European Digital Identity Wallet (EUDI Wallet): The Uncomfortable Truth Behind the Innovation
By Giannis Konstantinidis*
Note: This is the English translation of the original article which was written in Greek.
A critical look at the EU’s new “wallet” and the hidden risks it poses to personal data protection and privacy in the digital age.
What are digital identities?
Digital identities are the set of information (e.g. name, professional status, address, telephone number, password) that characterise us when we use digital services on the Internet. In simple words, they are our “digital selves” when we connect to social networking platforms, e-government services, e-banking systems, etc. In practice, digital identities contain personal data which in many cases are also sensitive (e.g. in the case of e-health services). Therefore, digital identities must enable fast and trouble-free access to digital services and meanwhile be accompanied by strict safeguards regarding information security and data protection.
How have digital identities evolved?
There are three main models for organising digital identities (Figure 1). In the centralised model, an organisation maintains a central database with the digital identities of all users. A key disadvantage of the centralised model is that users must maintain a separate account for each digital service they use. In contrast, in the federated model, organisations cooperate with each other and exchange digital identity information using a common protocol. For example, if a user has an account with a central provider (e.g. Facebook, Google, Microsoft or gov.gr), then they can log in to another compatible digital service with the same information. The federated model is therefore quite easy to use, although the overall management of digital identities and their attributes is carried out by a few providers (who might be aware of the users’ activities).
Figure 1: In the centralised model, users have separate accounts (and passwords) for each service they use. In contrast, in the federated model, there are a few providers that act as single “gateways” to services. Finally, in the decentralised model, users use their digital wallets and ideally choose the specific information they want to share with service providers. (Creator Giannis Konstantinidis)
Therefore, in both the centralised and the federated model, a major concern is the concentration of a large amount of data in central locations that are considered attractive to malicious attackers (see massive data breaches). As an “antidote”, the decentralised model has been proposed, which is often associated with the concept of “self-sovereign identity” (SSI). In this model, the user controls all the identity elements that are to be used by the services. Instead of relying upon a few providers, each user holds a set of “credentials”, which have been issued by trusted entities, and maintains them in an application called a digital wallet or digital identity wallet. When the user needs to prove something (e.g. their age), the digital credential is directly presented (signed beforehand by a trusted organisation that serves as the issuer). Ideally, the presentation of that digital credential reflects the minimum amount of the required data and does not reveal the entire personal data of the user.
Figure 2: In the decentralised model, the issuer generates and delivers a credential to the user (holder) who stores it in the digital wallet. The user then presents the credential to a verifier, i.e. an organisation that requests confirmation of the user’s identity and/or status. The validity of the credential is verified based on the information found in a registry. (Creator Giannis Konstantinidis)
What is happening in the EU with digital identities?
With the revision of the eIDAS Regulation (2024/1183), the European Commission has established that each EU Member State must offer its citizens a digital identity wallet. This will be an application for mobile devices in which each user will be able to store documents in digital form (e.g. ID cards, driving licenses, educational qualifications, social security documents and other travel documents). The user's interaction with the respective services will take place through the wallet, i.e. the user will select the credentials they wish to share. As mentioned earlier, the user does not send entire documents, but rather a selected presentation of certain data, combined with the digital evidence that cryptographically proves the validity of those documents. Admittedly, the original vision of a “sovereign identity” seems to be significantly limited in the current design of the EUDI Wallet. In particular, the draft architecture (i.e. the Architecture and Reference Framework, ARF) foresees the use of a traditional Public Key Infrastructure (PKI). Simply put, instead of leveraging a fully decentralised system, the European Commission chooses to leverage existing infrastructures that collect digital identity data. As such, it is more of a cross-border federated model in which users are responsible for managing and sharing their credentials on their own, rather than a fully decentralised model.
Is the protection of privacy and personal data enhanced or undermined?
Based on current developments, several risks related to data protection and privacy arise. First, the wallet can generate unique identifiers for each user (although theoretically this is necessary to identify the user when accessing cross-border services in the EU) and several experts express fear that these identifiers will allow for the continuous monitoring and correlation of all user activities.
In particular, according to the position of a group of distinguished academics (specialists in cryptography), the proposed architecture does not include sufficient technical measures to limit the “observability” and prevent the “linkability” of user activities. This means that even if user activities are carried out through the use of pseudonyms, there is no special care to prevent service providers from collecting usage patterns and correlating them with each other. So, in practice, this gap allows the tracing of user activities. The latest version of the architecture (ARF 2.3.0) recognises these risks; however, the integration of appropriate mechanisms remains at the level of discussion and has not yet been implemented (due to complexity and certain technical limitations). The European Telecommunications Standards Institute (ETSI) recognises the importance of technical measures, such as zero-knowledge proofs (ZKPs), but it appears that (for the time being) the complete elimination of tracking is not feasible due to the technical complexity and lack of interoperability.
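The selective-disclosure and linkability points above, as an added example (not code from the article or from the ARF): a simplified salted-hash credential in which an HMAC stands in for the issuer's PKI signature. All names and sample claims are constructed, and the single-use reissuance at the end is an assumption used for comparison, not a measure the article describes.

```python
import hashlib, hmac, json, os

# Assumption: an HMAC key stands in for the issuer's PKI signing key, so the
# verifier here shares it; a real verifier would use the issuer's public key.
ISSUER_KEY = os.urandom(32)

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to each claim with a salted hash, sign the digest list."""
    disclosures = {n: (os.urandom(16).hex(), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
    return {"digests": digests, "sig": _sign(digests), "disclosures": disclosures}

def present(credential, reveal):
    """Holder (wallet): send the signed digests plus only the chosen claims."""
    return {"digests": credential["digests"], "sig": credential["sig"],
            "revealed": {n: credential["disclosures"][n] for n in reveal}}

def verify(presentation):
    """Verifier: check the signature, then each revealed claim's digest."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["sig"]):
        raise ValueError("issuer signature does not match")
    claims = {}
    for name, (salt, value) in presentation["revealed"].items():
        if _digest(salt, name, value) not in presentation["digests"]:
            raise ValueError(f"claim {name!r} is not covered by the signature")
        claims[name] = value
    return claims

def linkable(p1, p2):
    """What two verifiers comparing notes can do: match the static signature."""
    return hmac.compare_digest(p1["sig"], p2["sig"])

# Constructed sample claims for one holder.
SAMPLE = {"name": "A. Example", "birth_date": "1990-01-01", "age_over_18": True}

def demo():
    cred = issue(SAMPLE)
    to_shop = present(cred, ["age_over_18"])   # minimal disclosure
    to_clinic = present(cred, ["name"])        # different claim, same credential
    seen_by_shop = verify(to_shop)
    reused = linkable(to_shop, to_clinic)      # same digests and signature
    # Assumption for comparison: the issuer hands out single-use credentials,
    # so each presentation carries fresh salts and a fresh signature.
    fresh = linkable(present(issue(SAMPLE), ["age_over_18"]),
                     present(issue(SAMPLE), ["name"]))
    return seen_by_shop, reused, fresh

if __name__ == "__main__":
    print(demo())
```

The shop learns only `age_over_18`, yet the signature it receives is byte-identical to the one the clinic receives, which is the correlation handle the paragraph describes. Single-use credentials remove that handle between verifiers only; the issuer still sees every issuance.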
Regarding the overall “flexibility” and accountability of the ecosystem, there are also several negative comments. For example, if a service decides to request more data than necessary, there is no mechanism for prevention or even control. At the same time, it is considered that a huge share of responsibility will be shifted to users, because they will be constantly asked to approve the credentials that will be shared with service providers. If something goes wrong (e.g. in the event of theft of the user’s device or electronic fraud), there are no sufficient protection measures and therefore the user bears a large share of the responsibilities. Moreover, there is no provision (so far) for any kind of recovery or restoration process.
Finally, an additional concern relates to the expansion of the wallet's functionalities, as it is going to gradually collect all kinds of electronic documents and certificates (e.g. even travel credentials and electronic payment details). Thus, the risk of a "surveillance dossier" emerges, where a malicious analyst or attacker could discover an extensive set of information about a person through a single medium.
Towards a cautious acceptance or questioning of the framework?
Although the EUDI Wallet is an important step in the development of modern digital services on the Internet, it comes with several challenges. If citizens are to trust such a technological solution, they must do so with full awareness of the advantages as well as the potential risks involved. At the same time, experts must further develop and document the mechanisms that contribute to security and privacy, otherwise we risk moving from a “wallet that empowers users to protect their data” to a “wallet that exposes data arbitrarily”. Finally, the contribution of experts and civil society organisations is extremely important, as gaps and possible omissions can be identified and corrected before the final implementation.
*Giannis Konstantinidis (CISSP, CIPM, CIPP/E, ISO/IEC 27001 & 27701 Lead Implementer) is a cybersecurity consultant and member of Homo Digitalis since 2019.
We co-sign a CSO Open Letter on the proposed GDPR Procedural Regulation
As the trilateral negotiations at the EU level continue regarding the proposed regulation on additional procedural rules for the enforcement of the GDPR, we, together with European Digital Rights and 34 other Civil Society organizations, join our voices in an open letter to lawmakers!
We urge them to prioritize strong enforcement mechanisms that ensure individuals can effectively exercise their rights while highlighting the systemic weaknesses in the enforcement of GDPR provisions.
Read the open letter here.
Interview of Our President at Women in Digital
Elpida Vamvaká, President of Homo Digitalis and General Legal Counsel at Papaki, spoke to Women in Digital about the need to protect digital rights in Greece, the importance of technology that places people at the center, and the ways in which artificial intelligence can operate responsibly and ethically.
With a focus on the challenges of cybersecurity, the importance of education, and the promotion of gender equality in the tech field, Elpida highlights her vision for a fair, sustainable, and inclusive digital society in her interview. You can read her interview here.
Women In Digital is the editorial and conference initiative of Smarpress. The foundation was laid with the first Women In Digital conference on 8/3/21, where 40 prominent “strong women” from Technology, IT, Startups, and Digital Marketing took the stage. Readers can follow the content through the monthly newsletter or the dedicated website. WID draws its topics from the work of women, both Greek and international, who are active in the STEM sector or apply their digital skills in more traditional fields.
The Hellenic Data Protection Authority Investigates DeepSeek
In a letter addressed to Homo Digitalis on February 5, following our January 30, 2025 request, the Audit and Security Department and the rapporteur auditor, Ms. F. Karvela, informed us that the Authority “has already initiated an ex officio investigation into the companies Hangzhou DeepSeek Artificial Intelligence Co., Ltd. and Beijing DeepSeek Artificial Intelligence Co., Ltd., in accordance with the provisions of Articles 57(1)(a), 58(1)(b) of the GDPR and Articles 13(1)(h) and 15(1) of Law 4624/2019.”
We eagerly await further information regarding the HDPA’s ex officio investigation, the progress of the procedure, and any developments in this case in the near future.
Press Release: DEMOCRACY WITH NO AIR: The State of the Rule of Law in Greece Today
On Tuesday 4 February, a Press Conference on the current state of the Rule of Law in Greece was successfully held at the Athens Bar Association with a significant turnout. The event was organised by the independent organisations Greek Council for Refugees (GCR), Hellenic League for Human Rights (HLHR), HIAS Greece, Homo Digitalis, Refugee Support Aegean (RSA), Reporters United, Solomon, and Vouliwatch.
You can watch the Press Conference here.
We warmly thank omniatv for organising and hosting the event.
The event was moderated by journalist Natasa Giamali. Representatives of the collaborating organisations presented the main points of the joint report submitted for the third consecutive year to the European Commission on the Rule of Law in Greece in 2024. This submission is part of the Commission’s annual review of national systems.
The speakers emphasised the key systemic issues undermining the Rule of Law in Greece. These issues, coupled with the growing authoritarianism in politics and attacks on human rights, cast a dark shadow over democracy, posing significant threats.
The urgency of the organisations’ call to the European Commission was also highlighted, pressing for a shift in its approach and the need to focus not on the state’s “commitments” or “intentions” but on the accurate depiction of the situation in the country. Systematic violations of the fundamental principles of the Rule of Law must not be treated as isolated incidents.
Alexandros Mantzoutsos, Counselor and former Vice President of the Athens Bar Association, delivered a brief greeting.
Key presentations of the report
Stefanos Loukopoulos, Director of Vouliwatch:
“When the State itself undermines principles, procedures, and institutional counterweights through authoritarianism, impunity, and legal inconsistency, it fuels citizens’ distrust in institutions and leads, with mathematical certainty, to societal authoritarianism, with incalculable consequences for the future of Democracy.”
Minos Mouzourakis, lawyer at Refugee Support Aegean (RSA):
“There is a common thread connecting the Tempi train crash, the Pylos shipwreck, the wiretapping of politicians and journalists, the violent disappearances of refugees in Evros and the Aegean, and police brutality: the inability of the Greek justice system to fulfil its duty to attribute responsibility for arbitrariness and criminal offences perpetrated by the state.”
Additional statements from representatives of the other organisations
Alexandros Konstantinou, Lawyer, Greek Council for Refugees (GCR):
“Recently, the European Court of Human Rights found for the first time the ineffectiveness of the Greek criminal justice system in investigating pushback cases (A.R.E. v. Greece, Judgment of 7 January 2025). These cases, involving unlawful actions by state authorities, strike at the core of the Rule of Law. This finding by the Court comes at a time when issues of accountability and justice are central to public discourse and should seriously concern all relevant state bodies, including the Greek Judiciary.”
Elli Kriona-Saranti, Lawyer, HIAS Greece:
“The trend of abusive criminalisation of migrants, human rights defenders and lawyers as smugglers persists, despite continued objections from national, international and European human rights bodies.”
Thodoris Chondrogiannos, Journalist, Reporters United:
“The wiretapping scandal highlights the systemic flaws in the Rule of Law amidst systematic violations of the constitutionally guaranteed confidentiality of communications: Government attacks against the President of ADAE, judicial harassment of its members, the violation of the enhanced majority requirement of the Conference of Presidents of Parliament (⅗) for replacing ADAE members and preventing sanctions against the National Intelligence Service (EYP), the obstruction of investigating the joint EYP-Predator center, and the ‘legalisation’ of surveillance against ministers, politicians, journalists, and military officials, the violation of the obligation of EYP to immediately inform ADAE, and lawsuits against journalists.”
Danai Maragoudaki, Journalist, Solomon:
“The excessive concentration of major media outlets in the hands of a few powerful business-people, the interdependence of the media, the state, and the banks, and the inability of regulatory authorities to ensure the necessary level of transparency create a suffocating operating environment that undermines not only pluralism but democracy as a whole in the country.”
Katerina Pournara, Lawyer, Vice President of the Hellenic League for Human Rights (HLHR):
“In a period when trust in democratic institutions is shaken by incidents such as the Tempi train crash and the Pylos shipwreck, unreasonable and unlawful police violence not only threatens individual freedoms but also undermines democracy, fostering the authoritarianism of state institutions.”
Lamprini Gyftokosta, Director of Human Rights & Artificial Intelligence, Homo Digitalis:
“The protection of personal data is a fundamental right and a critical issue for democracy and transparency in our country. The fines imposed by the Data Protection Authority, amounting to €775,000 on three Ministries in 2024 alone, highlight the non-compliance of state bodies with existing legislation, undermining the Rule of Law and deepening citizens’ mistrust in institutions.”
Request of Homo Digitalis before the Hellenic Personal Data Protection Authority (HDPA) to Investigate Deepseek: Our Statements in the Newspaper "Kathimerini"
On Thursday, November 30th, Homo Digitalis submitted a request (reference number 865/30-01-2025) to the Hellenic Personal Data Protection Authority (HDPA), asking for the exercise of its investigative powers regarding the use of the Deepseek platform by data subjects within the Greek territory, in accordance with Article 58 of the General Data Protection Regulation (GDPR). The request is available here (EL).
In recent days, the Deepseek platform has become particularly popular among users within the Greek territory due to related media publications. Supervisory authorities from other EU member states, such as the Italian and Irish supervisory authorities, have already made significant interventions to limit the use of the platform. This is because, based on the data processing practices taking place and the way they are described in its Privacy Policy, serious challenges to the protection of users’ personal data are apparent.
In the request we submitted, we are asking the HDPA, in accordance with Article 58(1)(a) and Article 58(2)(f) of the GDPR, to instruct the data controllers, namely Hangzhou DeepSeek Artificial Intelligence Co., Ltd. and Beijing DeepSeek Artificial Intelligence Co., Ltd., to provide all the information necessary to perform its duties in order to clarify the challenges to the rights of the data subjects we highlight in our submission. Furthermore, we request the HDPA to immediately impose restrictions on the processing of personal data of users within the Greek territory by the Deepseek platform, temporarily prohibiting its availability and use in the Greek market.
Today, Sunday, February 2nd, our statements are also featured in an article by journalist Giannis Papadopoulos in the Sunday edition of the newspaper “Kathimerini,” which provides a detailed description of the related developments, including statements from Professors Thodoris Christakis, Dimitris Papaheliopoulos, Vasilis Vlahos, and security researcher Dimitris Siatiras. We sincerely thank the journalist for his interest in our actions! For Homo Digitalis, comments were provided by Eleftherios Chelioudakis. You can read this press coverage online here.
Statements from Homo Digitalis in an article by Reporters United, Investigate Europe & EfSyn on the AI Act
Following the investigation and related revelations carried out last week by Reporters United, Investigate Europe, and EfSyn regarding the trilateral meetings on the AI Act and the negative stance of the Greek government on the security safeguards for biometric identification at a later stage, journalist Eurydice Bersi highlights today, in a new report, how various state bodies have for years been systematically violating the security safeguards that European data protection legislation provides for the artificial intelligence systems already in use in our country.
We sincerely thank the journalist for her interest in our related actions and for the opportunity to provide some brief comments on the challenges we have identified and the lack of compliance that has been evident over time. Our statements were provided by Eleftherios Chelioudakis.
In fact, as part of the journalists’ investigation, a request for access to information has already been submitted, calling on the Greek government to disclose the documents with its positions on the trilateral meetings!
You can read the related article and their detailed investigation here.
Open Letter to the President of the European Commission to Stand Up Against Big Tech Companies
Over 40 civil society organizations, across the EU and the US, have an urgent message for the European Commission and President Ursula von der Leyen. Now is the time to stand up to the bullying by Big Tech companies and their allies in the Trump administration.
Europe must commit to strong enforcement of the DSA, DMA regulations, and other digital laws to protect people, our democracy, and our economy!
Read our open letter here.
Invitation to Press Conference: DEMOCRACY WITH NO AIR: The State of the Rule of Law in Greece Today
Illegal pushbacks, police violence, Pylos shipwreck, wiretapping scandal, Tempi train crash, absence of accountability and delivery of justice, poor law-making, “omnibus” legislation, constant and irrelevant legislative amendments, shrinking press freedom, attacks and lawsuits against journalists, concentration of media ownership, state breaches of personal data, corruption, lack of transparency in gifts to political figures and ministerial staff…
These are just some of the critical issues affecting the Rule of Law in Greece today, at a time when authoritarian politics, the re-election of Donald Trump, the rise of the far-right, growing social inequality, the dominance of populism in public discourse and attacks on human rights cast a dark shadow over democracy.
In light of these developments and the ongoing weakening of institutions in Greece, Greek Civil Society leads a pressing fight to safeguard the Rule of Law and to strengthen transparency and accountability.
Independent organisations Greek Council for Refugees (GCR), Hellenic League for Human Rights (HLHR), HIAS Greece, Homo Digitalis, Refugee Support Aegean (RSA), Reporters United, Solomon, and Vouliwatch, submitted for a third consecutive year a joint report to the European Commission on the Rule of Law in Greece in 2024, as part of the annual monitoring of national systems.
We demand a clear shift in the European Commission’s approach, focusing not on “commitments” or “intentions” of the state but on an accurate depiction of the situation in the country. Systematic violations of fundamental principles of the Rule of Law cannot be treated as isolated incidents.
We invite you to the Press Conference, which will take place on Tuesday 4 February at 11:00 a.m. at the Athens Bar Association. During the event, we will present our contribution and publish the report we submitted to the European Commission.
SPEAKERS
A welcome address will be delivered by the Vice President of the Athens Bar Association, Alexandros Mantzoutsos.
The report will be presented by:
Stefanos Loukopoulos | Vouliwatch
Minos Mouzourakis | RSA
Short interventions by:
- Lambrini Gyftokosta | Homo Digitalis
- Elli Kriona-Saranti | HIAS
- Alexandros Konstantinou | GCR
- Danai Maragoudaki | Solomon
- Katerina Pournara | HLHR
- Thodoris Chondrogiannos | Reporters United
The event will be moderated by journalist Natasa Giamali (MEGA TV).
Tuesday, 4 February | 11:00 AM – 1:00 PM | Athens Bar Association (60 Akadimias St., Athens)
The Press Conference will be held in Greek.