Businesses and governments are beginning to recognize the critical importance of online identity management, as previously reported
, and as a result we are starting to see a strong push for legislation governing this topic. At least two jurisdictions have enacted significant identity management legislation within the past year, and in July 2015 the United Nations Commission on International Trade Law (“UNCITRAL”) approved a project to develop international legal rules to facilitate cross-border online digital identity management.
Key to online identity management is building a legal framework of predictable and enforceable rules designed to ensure proper functioning and trustworthy identity systems. Much like the Visa or MasterCard rules that govern credit card systems, identity system rules will ideally provide a structure to govern the operation of an identity system. They include the technical specifications and operational rules and requirements necessary to make the system functional and trustworthy, and the legal rules that define the rights and legal obligations of the parties and facilitate enforcement where necessary.
The source and content of those rules, and the method of assuring each participant that all of the other participants are following those rules, have provided some of the key challenges for developing economically viable identity systems. Consequently, there has recently been a great deal of legislative activity in this area. But as might be expected, the EU and the U.S. are pursuing somewhat different approaches.
The EU took the lead, beginning with the July 2014 adoption of its eIDAS Regulation, to address federated identity transactions. The EU eIDAS Regulation focuses on identity systems that issue credentials for use in online transactions with public sector bodies. Its key goal is mutual recognition of such credentials in cross-border public sector transactions – i.e., to enable individuals who have an identity credential issued in one EU member state to use that same credential to access online public services in another member state.
The eIDAS Regulation does not require that identity systems be government-operated. Accordingly, credentials issued by an EU member state, under a mandate from the member state, or independently of the member state (e.g., by the private sector) but recognized by the member state, are all acceptable. However, they must also comply with the applicable technical specifications, standards, and procedures regarding assurance levels set out in the implementing act currently being developed. And the Regulation holds member states and identity providers liable for damage caused by a negligent failure to comply with its obligations under the Regulation.
A few months after the EU Regulation was adopted, the state of Virginia became the first U.S. state to adopt rules by enacting its own Electronic Identity Management Act, which can be found here and here. That legislation, which took effect on July 1, 2015, takes a very different approach. It provides for the creation of a Virginia Identity Management Standards Council, which is tasked with developing Identity Management Standards. And unlike the EU approach, the Virginia statute grants immunity from civil liability to trust framework operators and identity providers that comply with the requirements of those Identity Management Standards. It also provides for the regulation of identity management trustmarks designed to evidence trustworthy systems.
These legislative initiatives represent very divergent approaches. Yet there is a general recognition that identity management is a global issue, and that interoperability across national boundaries is critical. Accordingly, in the spring of 2015 the American Bar Association Identity Management Legal Task Force, and the countries of Austria, Belgium, France, Italy, and Poland (with support from the EU Commission), all submitted proposals to UNCITRAL recommending that it undertake a project to develop “a basic legal framework covering identity management transactions, including appropriate provisions designed to facilitate international cross-border interoperability.” At its July 2015 meeting UNCITRAL agreed to move forward with such a project.
As we saw with its prior work in the area of electronic commerce, UNCITRAL provides an international forum capable of developing a harmonized set of globally accepted rules governing identity management. Such rules can be adapted domestically by countries to promote a universal approach to identity management law, and can also be extended globally (to facilitate cross-border identity transactions) through an international convention.
Given the cross-border nature of e-commerce and associated identity management requirements, and in light of the level of interest in identity management legislation to facilitate the development of a trustworthy identity management ecosystem, it is important that new legislative efforts adopt appropriate approaches and are sufficiently harmonized so that such legislation does not present a barrier to the use of identity in online transactions.
Thomas J. Smedinghoff is Of Counsel in Locke Lord’s Chicago office. He can be reached at firstname.lastname@example.org.