Personal mobile government – mixing legal frameworks to build privacy and control

The central objective of the mGov4EU project is to facilitate the use of inclusive mobile Government services in Europe. In order to do so, solutions are being created that allow citizens to take control over their personal data, by managing it on their own trusted mobile devices. They can choose to keep or delete their personal information, to keep it to themselves or to share it, and to make it accessible to public administrations when they want to.

On the surface, mGov4EU may seem to be a legal compliance dream, since it ticks all the right boxes. Citizens manage their own personal data safely and transparently, precisely as European data protection law – notably the well known GDPR – would have it. They have reliable tools to identify themselves and to sign documents in a trustworthy manner, as envisaged by the eIDAS Regulation that covers these topics. And document exchanges with public administrations are enabled only at the citizen’s individual request, in accordance with the European rules on once-only data exchanges in the Single Digital Gateway Regulation (SDGR). What’s not to love?

And yet, mGov4EU has some challenging legal knots to untie as well. Principally, these relate to the paradigm shift that’s introduced by putting information squarely in the hands of the citizens. In traditional e-government transactions, information remains firmly under the control of public administrations. Citizens may be able to get extracts, certificates, attestations and so forth for the purposes of specific procedures; but at the root of traditional e-government, public administrations act as data controllers, and as stewards of their citizens’ data. While this approach is perhaps slightly (and certainly unintentionally) patronising, it does have the benefit of ensuring that citizen data is in the hands of an organisation that should, in principle, be able to protect it – at least better than most citizens can.

Even the much more innovative information exchanges envisaged by the SDGR don’t fundamentally challenge that logic. The SDGR requires data to be exchanged directly between public administrations in certain e-government services, at the citizen’s request. The citizen is to some extent in control, in the sense that he must request the exchange before it can happen, and can even validate the information to be exchanged before it is sent. But the information fundamentally passes from one governmental body to another – an exchange from one controller to the next, with the citizen acting as a gatekeeper, but not as the holder of their own data.

And this is precisely where mGov4EU creates new possibilities, but also new challenges. The standard SDGR data flow doesn’t involve mobile devices, let alone data being held permanently by a citizen. Allowing citizens to keep their own data on their own device creates a lot of new options, but also raises a lot of new questions. Who determines which information will be stored on a phone? How can we be sure that the data is safely protected against theft while on the phone? Should all smartphones be supported? Should we validate the identity and competences of aspiring recipients of data? And how do we secure the exchanges between the different stakeholders?

All of these are critical questions to be examined in the course of mGov4EU. The answers will bring innovations and advances compared to the status quo. In order to execute the project in accordance with the EU’s high standards for data protection – including the principles of data protection by design and by default, as required by the GDPR – mGov4EU will have to ensure that sufficient protection capabilities are built into the application itself, and into the information exchanges enabled by the project. A naïve assumption that simply requires citizens to exercise their own diligence, and places all responsibility and risk squarely on their shoulders, would certainly be inadequate.

mGov4EU does not stand alone in examining this shift, however. After the project initiated, a new legislative proposal was published, this time aiming to amend the eIDAS Regulation. One of the innovations included a legal framework for a mobile identity wallet, allowing citizens to securely store and manage their data. If that sounds familiar, then that’s principally because the winds are blowing in a common direction: towards a digital and mobile environment that places greater data stewardship with the citizens themselves. Clearly, mGov4EU has a bright future ahead of itself!