the HDPA monitors and enforces the application of the GDPR in Greece and may conduct investigations, including those based on information received from other supervisory or public authorities.

To further raise awareness about the challenges arising from the processing of genetic data, our member Anastasios Arampatzis has prepared an article on the 23andMe case in the U.S., describing the events surrounding a major data breach affecting approximately 6.9 million users.

Read more here.


We Submitted a Request to the Hellenic Data Protection Authority (HDPA) to Investigate the Programmatic Agreement Between the Ministry of Health and the Company Real Genix and the NGO Beginnings - Newborn Sequencing Initiative

On Friday, April 11, the newspaper Efimerida ton Syntakton and the network Reporters United revealed the programmatic agreement between the Ministry of Health and the company Real Genix along with the NGO Beginnings – Newborn Sequencing Initiative.

The agreement concerns the privatization of neonatal screening and involves the processing of special categories of personal data, specifically genetic data.

Based on the content of the programmatic agreement, there appears to be insufficient reference to compliance with data protection legislation. The roles of the involved parties are not clearly defined, and there is no information provided to inspire public trust regarding the seriousness with which research projects involving special categories of personal data should be handled.

For this reason, on April 14, we submitted a request before the Hellenic Data Protection Authority (HDPA) to investigate the matter, as significant challenges arise regarding the protection of sensitive personal data under this agreement. You can read our full submission here.

Furthermore, following our request to the Data Protection Authority, on April 15 we sent an email to the DPO (Data Protection Officer) of the Ministry of Health, in which we ask the DPO to:

A) Inform us of the actions taken in the context of the DPO’s duties at the Ministry of Health, specifically regarding this programmatic agreement:

  1. Let us know whether the DPO has issued guidance or provided information to the Minister of Health or other relevant departments of the Ministry concerning this agreement;

  2. Inform us whether the DPO has provided advice regarding the need for a Data Protection Impact Assessment (DPIA) in relation to this project, either to the Minister or to other competent services within the Ministry;

  3. Inform us whether the DPO has contacted the HDPA about this programmatic agreement and the associated project.

Additionally, if the DPO has issued any written guidance or communications to the Minister or other Ministry departments in relation to points A1 and A2, we respectfully request access to these documents, in accordance with our right as Greek citizens to access public records, as defined in Article 5(5) of the Code of Administrative Procedure (Law 2690/1999, A’ 45), as currently in force, taking into account the relevant Ministerial Decision of the Minister of the Interior (No. 21797/31-12-2024).

We look forward to receiving the relevant responses.


Homo Digitalis co-organized and participated in the event "Cybersecurity and Data Protection: Resilience, Compliance, Innovation" at JOIST

Two weeks ago, Homo Digitalis co-organized and participated in the event “Cybersecurity and Data Protection: Resilience, Compliance, Innovation” at JOIST Innovation Park, in Larissa, Greece.

Our Director on Human Rights & AI, Lamprini Gyftokosta, represented us there, while our member Anastasios Arampatzis, representing Bora – Cybersecurity Marketing, moderated the discussion!

With a focus on raising awareness among SMEs and entrepreneurs on data protection and cybersecurity, our panel brought together key experts to explore security, compliance, and innovation, working towards a privacy-preserving digital future.

The list of our esteemed co-panelists included:

-Michail Bletsas – Governor, National Cybersecurity Authority

-Panagiotis Soulos – ISC2 Hellenic Chapter, Audit Committee Member, Information Security GRC Senior Manager, STEELMET Corporate Services

-Yiannis Koukoùras – ISC2 Hellenic Chapter Member, Managing Director, TwelveSec

-Karina Iskandarova – Founder, CharismaWorks

A huge thank you to JOIST’s team and the rest of co-organizers, speakers, and participants for this wonderful evening.


We co-sign a CSO Open Letter on the proposed GDPR Procedural Regulation

As the trilateral negotiations at the EU level continue regarding the proposed regulation on additional procedural rules for the enforcement of the GDPR, we, together with European Digital Rights and 34 other Civil Society organizations, join our voices in an open letter to lawmakers!

We urge them to prioritize strong enforcement mechanisms that ensure individuals can effectively exercise their rights while highlighting the systemic weaknesses in the enforcement of GDPR provisions.

Read the open letter here.


Interview of Our President at Women in Digital

Elpida Vamvaká, President of Homo Digitalis and General Legal Counsel at Papaki, spoke to Women in Digital about the need to protect digital rights in Greece, the importance of technology that places people at the center, and the ways in which artificial intelligence can operate responsibly and ethically.


With a focus on the challenges of cybersecurity, the importance of education, and the promotion of gender equality in the tech field, Elpida highlights her vision for a fair, sustainable, and inclusive digital society in her interview. You can read her interview here.


Women In Digital is the editorial and conference initiative of Smarpress. The foundation was laid with the first Women In Digital conference on 8/3/21, where 40 prominent “strong women” from Technology, IT, Startups, and Digital Marketing took the stage. Readers can follow the content through the monthly newsletter or the dedicated website. WID draws its topics from the work of women, both Greek and international, who are active in the STEM sector or apply their digital skills in more traditional fields.


The Hellenic Data Protection Authority Investigates DeepSeek

In a letter addressed to Homo Digitalis on February 5, following our January 30, 2025 request, the Audit and Security Department and the rapporteur auditor, Ms. F. Karvela, informed us that the Authority “has already initiated an ex officio investigation into the companies Hangzhou DeepSeek Artificial Intelligence Co., Ltd. and Beijing DeepSeek Artificial Intelligence Co., Ltd., in accordance with the provisions of Articles 57(1)(a), 58(1)(b) of the GDPR and Articles 13(1)(h) and 15(1) of Law 4624/2019.”

We eagerly await further information regarding the HDPA’s ex officio investigation, the progress of the procedure, and any developments in this case in the near future.