On June 11, the Dutch Data Protection Authority commented on eID (source document in Dutch), a proposed new standard for online identification for access to both corporate and government services. The authority expressed concerns about the shared responsibility and accountability for the platform and noted that the Data Protection Act requires the appointment of a single responsible party.
At the beginning of the year 2016 the test phase of the implementation of the Public System of the Digital Identity (SPID) started. By this System all Italian citizens, enterprises and organizations will have a digital identity, allowing them to dialogue with a unique identity with the Public Administration. A campaign on the national TV is accompanying the test phase. The agreements with the three national identity providers - Poste Italiane (Italian Postal Service); Infocert and TIM – have been signed. The regulations have been corrected taking into account the requests of the Data Protection National Authority.
The Municipality of Venice and that of Florence are among the municipalities involved. The test phase – started on March 15 2016 - involve also: six Italian Regional Governments – Emilia Romagna, Friuli Venezia Giulia, Liguria, Marche, Piemonte, Toscana; three important Public Administration bodies – INAIL, Agenzia delle Entrate (Agency for Taxation), INPS. All in all 401 services will be available digitally.
The SPID Road Map foresees that by the end of 2017 all Italian citizens will have a digital identity. One of the important issue of the spread of SPID concern the development of the digital skills and competences of citizens. Public administration bodies will have 24 months for joining the SPID system. The start of SPID was accompanied by a debate among involved stakeholders and opinion leaders on various issues. The first one is the privacy of citizens, also taking into account the fact that identity provider also provide services for thousands of users: SPID is in line with eIDAS and with the Italian Code of Privacy, but there is the concern on the absence of explicit mention of the respect of principle of aim to which the personal data are collected and stored (risks of profiling). The second one is the fact that are allowed to act as identity provider only big enterprise; the third one is about the security of data.