Introduction

When Digital Public Infrastructures (DPI), and in particular digital identity systems, are opened to both the public and private sectors, it becomes essential to regulate how they can be used. Without clear use case regulation, there is a high risk of over-identification and over-sharing of personal information, even in situations where identification is unnecessary.

<aside> 💡

Use case regulation means setting strict rules about who can request information from users, for which purposes, and what information they are allowed to ask for.

</aside>

Why It Matters

If any company or public agency connected to the DPI can request government-certified personal information without restriction, several risks emerge:

Risks Without Regulation

Without regulating use cases, the entire burden of deciding whether a request for information is proportionate falls solely on the users. Yet in reality, most people will simply click "accept" to access a service or gain entry to an establishment.

In many contexts, there is a power imbalance that makes it unrealistic for users to refuse to give their consent (e.g., hospitals, border checks, large online platforms). DPI often contain highly sensitive information from a single sector, and with use case registration, any relying party might receive unrestricted permission to request that data.

To uphold trust in DPI, there needs to be regulation that establishes accountability. Otherwise, bad actors could abuse the DPI for malicious gain without repercussions, and trust in the whole system would erode.

Safeguards and Best Practices

1. Mandatory Registration of Use Cases

Every relying party (the entity requesting information from the user) should:

We find different approaches to the administrative procedure for approving the registration of particular use cases. Some states have formal administrative procedures that include an appeals process. Others treat registration as a self-declaration by the relying party that is not formally checked by the registration entity.