Federal Electronic Identification Services Act (EISA): a small yes, but a YES!

Rarely has an area as technical as the one put to the vote on March 7, 2010, prompted so many positions, often negative, in the media landscape, be it in the press or on social networks.

One argument often stands out: that of the sovereignty of the State. How can the Federal Council dare to give up its role and rely on a private entity to “manage” our identity? At a time when it is frequently used to influence opinions, fear is unfortunately often a bad advisor. The case in point is no exception to the rule.

Anyone naive enough to believe that the IT infrastructure on which the administration of public authorities is now largely based would be the sole result of internal developments within the administration.

To take an example, in January of this year, the Swiss Confederation signed a contract entrusting SAP (Suisse) SA with the management of its human resources, thus leaving the payment of salaries and the possible processing of sensitive data (such as maternity leave or sick leave) of several thousand federal civil servants to a private entity for ten years and more than 130 million Swiss francs. Don’t the Cantons do the same? The reality is that public authorities simply do not have the resources, either human or financial, to develop the necessary solutions. Recourse to private players is often the assurance of being able to benefit from standard solutions, from the developments implemented by suppliers drawn from their experience with hundreds or even thousands of customers, and from competent support. Wanting people to believe otherwise is tantamount to trying to deceive them. In fact, the Nordic countries have not hesitated to outsource their electronic identity management to private entities, and to my knowledge no scandal has ever occurred.

Truth is that to admit the principle of this outsourcing does not yet mean that it is in any case appropriate. In order to judge this in good conscience, one must still take the time to carefully read the bill submitted to a vote and the accompanying Message from the Federal Council. But what does this result in?

First of all, the fact that it is not intended to make the use of e-ID a compulsory instrument for citizens, but only with their consent, both when the e-ID is created and when it is first used. In other words, everyone is free to choose this alternative or not. Some object that the use of e-ID could quickly be required by private operators in transactions, thus making the use of e-ID mandatory in practice. Without being a fortune-teller, I have never yet seen a business forcing its customers to pay by credit card and refusing a payment by cash… It is therefore difficult to believe that e-ID will impose itself as the one and only possible means of identification.

Secondly, the fact that the data processed by private actors (referred to as “identity providers”) will be limited, since they will deal, depending on the level of identification desired, with the following data : (1) the e-ID registration number, first and last name and date of birth (low); (2) gender, place of birth and nationality (high), (3) a photograph (high). Is that all? Yes…with the reservation, it is admitted, of the e-ID usage data, which, however, will have to be deleted every six months.

It is therefore surprising to see the outcry in the media when we think of the number of data processed by private actors who are part of our daily landscape, such as credit card issuers or the various sites that require the creation of an account or a profile, all of which are events where everyone does not hesitate to share their data, without any control whatsoever over these entities, and without any indignation whatsoever being felt. As an example, the Cambridge Analytica scandal suffered by Facebook, Inc. in 2018 did not prevent the share price from rising over the years.

Unlike these examples, the federal law on electronic identification services sets up such controls. As an example, among those worthy of mention is the fact that : (1) the data must be processed in Switzerland; (2) the identity provider must be registered in the commercial register (and thus have a registered office in Switzerland); (3) the data must be used solely for identification purposes, to the exclusion of any marketing or disclosure to any other third party; (4) contracts concluded with users must be reviewed by the Federal Data Protection Commissioner; (5) accreditation must be reviewed every three years; and (6) technical and organizational measures must be imposed by the Confederation.

Such requirements are, needless to say, welcome. Admittedly, not everything is perfect. For example, the technical and organizational measures, i.e., security requirements, standards, and conditions for interoperability, will be the subject of ordinances by the Federal Council. Since these ordinances are not enacted and therefore not subject to a vote, they will have to be voted on without knowing their content. If the legislative technique is understandable, it is indeed regrettable to vote on a text whose fundamental points will in fact be regulated at the level of ordinances.

In the end, it all comes down to a matter of confidence. The system envisaged by the bill is in line with the system adopted at the EU level by Regulation 910/2014 on electronic identification, known as the eIDAS Regulation, and the one provided for by the National Institute of Standards and Technology (NIST) in the United States. One can legitimately think that the Federal Council will be able to draw inspiration from the requirements imposed abroad to adopt its own framework in this area (for example, ANSSI for France). The framework for electronic patient records, which is also more sensitive in terms of the data it contains, is also rich in experience.

Another question mark is that of costs, since these identity providers could charge for their services to users wishing to use e-ID. However, the project already foresees certain caveats, emphasizing that the identity providers will be considered “powerful” on the market within the meaning of the Federal Law on Price Supervision, and therefore subject to certain limits on the prices they can set.

In the end, although some points remain to be clarified, the fears raised seem largely unfounded if one takes the time to step back a little. There is only one real fear: that of continuing to see Switzerland, despite being trumpeted year after year as being at the top of the innovation rankings, falling further and further behind in its digitization. Weighing up the pros and cons, there is no room for doubt: it is indeed a small but confident YES that we will have to put into the ballot box this weekend.

Do you have questions about his topic?

Latest news from Wilhelm Gilliéron Avocats

activité accessoire et activité salariée en droit suisse
Labour law
Is it possible to have a secondary activity in parallel with your salaried activity and what do you have to keep in mind ?
Visuel LinkedIn
Company law
The transfer of capital contributions in a limited liability company and its particularities
Visuel LinkedIn
Labour law
Garden leave or no garden leave?

À propos de l’auteur

Avocat à Lausanne en droit suisse des affaires - Avocat Lausanne