EU Commission Overrides Member States to Embed Biometrics in Every European Digital ID Wallet

A June 2026 eIDAS Committee vote forces facial portrait photos into the EUDI Wallet's mandatory data set, reversing Parliament-won privacy safeguards through technical rules that bypass legislative scrutiny.

Key Takeaways

On June 19, 2026, the European Commission's eIDAS Committee voted to include biometric passport-style portrait photos in the minimum Person Identification Data (PID) dataset required for every European Digital Identity Wallet (EUDI Wallet). The vote overrode objections from a bloc of member states — including Germany, France, Spain and the Netherlands — drew formal criticism from the European Data Protection Supervisor (EDPS), and directly contradicted privacy protections the European Parliament spent two years negotiating into Regulation (EU) 2024/1183. A parallel decision effectively neutered the regulation's pseudonymity provisions. Together, the moves have prompted civil society groups to accuse the Commission of rewriting the eIDAS privacy compact through technical implementing acts that bypass democratic oversight.

The Commission's Case Is Not Frivolous

Before dismissing the Commission's position, it deserves a fair hearing. The EUDI Wallet is designed to function not only as a government credential but across commercial settings — a doctor's office, a border crossing, an age-gated online service. In face-to-face proximity use cases, a facial portrait is standard practice, and its inclusion brings the wallet into alignment with ISO/IEC 18013-5, the international mobile driving licence standard adopted by Australia, Japan and Canada that mandates portrait images. Interoperability with non-EU systems is a legitimate policy goal if the wallet is to function as a genuine travel and commerce document.

There is also a real identity assurance argument: a biometric photo cryptographically bound to a digital credential reduces impersonation risk in a way that a name and address alone cannot. Regulators who emphasise this are not acting irrationally.

The Problem Is the Architecture, Not the Photo

The objection is not to portraits existing in wallets. It is to embedding them in the minimum dataset — the baseline attributes transmitted in every wallet interaction, regardless of context.

As Austrian digital rights group Epicenter.works detailed in its March 2026 analysis, making a biometric portrait mandatory means that every time a citizen uses their EUDI Wallet to verify their age on a streaming platform, sign a lease, or authenticate to a municipal portal, they may transmit a facial image to that service. That is categorically different from a photo embedded in a chip that stays on the document. Digital transmission creates logs, enables cross-service linkability, and constructs the conditions for a surveillance layer — even without deliberate intent by any single actor.

The EDPS has repeatedly flagged this as the "wallet as honeypot" risk: a credential that aggregates biometric, identity and transactional data across commercial and governmental contexts becomes an extraordinarily high-value target. Epicenter.works director Thomas Lohninger put the social consequence plainly: "If they are pressured and forced to use it, I think we'll just create a pushback from society."

The Pseudonym Rollback

Equally significant is what the June 2026 implementing acts do to pseudonymity. Regulation (EU) 2024/1183 explicitly guarantees users the right to authenticate using a wallet-generated pseudonym in contexts where full legal identification is not required by law — a hard-won Parliament provision designed to ensure the wallet cannot become a mandatory identifier for low-stakes interactions.

The implementing acts narrow this protection to the authentication step alone. Once a user authenticates pseudonymously, services can still request full legal identity data from the wallet without triggering any privacy-by-default protection. The European Digital Rights network (EDRi) noted in March 2026 that this renders the pseudonym right "practically useless when available", making over-identification the structural default rather than the exception.

Bypassing Parliament Through Comitology

The procedural dimension of this dispute matters as much as the substantive one. The implementing acts are adopted through the comitology process — a committee of member state representatives that advises the Commission. The full European Parliament does not vote on implementing acts. This means the Commission can use the fourth implementing act batch to quietly rewrite privacy protections that Parliament spent two years securing in trilogue negotiations — without any MEP casting a ballot.

This is precisely what civil society groups warned was happening. In March 2026, fifteen digital rights and consumer organisations signed an open letter to the Commission urging it to reverse course before the implementing acts were finalised. The Commission proceeded anyway.

A Compromise That Falls Short

The June 19 vote produced a compromise: member states are permitted, but not required, to allow citizens to opt out of storing biometric portrait photos. On the surface, this is a concession to the objecting bloc. In practice, it creates a fragmented patchwork. States that do not implement the opt-out — and there is no enforcement mechanism compelling them to do so — will embed biometric data in every citizen's wallet dataset with no practical recourse. The compromise also does nothing to fix pseudonym narrowing, registration certificate loopholes that allow services to bypass the wallet's "no over-asking" protection, or provisions that allow large online platforms to substitute proprietary authentication systems for genuine EUDI Wallet integration.

What the Commission Should Do

All 27 EU member states are required to make EUDI Wallets available to citizens by December 2026. That deadline is real, and the implementation pressure it creates is not an excuse to cut privacy corners — it is precisely the moment when getting the architecture right matters most. A wallet that citizens do not trust will not be adopted regardless of legal mandates.

The Commission should reopen the fourth implementing act batch and strip biometric portraits from the mandatory minimum PID set, retaining them as an optional attribute member states may include for identity-assurance purposes. It should restore the pseudonymity protection Parliament won by making it apply to the full interaction, not just the login step. And it should make registration certificates — the mechanism that allows wallets to detect and block impermissible data requests — mandatory rather than optional.

The EUDI Wallet has the potential to be a genuine public good: a citizen-controlled credential that reduces dependence on proprietary platforms, enables cross-border access to services, and gives Europeans actual sovereignty over their digital identity. That potential is squandered the moment the wallet becomes a biometric data collection instrument that routinely transmits facial images to online retailers. Parliament won these protections once. The Commission should not force legislators to win them twice.

Sources & Citations

  1. EUDI Wallet Biometric Compromise — Biometric Update
  2. Five Problems the Commission Must Fix — Epicenter.works
  3. eID Wallet Still Doesn't Deserve Your Full Trust — EDRi
  4. Open Letter on Fourth Batch of eIDAS Implementing Acts
  5. EU Commission — EUDI Regulation Policy Page
  6. Regulation (EU) 2024/1183 — EUR-Lex
  7. EU Parliament Legislative Train — eID File