Maarten Stultjens, VP Corporate Development at OneWelcome is to partake in a panel discussion entitled Identity, Privacy, Security - The European Perspective on Monday, September 13 starting at 15:50 pm at EIC 2021.
To give you a sneak preview of what to expect, we asked Maarten some questions about what he will bring to the panel.
There are differences in Digital Identity between US and Europe. What is the bigger picture?
Yeah, well, I think as the first step we have to look at some global initiatives that are taking place in business. And if I have to mention two main things that are happening, one is the gig economy where the relationship between employees and the employer is changing. That employees are much more flexible and that a lot of the work is being outsourced and outsourcing can be done anywhere. And the second thing that is happening is that we are working towards anything as a service. We're used to software as a service, especially here in the IT industry, but we're also very familiar at the moment with car as a service.
And, one of our customers is also thinking of moving to ship as a service. So rather than buying a ship, you just pay for operating hours of such a ship. Well, these changes lead to changes in IT, it increases the dependency on IT. It leads to dominance of certain platforms in IT. Think of Amazon, Google, Microsoft - it leads to globalization. And of course, as a result, it also requires a higher interoperability. So, these things strongly influence the changes in digital Identity.
What are challenges between the different aspects of Digital Identity?
With these changes with the gig economy and anything as a service - or I already mentioned that there is a bigger dependency on IT, and on the big tech providers. And there are some concerns, and these concerns result in the behavior of these organizations, not only in how they treat our privacy, but also in taxation or in copyright protection. And also, think of the data sovereignty that we want to have here in Europe, where we have seen that the US has implemented the Cloud Act in 2018. We are very aware here in this geography of privacy and we have developed the GDPR and adopted the GDPR and beyond GDPR, there will be other rules and regulations like privacy.
At the same time, we are in a very fragmented landscape here where interoperability is not so easy. So, if you look for example, at data residency, then, in the past we had the Safe Harbor agreement back in 2015, it was invalidated. And as a follow up of the Safe Harbor agreement, there was the privacy shield agreement that again was invalidated last year, known as the Schrems II outcome. And currently, in the EU, we are working towards a data sovereignty - we've seen that in Russia and China - and we are implementing now our own internet, Gaia-X. We are implementing other measures to transfer data from the EU to the US contractual clauses. The UK has their own guidelines and is building their own guidelines.
And we see all kinds of interpretations in different countries, for example, in France, where they allow EU SaaS built on AWS provided that sufficient safeguards have been implemented. In the privacy area, we see that, although GDPR has been implemented, it is still only implemented in a pretty basic fashion. So going forward, I expect that, for example, consent management will get a lot more adoption, rather than the legitimate interest that we initially thought would be a ground for processing of data. And, at the same time, we see that in different industries, there are, per country, different regulations. Think of healthcare, think of insurance or banking. And last but not least, there is this interoperability question - we would like to inter-operate, we want to inter-operate across these verticals, which have their specific regulations - and also per country.
But at this moment, we see, for example, identity providers like Speed in Italy, France Connect. We see Verimi in Germany, and we see Itsme in Belgium, DigiD and eHerkenning in the Netherlands. We are working - or the EU is working towards standardization with eIDAS. But this is still a bit of a free option for the different countries because their own identities have to be notified in the eIDAS. So, a new law is currently being developed by the EU for EU wide digital identity based on the wallet. So, there are a lot of developments in this area that try to solve the challenges of digital identity in and across Europe.
How does that impact the platforms that customers need for their digital identities?
I think first of all – the question of data residency – that is a clear question. So, the platforms that customers need, need to ensure that data is kept in Europe, because our customers don't want to be opposed to these constantly changing regulations that are constantly declared invalid, and on contractual agreements. That is a clear thing, other things, with the fragmented landscape, with the fragmented identity providers across Europe, we also see a need for a lot of flexibility in building a customer journey and for the onboarding of users at every point in the customer journey, you need to be able to make a step out. And the step out in Italy will be different from France and so forth. There is, of course, also the multi-language in Europe, we speak different languages.
And, for example, I'm from the Netherlands. If I drive two hours to the south, I need to speak French, and only French. If I drive to the east, I need to speak German, and very often only German. And to the west there is the UK. And these language barriers do not only give requirements for the end user, the consumer, but also if you work business to business and you work in a delegated fashion, then your business customers, or your partners – and I think again of that “anything as a service or to gig economy” - also, you need to address these type of business users within their own language. So, language support, not only for the consumer, but in the whole chain, B2B to B2C needs to be supported. And, of course with our consciousness on privacy, it is very important that we give full control in the platforms to the consumer on the usage of their data.
What would your key take-away for the panel be?
Well, of course, for the customers, when they are looking for a platform, they need a platform that fulfils the requirements that were just mentioned here, the flexibility, the language, but it's not only that. There is a lot of dynamics in this world. The Gig economy and the SaaS and Anything as a Service are constantly evolving. That means that, if you have a vendor far away, most likely that vendor doesn't completely understand, or doesn't adopt these types of dynamics quickly enough. So, I'm advocating, being a European vendor, also to work with European vendors because they are on top of all these developments. And there is for the next years no such thing as a standard for customer Identity. I think that this place, especially in the regulated industries - Telco, energy, finance, and maybe to a lesser extent to retail and consumer goods - because things are less privacy sensitive.