Data Sovereignty and Trusted Online Identity – COVID-19 Vaccination Data – WS 03 2021


29 June 2021 | 12:15-13:15 CEST | Studio Trieste | Video recording | Live transcription
Consolidated programme 2021 overview / Day 1

Proposals: #10 #21 #92

You are invited to become a member of the session Org Team! By joining an Org Team, you agree to your name and affiliation being published on the respective wiki page of the session for transparency. Please subscribe to the mailing list to join the Org Team and answer the email that will be sent to you requesting your subscription confirmation.

Session teaser

Data Sovereignty and Trusted Online Identity – COVID-19 Vaccination Data

Online identities are the key to many digital services. Identification is essential to everything from identifying with health or government services, to traveling, to participating in social media. But who should control those IDs, and how can we limit the personal data exchanged to the minimum that is needed for the services?

Using the concrete example of COVID-19 vaccination data, we will discuss possible approaches regarding who should be in control of the data – private companies, government, or citizens – in different scenarios.

Session description


Online identities are the key to many digital services. From identifying with health or government services to managing a bank account or just participating in social media, from paying taxes to buying goods, identification is essential for end-users and consumers. But who should control those IDs, and how can we limit the personal data exchanged to the minimum that is needed for the services? The recent discussions about vaccination passports have highlighted that this question is at the center of the current debate. There are 3 approaches that we would like to discuss here:

Scenario 1: Private companies lead the effort. Private tech companies provide us with secure electronic identification including two-factor security and biometric verification. However, this raises many privacy and data-sovereignty concerns. For example, the Swiss people recently voted against an eID-law that would have allowed private companies to control access to government services.

Scenario 2: Government leads the way with a centralized public key infrastructure (e.g., EU-eIDAS). The EU-eIDAS regulation (as well as the Swiss ZertES law) long ago established electronic identification based on a centralized public key infrastructure (PKI) that has reached very high adoption rates in some countries (e.g., Estonia) and low adoption rates in other countries (e.g., Germany).

Scenario 3: Hand some control to citizens (e.g., European Self Sovereign Identity Framework [ESSIF]). The EU Commission has developed the European Self Sovereign Identity Framework (ESSIF), which hands some of the control back to citizens rather than to a centralized government service or to private tech companies.

Discussants from each of the stakeholder groups will kick off a conversation that will involve everyone, and by the end we will hopefully all have a fuller understanding of the possibilities and limitations of various paths forward.



The session will have four discussants who will have 4-5 minutes each to speak, followed by a discussion of the topic among discussants and attendees. Discussants represent a variety of actors (European Institutions, Companies, Users) with crossover experience in many cases, in the hopes of creating a rich discussion that takes into account the different views and circumstances of each stakeholder.

Further reading

Ethically Aligned Design: Ethically Aligned Design, First Edition is a comprehensive report that combines a conceptual framework addressing universal human values, data agency, and technical dependability with a set of principles to guide A/IS creators and users through a comprehensive set of recommendations.

The following chapter on Personal Data and Individual Agency would be of particular interest.



Focal Point

Focal Points take over the responsibility and lead of the session organisation. They work in close cooperation with the respective Subject Matter Expert (SME) and the EuroDIG Secretariat and are kindly requested to follow EuroDIG’s session principles.

  • Kristin Little, IEEE
  • Miguel Pérez Subías, Internet Users Association

Organising Team (Org Team)

List Org Team members here as they sign up.

Subject Matter Experts (SMEs)

  • Polina Malaja
  • Jörn Erbguth

The Org Team is a group of people shaping the session. Org Teams are open and every interested individual can become a member by subscribing to the mailing list.

  • Kristin Little, IEEE
  • Vittorio Bertola, Open-Xchange
  • Concettina Cassa, AgID
  • Constance Weise, IEEE
  • Amali De Silva-Mitchell, Dynamic Coalition on Data Driven Health Technologies / Futurist
  • Miguel Pérez Subías
  • Lucien Castex
  • Jutta Croll

Key Participants

Key Participants are experts willing to provide their knowledge during a session – not necessarily on stage. Key Participants should contribute to the session planning process and keep statements short and punchy during the session. They will be selected and assigned by the Org Team, ensuring a stakeholder-balanced dialogue that also considers gender and geographical balance. Please provide short CVs of the Key Participants involved in your session at the Wiki or link to another source.


Clara Neppel - IEEE (Confirmed)

Senior Director European Operations

Dr. Clara Neppel is responsible for the growth of IEEE’s operations and presence in Europe, focusing on the needs of industry, academia, and government. She serves as a point of contact for initiatives with regard to technology, engineering, and related public policy issues that help to implement IEEE’s continued global commitment to fostering technological innovation for the benefit of humanity. She contributes to issues regarding the technology policy of several international organizations, such as the OECD, European Commission, and Parliament or the Council of Europe. Dr. Neppel holds a Ph.D. in Computer Science from the Technical University of Munich and a Master in Intellectual Property Law and Management from the University of Strasbourg.


Cecilia Alvarez - Facebook (Confirmed)

EMEA Privacy Policy Director

Cecilia Álvarez Rigaudias has been the EMEA Privacy Policy Director at Facebook since March 2019. From 2015 to 2019, she served as European Privacy Officer Lead of Pfizer, Vice-Chair of the EFPIA Data Protection Group and Chairwoman of IPPC-Europe. For an interim period, she was also the Legal Lead of the Spanish Pfizer subsidiaries. She formerly worked for 18 years in a reputed Spanish law firm, leading the data protection, IT and e-commerce areas of practice as well as the LATAM Data Protection Working Group.

Cecilia was the Chairwoman of APEP (Spanish Privacy Professional Association) until June and is currently in charge of its international affairs. She is also the Spanish member of CEDPO (Confederation of European Data Protection Organisations) and a member of the Leadership Council of The Sedona Conference (W-6).

She is a member of the Spanish Royal Academy of Jurisprudence and Legislation in the section of the Law on Technologies of the Information and the Knowledge as well as Arbitrator of the European Association of Arbitration (ITC section).

She formed part of the Volunteer Group of Privacy Experts of the OECD (Working Party on Information Security and Privacy; WPISP) in charge of the 2013 review of the OECD guidelines governing the protection of privacy and transborder data flows of personal data. She formerly participated in the Group of Experts selected by the Spanish DPA to prepare the Madrid Resolution on International Privacy Standards in 2009.

Cecilia has written numerous publications on data protection and regularly lectures on data protection, IT and e-commerce at different Master’s programmes and seminars.

Nishan Chelvachandran - Iron Lakes (Confirmed)

Founder and CEO, Iron Lakes;

Chair, Trustworthy Technical Implementations of Children’s Online/Offline Experiences Industry Connections Programme, IEEE Standards Association

Co-Chair, AI-Driven Innovations for Cities and People Industry Connections Programme, IEEE Standards Association

Nishan Chelvachandran is the Founder of Iron Lakes (Finland), a cyber impact consultancy specialising in providing expertise from the conflux of technology and humanity, with clients and partners from across the world, ranging through private business, NGOs and Governments. He is also a Director at Future Memory Inc (Canada); a creative and speculative design consultancy that pressure tests and anticipates undesirable futures to avoid harmful, unethical or negative consequences. He is a High-Level cybersecurity adviser, strategist, published author, researcher, and former UK Police Officer, with years of experience built on the strong foundations of bespoke operational activity in the UK Public Sector. Nishan spent 6 years as one of the UK National leads for Diversity in Policing, driving equity throughout the Police in the UK.

Nishan specialised in fields such as Digital Transformation, Digital Intelligence Forensics, Cybercrime, Cyberoperations and Cyberwar, Surveillance, and Intelligence. Nishan’s research interests include Big Data keyword and behavioural analytics, jurisdictional and legislative affairs relating to cyber-operations and cyber-warfare, ethical frameworks for mass and automated data surveillance, profiling and decision-making, IoT, AI and its ethical and responsible use and design, and Data Use and Privacy. He is an advisor in AI Commons, and an Ambassador for the Xprize Pandemic Alliance. He is actively engaged in the Cybersecurity and Impact Tech Space. A thought leader in the Cyber sector, he is actively driving the UN’s Sustainable Development Goals agenda and initiatives involving AI for Good.

Nishan is also on the Fellowship Council at the RSA (Royal Society of Arts, Manufactures and Commerce), and a Special Advisor to the British & Commonwealth Chambers of Commerce in Finland.

Pēteris Zilgalvis - European Commission (Confirmed)

Head of Unit, Digital Innovation and Blockchain, Digital Single Market Directorate, DG CONNECT;

Co-Chairman of the European Commission Task Force on Financial Technology

Pēteris Zilgalvis, J.D. is the Head of the Startups and Innovation Unit at the Directorate General Communications Networks, Content and Technology (DG-Connect). He is also Co-Chairman of the European Commission Task Force on Financial Technology. He was the Visiting EU Fellow at St. Antony’s College, University of Oxford for 2013-14, where he is a Senior Member and Associate of the Political Economy of Financial Markets Programme. From 1997 to 2005, he was Deputy Head of the Bioethics Department of the Council of Europe, in its Directorate General of Legal Affairs. In addition, he has held various positions in the Latvian civil service (Ministry of Foreign Affairs, Ministry of Environment).

Previously, he was Senior Environmental Law Advisor to the World Bank/Russian Federation Environmental Management Project and was Regional Environmental Specialist for the Baltic Countries at the World Bank. He has been a member of the California State Bar since 1991, completed his J.D. at the University of Southern California, his B.A. in Political Science Cum Laude at UCLA, and the High Potentials Leadership Program at Harvard Business School. A recent publication of his is “The Need for an Innovation Principle in Regulatory Impact Assessment: The Case of Finance and Innovation in Europe” in Policy & Internet.

Remote Moderator

Trained remote moderators will be assigned on the spot by the EuroDIG secretariat to each session.


Reporters will be assigned by the EuroDIG secretariat in cooperation with the Geneva Internet Platform. The Reporter takes notes during the session and formulates 3 (max. 5) bullet points at the end of each session that:

  • are summarised on a slide and presented to the audience at the end of each session
  • relate to the particular session and to European Internet governance policy
  • are forward looking and propose goals and activities that can be initiated after EuroDIG (recommendations)
  • are in (rough) consensus with the audience

Current discussion, conference calls, schedules and minutes

See the discussion tab on the upper left side of this page. Please use this page to publish:

  • dates for virtual meetings or coordination calls
  • short summary of calls or email exchange

Please be as open and transparent as possible in order to allow others to get involved and contact you. Use the wiki not only as the place to publish results but also to summarize the discussion process.


Next meeting of the working group on Friday 23 April at 18:00 CEST.

Items we will be taking care of leading up to the meeting:

  • Confirm speakers
  • Confirm 100% online
  • Add information to wiki on our invited speakers as we find out who is confirmed.


  • The use of data and authentication methods is proliferating, but legal frameworks for data governance need to rapidly address the concerns of governments, the private sector, and citizens.
  • Privacy, security, and sovereignty concerns are deepening against the background of the COVID-19 vaccination certification process.
  • In designing authentication frameworks we should bring to the table all proposals from both the public and private sectors, and from citizens themselves.
  • It is important for a citizen to know how their data is used, stored, and secured: what are the stages, who has access at each particular point.
  • Citizens should have a choice to control how their data is used by different entities in a centralised or a decentralised manner.
  • Both the public and private sectors should work to develop a better visualisation of authentication frameworks comprehensible by citizens.
  • In developing innovative identification and authentication governance frameworks, we should keep in mind interoperability issues in order to ensure consistency in technology standards for the normalisation of data, while including consented use of such data.

Find an independent report of the session from the Geneva Internet Platform Digital Watch Observatory at

Video record


Will be provided here after the event.