Personal mobile government – mixing legal frameworks to build privacy and control

The central objective of the mGov4EU project is to facilitate the use of inclusive mobile Government services in Europe. In order to do so, solutions are being created that allow citizens to take control over their personal data, by managing it on their own trusted mobile devices. They can choose to keep or delete their personal information, to keep it to themselves or to share it, and to make it accessible to public administrations when they want to.

On the surface, mGov4EU may seem to be a legal compliance dream, since it ticks all the right boxes. Citizens manage their own personal data safely and transparently, precisely as European data protection law – notably the well-known GDPR – would have it. They have reliable tools to identify themselves and to sign documents in a trustworthy manner, as envisaged by the eIDAS Regulation that covers these topics. And document exchanges with public administrations are enabled only at the citizen’s individual request, in accordance with the European rules on once-only data exchanges in the Single Digital Gateway Regulation (SDGR). What’s not to love?

And yet, mGov4EU has some challenging legal knots to untie as well. Principally, these relate to the paradigm shift that’s introduced by putting information squarely in the hands of the citizens. In traditional e-government transactions, information remains firmly under the control of public administrations. Citizens may be able to get extracts, certificates, attestations and so forth for the purposes of specific procedures; but at the root of traditional e-government, public administrations act as data controllers, and as stewards of their citizens’ data. While this approach is perhaps slightly (and certainly unintentionally) patronising, it does have the benefit of ensuring that citizen data is in the hands of an organisation that should, in principle, be able to protect it – at least better than most citizens can.

Even the much more innovative information exchanges envisaged by the SDGR don’t fundamentally challenge that logic. The SDGR requires data to be exchanged directly between public administrations in certain e-government services, at the citizen’s request. The citizen is to some extent in control, in the sense that they must request the exchange before it can happen, and can even validate the information to be exchanged before it is sent. But the information fundamentally passes from one governmental body to another – an exchange from one controller to the next, with the citizen acting as a gatekeeper, but not as the holder of their own data.

And this is precisely where mGov4EU creates new possibilities, but also new challenges. The standard SDGR data flow doesn’t involve mobile devices, let alone data being held permanently by a citizen. Allowing citizens to keep their own data on their own device creates a lot of new options, but also raises a lot of new questions. Who determines which information will be stored on a phone? How can we be sure that the data is safely protected against theft while on the phone? Should all smartphones be supported? Should we validate the identity and competences of aspiring recipients of data? And how do we secure the exchanges between the different stakeholders?

All of these are critical questions to be examined in the course of mGov4EU. The answers will bring innovations and advances compared to the status quo. In order to execute the project in accordance with the EU’s high standards for data protection – including the principles of data protection by design and by default, as required by the GDPR – mGov4EU will have to ensure that sufficient protection capabilities are built into the application itself, and into the information exchanges enabled by the project. A naïve assumption that simply requires citizens to exercise their own diligence, and places all responsibility and risk squarely on their shoulders, would certainly be inadequate.

mGov4EU does not stand alone in examining this shift, however. After the project was initiated, a new legislative proposal was published, this time aiming to amend the eIDAS Regulation. One of the innovations it included was a legal framework for a mobile identity wallet, allowing citizens to securely store and manage their data. If that sounds familiar, that’s principally because the winds are blowing in a common direction: towards a digital and mobile environment that places greater data stewardship with the citizens themselves. Clearly, mGov4EU has a bright future ahead of it!

mGov4EU mobilises European eGovernment

With the practical implementation of the “eIDAS regulation”, which has been fully applicable since July 2016, the European Union has made great strides in recent years in successfully simplifying the cross-border online identification process for citizens. In addition, in December 2020 a first part of the “Single Digital Gateway (SDG)” regulation for the establishment of a uniform digital access gate for administration in the EU came into force. After all, there is an unbroken trend towards the mobile and self-determined use of administrative services: Today, citizens expect eGovernment services to always be conveniently usable via smartphone. Against this background, the mGov4EU (“Mobile Cross-Border Government Services for Europe”, https://mGov4.EU) project, funded by the European Union as part of the Horizon 2020 research and innovation program, has recently started to enable mobile cross-border administrative services in Europe. The project is open to further pilot partners and cordially invites you to participate.

The mGov4EU project assembles leading European experts from government, business and science located in Austria, Belgium, Estonia, Germany, and Spain, to enable secure and privacy-friendly mobile government services across Europe. mGov4EU will put the citizen at the center of the considerations and offer them new, secure and privacy-protecting options for managing their identity and personal data – regardless of whether they or the eGovernment service are located in the home country or in another EU Member State.

mGov4EU combines eIDAS with a single digital gateway in a user-centric way

The regulatory framework for this project is provided by Regulation (EU) 2018/1724 establishing a Single Digital Gateway (the Single Digital Gateway Regulation, SDGR) for the cross-border provision of services, together with the eIDAS Regulation (EU) No. 910/2014 for cross-border electronic identification and trust services for electronic transactions in the internal market. The mGov4EU project puts the requirements of self-sovereign and mobile citizens at the center of the considerations and integrates the existing eIDAS ecosystem with the new Single Digital Gateway to create a user-friendly overall system.

Figure 1: The mGov4EU-System at a glance

Within the mGov4EU project, the existing and emerging possibilities of the eIDAS and SDG regulations will be used, and the principles of “once-only”, “digital-by-default” and “mobile-first” will be implemented in practice. After user-friendly mobile identification and explicit approval by the user, it will be possible to access data that is already available, so that the time-consuming filling out of complex forms can be dispensed with as far as possible. Through the consistent use of the technologies available in modern smartphones, the solutions targeted in mGov4EU are expected not only to meet the highest security and data protection requirements, but also to offer excellent user-friendliness. The mGov4EU project aims at providing basic building blocks for secure and mobile eGovernment services that can be used throughout Europe and beyond. These modules will be tested in selected pilot applications in the fields of electronic voting, smart mobility and, last but not least, mobile signature, before they are made available to a broader group of users. In this way, based on the mGov4EU developments, a trustworthy federation of collaborative eGovernment platforms can emerge, which facilitates the joint provision and reuse of available and easy-to-use public services.

The mGov4EU project is carried out by an interdisciplinary team of experts

The mGov4EU project is fully funded by the EU research and innovation program Horizon 2020 with a budget of 3.9 million Euro. The mGov4EU project assembles top-class, internationally experienced, interdisciplinary experts from administration, business and science. In addition to the TECHNIKON Forschungs- und Planungsgesellschaft mbH as coordinator, the Center for Secure Information Technology Austria (A-SIT together with A-SIT Plus GmbH), Danube University Krems, ecsec GmbH, the Fraunhofer-Gesellschaft zur Förderung der angewandten Forschung e.V., go.eIDAS Association, Graz University of Technology, Scytl Election Technologies, TIMELEX and the University of Tartu work on this project.

During the three-year project period, several mGov4EU pilot applications will be designed and implemented in order to validate the solution modules and infrastructure services provided. The pilot applications include electronic voting, smart mobility based on subsidised taxi rides and mobile signature. Interested authorities across Europe are cordially invited to contact the mGov4EU project in order to participate in these pilot applications or to use the innovative technologies in their own applications at an early stage.