The world is becoming more digital. Think about the last time you used physical cash—you probably can’t remember. In just a few years, we’ve shifted to digital cash, using plastic cards that hold large amounts of money. The European Commission is now taking this digital shift a step further, proposing to digitize passports. While this sounds like progress, it raises a key question: How can we protect people’s identities when everything is online?

A Logical Step Forward

The European Commission recently announced plans for digital passports. Lena Dupont, a member of the European People’s Party, explains, “Given what the Parliament and Commission accomplished in the previous term, it’s a logical proposal to further digitalize the continent. This would help streamline procedures and, for example, fast-track travel within the European Union.” The debate has never been about if digital passports would happen, but when.

[Interview audio European Commission]*1

Dupont calls the digital passport “a mosaic stone in the path towards a Digital Europe.” While the app alone won’t revolutionize the continent, it builds on initiatives like the e-ID and represents a significant step forward.

Concerns About Efficiency and Privacy

Not everyone welcomes the change. Ella Jakubowska, a digital rights expert, warns, “It’s very clear to us that this will only improve efficiency for some people. For those who don’t fit neatly into the system or are flagged as risky, it will be anything but efficient.”

She also points out a potential long-term issue: “While the app is currently presented as optional, it could become so efficient over time that the alternative—such as using a physical border officer—will become too difficult or inconvenient.” As a result, people may feel forced to adopt the app.

Strong Security Measures

To address privacy concerns, the European Commission emphasizes robust security measures. One of these is data minimization. Rob van Eijk, head of the Future of Privacy Forum in Brussels, explains: “At a border crossing, the app would share the traveler’s name, citizenship, and document validity, but withhold unnecessary details like height, eye color, or photograph.” This limits the amount of personal data exposed.

The Commission also highlights their use of strong encryption. “Appropriate safeguards, such as encryption of personal data and cybersecurity measures, will be employed by eu-LISA(*2) and the national authorities to prevent data leaks and breaches,” they stated. Additionally, they rely on Trusted Execution Environments (TEE*3). Van Eijk describes TEE as “a secure part of a device’s processor that keeps sensitive data and code safe.” He notes that even if other parts of the system are compromised, the TEE will safeguard critical information such as biometric data and digital certificates.

Another important feature is the cryptographic layer. This layer provides further protection through encryption and digital signatures, ensuring that data is both secure and authentic. Brenno de Winter, a cybersecurity expert, stresses its importance: “Using cryptography, the app can store data securely on a phone, protected by a digital signature from a trusted authority, eliminating the need for centralized storage.”

The Risk of Centralized Data

Despite the focus on decentralization, the Commission acknowledges the need for temporary local databases in some cases. For example, during pre-border checks, the traveler’s digital credentials must be temporarily stored to enable biometric matching at border crossings. However, the data will be deleted afterward.

This practice worries critics like De Winter, who states, “Whether a database is short-term or long-term, it’s still a database. If I, as a hacker, gain access and remain undetected for even a few hours, I could steal a significant amount of personal data.” He argues that decentralizing data is essential to reduce risks.

The most important thing of course is knowing if European citizens would actually use such a digital passport. We tried to find out on the airport of Brussels.

The introduction of digital passports marks a major step in Europe’s digital transformation. While it offers clear benefits, such as faster travel and improved efficiency, it also raises privacy and security concerns. Balancing these factors will be crucial to ensure that digital passports are both effective and safe for all users.

*1: This interview is simulated between the interviewer and the European Commision. While the awnsers are directly quoted from a written response, the European Commissioner is not talking in this audio.

*2: eu-LISA, short for European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice, is an EU agency responsible for managing critical IT systems that support the bloc’s internal security and border management. These systems include:

• SIS (Schengen Information System): Enhances border control and law enforcement cooperation.
• VIS (Visa Information System): Facilitates visa applications and checks.
• Eurodac: Supports asylum processes by storing fingerprint data.

eu-LISA ensures these systems operate securely and efficiently, playing a key role in the EU’s efforts to streamline border control, improve security, and support the free movement of people. It also implements cybersecurity measures to protect sensitive data.

*3: A Trusted Execution Environment (TEE) is a secure area within a device’s processor that ensures sensitive data and operations are kept safe from unauthorized access, even if the rest of the system is compromised. TEEs protect critical information such as biometric data and digital certificates by running code in an isolated environment, making it harder for hackers to access or tamper with the data. This technology is commonly used in applications like digital wallets and secure authentication systems to enhance security.