Verifiable credentials in the European legal landscape


Every so often, you encounter a solution to a problem you may not have realised existed in the first place. Verifiable credentials are a clear example, and one that seems likely to become a lot more popular in the coming years. That’s due in no small part to recent European initiatives.

What is the problem?

In the physical world, you frequently rely on paper documents to prove important things. Diplomas, birth certificates and driving licences are clear examples: they are all tied to you somehow, and say something about who and what you are.

Recreating them electronically is easy, at least in principle. A competent organisation creates an electronic version (a PDF, an XML document, or something equivalent), and signs it. Both the technology and the legal framework exist, and can be deployed without much of a problem.

Still, in practice things can be a lot harder. It can be challenging to tie the document to a specific person, since unique identification numbers aren’t always available, and are not always easy to verify. Moreover, how do you determine that the issuer who signed the document actually has any competence to do so? Anyone can create a digital signature, so how does a relying party validate the legal authority behind a document? These are the issues that verifiable credentials can resolve, with some data protection by default thrown in for good measure.

What are verifiable credentials, and how do they help?

Verifiable credentials have been around for some time already, and are even subject to a specific World Wide Web Consortium (W3C) Recommendation. Essentially, verifiable credentials are a digital equivalent to paper-based documents, which a holder can take with them, and present to any third parties that need to rely on them. The aforementioned examples – diplomas, certificates or licences – could all be issued as digital verifiable credentials.

Verifiable credentials are increasingly a hot topic, because the model ticks a lot of current boxes for user requirements. Beyond being inherently digital – a basic prerequisite today – they are also conducive to supporting data protection. A paper credential often contains far more information than is strictly necessary (such as extensive identity information relating to the holder). A verifiable credential, by contrast, can be made pseudonymous: it can merely confirm that a specific person in a transaction is, for example, an adult, or holds a certain qualification, without divulging identity information that isn’t strictly relevant to the context. It thus supports data protection by default, in a more flexible manner than analogue credentials.

Secondly, a verifiable credential enables verification, as its name already indicates. ‘Verifiable’ means that it is possible to determine the authenticity and integrity of the document, including exactly who the issuer is. This implies that a credential must be signed or sealed, and that a model is established to verify the legal authority of the issuer.
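
The check this paragraph describes, and the earlier question of how a relying party validates an issuer's authority, shown as an added example that is not part of the original article: a credential is accepted only if its issuer is listed in a trust registry for that credential type and the signature verifies under the key held in the registry. The registry layout, identifiers and result strings are assumptions, and a Lamport one-time hash signature stands in for an eIDAS signature or seal so that only the Python standard library is needed.

```python
import json, secrets
from hashlib import sha256

def keygen():
    # Lamport ONE-TIME signature key (stand-in scheme): sign one message per key.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(sha256(a).digest(), sha256(b).digest()) for a, b in sk]

def bits(msg):
    d = sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def sig_ok(pk, msg, sig):
    return len(sig) == 256 and all(
        sha256(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def canonical(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(issuer, sk, ctype, claims):
    body = {"issuer": issuer, "type": ctype, "claims": claims}
    return {"body": body, "proof": sign(sk, canonical(body))}

def verify(vc, registry):
    body = vc["body"]
    entry = registry.get(body["issuer"])
    if entry is None:
        return "unknown issuer"
    if body["type"] not in entry["may_issue"]:
        return "issuer not authorised for this type"
    # The key comes from the registry, never from the credential itself.
    if not sig_ok(entry["public_key"], canonical(body), vc["proof"]):
        return "bad signature"
    return "ok"

def demo():
    (uni_sk, uni_pk), (sch_sk, sch_pk) = keygen(), keygen()
    uni, sch = "https://university.example", "https://driving-school.example"  # constructed
    registry = {uni: {"public_key": uni_pk, "may_issue": {"Diploma"}},
                sch: {"public_key": sch_pk, "may_issue": {"DrivingLicence"}}}
    good = issue(uni, uni_sk, "Diploma", {"degree": "MSc"})
    forged = {"body": {**good["body"], "claims": {"degree": "PhD"}}, "proof": good["proof"]}
    return {"genuine": verify(good, registry), "tampered": verify(forged, registry),
            "out_of_scope": verify(issue(sch, sch_sk, "Diploma", {}), registry),
            "impersonated": verify(issue(uni, keygen()[0], "Diploma", {}), registry),
            "unregistered": verify(issue("https://rogue.example", keygen()[0], "Diploma", {}), registry)}
```

The `out_of_scope` case carries a cryptographically valid signature from a registered issuer and is still rejected, which is the difference between a signature that verifies and an issuer that is competent for the document.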

Finally, verifiable credentials are designed to support digital autonomy, or personal data sovereignty. While a credential still must be issued by a competent organisation, after its issuance the holder is no longer dependent on the issuer to use it. Like a paper-based credential, the holder can choose to present it to anyone they like. They can store it in a digital vault or personal identity wallet, and keep it as safely as they like. As such, verifiable credentials are also a cornerstone of some more advanced use cases, such as self-sovereign identities that allow a person to prove who they are without involving a third party in each transaction. They are also highly suitable for integration in blockchain-based digital identity models that further cement the immutability of the credentials or of each authentication session. In short, verifiable credentials are the right technology for today’s needs.

What are the rules in Europe?

Verifiable credentials thus far are not subject to specific legislation. Of course, when used in relation to natural persons, the provisions of the General Data Protection Regulation must be adhered to for the issuance, storage and usage of credentials. Moreover, the core concepts behind verifiable credentials are amply supported by Europe’s eIDAS Regulation, which governs electronic identification and certain trust services, including electronic signatures and electronic seals. On the basis of that Regulation, the reliability and legal value of the underlying identity information can be assessed, and the integrity and authenticity of the credentials can be determined.

Future initiatives may provide further support for verifiable credentials. The EU is already piloting infrastructure and use cases for verifiable credentials, via the European Blockchain Services Infrastructure (EBSI), combining credentials with ledger technology. Interest among some Member States is real as well, since the use of verifiable credentials is also being tested in the context of the Single Digital Gateway Regulation, an initiative that could see verifiable credentials become a building block for public sector documents in general.

And last, but by no means least, there is the expected modernisation of the eIDAS Regulation. Under the June 2021 Proposal for an Amendment of the eIDAS Regulation (sometimes referred to as the eIDAS 2 Regulation), a legal framework would be created for so-called ‘electronic attestations of attributes’, defined as an attestation in electronic form that allows the authentication of attributes. The concept is not limited to verifiable credentials, but certainly comprises them. The eIDAS 2 proposal would not only further support the creation and validation of such attestations, but would also allow them to be integrated into standardised European Digital Identity Wallets.

In that way, the legal predictability and usability of verifiable credentials could get an official EU fiat. And perhaps, many years down the road, we can finally stop worrying about which cardboard box we left our old diplomas in…

Do you have any questions and would you like an introductory meeting? Book a free 15-minute call with Hans at hans.lawyer.brussels (reserved for organisations).