2.1. Definitions and concepts

Digital identity can be defined as “a collection of electronically captured and stored identity attributes that uniquely describe a person within a given context and are used for electronic transactions” (World Bank Group, GSMA and Secure Identity Alliance, 2016).

These attributes include biometric data such as fingerprints, eye scans, 3D face maps, and life factors, including date and place of birth (International Organization for Standardization, 2019). They can also be combined with evidence of government-issued IDs such as passports or a drivers’ licenses, as well as digital behavioral attributes including digital activities on social media, search history online, and online purchase history (Beduschi et al., Reference Beduschi, Cinnamon, Langford, Luo and Owen2017; Kuner and Marelli, Reference Kuner and Marelli2020).

As such, digital identity is placed at the interplay of complex relationships between technology, identification, and identity (Whitley et al., Reference Whitley, Gal and Kjaergaard2014). Technology can play an important role on how individuals understand and define their identity (Whitley et al., Reference Whitley, Gal and Kjaergaard2014; Shoemaker et al., Reference Shoemaker, Kristinsdottir, Ahuja, Baslan, Pon, Currion, Gumisizira and Dell2019). However, the analysis of the concept of identity from a social, cultural, and historical perspectives, as amply discussed in the scholarship (Baumeister and Muraven, Reference Baumeister and Muraven1996; Dube, Reference Dube2002; Liu and László, Reference Liu, László, Moloney and Walker2007; Breckenridge, Reference Breckenridge2014, Reference Breckenridge2019), falls outside of the remit of this article.

Digital identity technologies mediate identification, identity verification, and authentication of individuals (Sullivan, Reference Sullivan2016, Reference Sullivan2018). Identification is “the determination of identity and recognition of who a person is” (World Bank, 2018). Biometric identification is often referred to as a 1:N (one-to-many) match, in which a person’s biometric data such as a fingerprint, voice, face, gait, or iris, is captured and used to determine the identity of that person (Biometric Institute, 2020).

Identity verification is the “confirmation and establishing of a link between a claimed identity and the actual, living person presenting the evidence” (World Bank, 2018). For example, fingerprint verification is commonly used to unlock mobile phones—matching a live biometric attribute (fingerprint) against the record of that fingerprint that was previously collected and stored in the relevant mobile phone database.

Authentication is “the process of verifying an identity claim against the registered identity information” (World Bank, 2018). For instance, authentication is paramount for the online banking sector as customers have their identity verified upon registering for online services, but they also need to have it re-established every time they want to access online services to avoid fraud. Authentication may include multifactor methods, using a combination of biometric information such as a fingerprint, a mobile device, and a password (Kessem, Reference Kessem2018).

Based on these definitions, the following subsection assesses the influence of different actors and interests involved in the digital identity space.

2.2. Multiple actors and interests

The digital identity landscape includes a multitude of actors with different and often divergent interests, defining how technologies are designed and implemented.

Digital identity is used in a variety of sectors, spanning from retail and online banking to government services and humanitarian action (Organisation for Economic Co-Operation and Development, 2011; World Economic Forum, 2018; Kuner and Marelli, Reference Kuner and Marelli2020). Each of the actors in these different sectors has their own interests. For instance, private companies may logically follow their commitment toward profit-making and safeguard the interests of their shareholders. Whereas governments should defend the public interest, and international organizations should act within the limits of their mandate to protect the interests of those that they serve. These different motivations can subsequently influence the shaping of technological systems (Medaglia et al., Reference Medaglia, Eaton, Hedman and Whitley2021).

Historically, digital identification largely arose from a functional demand. Actors such as service providers, organizations, and national governments started attributing digital identifiers to individuals already included in their various databases of beneficiaries. That was, for example, the case of the attribution of digital identifiers in the context of health insurance cards, voter registration cards, or food distribution programmes IDs (Gelb and Clark, Reference Gelb and Clark2013; Kuner and Marelli, Reference Kuner and Marelli2020).

Whereas this functional approach allows for a more tailored collection of information, in practice, it also fragments and increases the complexity of the identity landscape (USAID, 2017). Often, the same individual would have multiple parallel digital identities, issued by a variety of service providers, organizations and government bodies and agencies. For instance, in the humanitarian sector, several organizations frequently collect an individual’s personal information, including biometric data, in a digital format, leading to the multiplication of different identity credentials (Shoemaker et al., Reference Shoemaker, Kristinsdottir, Ahuja, Baslan, Pon, Currion, Gumisizira and Dell2019).

In the private sector, for example, in the online banking and retail fields, user demands for seamless authentication as well as data privacy and cybersecurity considerations have led to the gradual adoption of more sophisticated systems for digital identity management.

For instance, companies have increasingly invested in secure identity and access management practices in recent years (IBM, 2018). In the European Union (EU), the eIDAS (electronic Identification, Authentication and Trust Services) Regulation provides a framework for electronic transactions in the European Single Market (European Parliament and Council, 2014). Under the eIDAS individuals and businesses can use their national electronic identification schemes (eIDs) to carry out cross-border electronic transactions such as accessing public services online in other EU member states.

At the same time, governments across the world have started nation-wide digital identity programmes, aiming at providing foundational legal digital identity to their citizens. Well-established examples of such programmes include the unique identifier number issued by India’s Aadhaar programme (Unique Identification Authority of India, 2019) and Estonia’s digital citizenship model (e-Estonia, 2020). Other examples include the UK’s Verify federated digital identity system (Whitley, Reference Whitley2018; Government Digital Service, 2020) and Canada, which has launched an initiative to accelerate the adoption and development of digital identity (DIACC, 2020). Australia is currently piloting a digital identity ecosystem (DTA, 2020) and New Zealand has also launched a Digital Identity Transition Programme (New Zealand Government, 2020).

Foundational digital identity programmes have become more common in South-East Asia (World Bank, 2019) and are also gaining traction in several Latin American countries (Barbosa et al., Reference Barbosa, Carvalho, Machado and Costa2020). Another example is the West Africa Unique Identification for Regional Integration and Inclusion Program, which is currently underway. This programme aims to provide foundational digital identity to individuals in Ivory Coast and Guinea by 2023 (World Bank, 2020a).

Different interests in the context of public–private initiatives can potentially lead to problematic power relationships due to the nature of the dependencies between public and private actors (Medaglia et al., Reference Medaglia, Eaton, Hedman and Whitley2021).

Public–private initiatives such as ID2020 (2020) and the World Bank ID4D programme (World Bank, 2020b) have recently increased their efforts to provide legal identity to over one billion people worldwide who still lack the means of proving their identity. Such programmes strive to meet the goal of providing legal identity for all by 2030, as established by Target 16.9 of the United Nations Sustainable Development Goals (UN SDGs) through a variety of technological solutions, to which we now turn.

2.3. Diverse technological solutions

Digital identity systems build on a variety of technologies, which adds complexity to the already intricate network of multiple actors operating in the field. The World Bank classifies these technologies into three categories: technologies linked to credentials such as biometrics; technologies related to authentication and trust frameworks such as blockchain; and technologies linked to data analytics such as predictive analytics (World Bank, 2018).

Biometric technologies build on an individual’s unique physiological (e.g., fingerprint ridges, iris patterns, palm prints, and facial characteristics) and behavioral attributes (e.g., gait and signature) for identification or authentication (Beduschi et al., Reference Beduschi, Cinnamon, Langford, Luo and Owen2017).

Blockchain operates on decentralised distributed ledgers (Swan, Reference Swan2015), thus avoiding data storage in a single central database (Tapscott, Reference Tapscott2017). It records data in a chronological order in the decentralized ledger, which is hosted on nodes or servers across a peer-to-peer infrastructure (World Bank, 2018). Blockchain technology is at the center of the decentralized model of “self-sovereign identity,” according to which digital identity is owned and controlled by the user (Tobin and Reed, Reference Tobin and Reed2017; Sovrin Foundation, 2018; Goodell and Aste, Reference Goodell and Aste2019).

Insofar as personal information is not directly recorded in a blockchain, decentralized distributed ledgers can improve information security and confidentiality as it is very difficult to delete or tamper with the information recorded in it (Zyskind, Reference Zyskind2015; Finck, Reference Finck2018). Similar considerations apply to KERI (Key Event Receipt Infrastructure), one of the most recent technologies in the identity landscape, which can be broadly defined as a micro-ledger fully decentralized identity system (Decentralized Identity Foundation, 2020; KERI, 2020).

Data analytics refer to the technologies that use mathematical, statistical, and predictive modeling techniques to analyze a variety of data sources, including big data, to identify patterns, provide insights, and predict behavior (World Bank, 2018). They often build on artificial intelligence techniques such as machine learning algorithms (Flach, Reference Flach2012; Ertel, Reference Ertel2018) and neural networks (LeCun et al., Reference LeCun, Bengio and Hinton2015). For instance, data analytics can be used to predict the effects of aging on individuals in the context of digital identity (World Bank, 2018).

Each of these different technologies can be designed and used in ways that present advantages and disadvantages for data privacy. For example, cryptography can be used to ensure privacy in the context of biometric data—researchers have explored the benefits and shortcomings of using encrypted hashes of biometric data and deep hashing for multimodal biometrics (Talreja et al., Reference Talreja, Valenti and Nasrabadi2020). Similarly, zero-knowledge protocols, whereby one can prove that they hold a value x without disclosing any information besides that they know the value x, can be introduced to make blockchain technologies privacy compliant (Li et al., Reference Li, Guo, Nejad and Shen2020; Yang and Li, Reference Yang and Li2020).

Based on this typology, the next section analyses in more detail how digital identity systems can respect and protect data privacy.

3.1. Digital identity systems should incorporate data privacy by design and by default

Privacy by design principles (Cavoukian, Reference Cavoukian2010; Resolution on Privacy by Design, 2010; Federal Trade Commission, 2012) provide a good starting point, as they advocate for a proactive (not reactive) and preventive (not remedial) protection of data privacy (Cavoukian, Reference Cavoukian2010).

According to these principles, privacy should be safeguarded throughout the systems’ lifecycle, as the default setting. Guarantees should be embedded into the design of these systems. In doing so, privacy by design aims to avoid the supposed trade-off between privacy and security. It proposes, instead, a solution that ensures that both interests are protected. Cavoukian’s principles also call for visibility and transparency, as well as user-centric approaches to design, operation, and management of systems.

While these principles remain limited in their material scope of application (Jasmontaite et al., Reference Jasmontaite, Kamara, Zanfir-Fortuna and Leucci2018), they represent a valuable tool for building better data privacy protection (Buttarelli, Reference Buttarelli2018).

In the EU, Article 25 of the GDPR imposes a more comprehensive requirement for data protection by design and by default, which is said to be one of “the most innovative and ambitious norms of the EU’s newly reformed data protection regime” (Bygrave, Reference Bygrave2017). It requires the implementation of appropriate technical and organizational measures aiming at integrating the core data protection principles listed in Article 5 of the GDPR into the design and development of systems processing personal data.

Therefore, data protection by design and by default involves not only the implementation of technical measures relating to the design and operation of software and hardware in a manner that takes account of data protection principles. It also entails a revision of organizational strategies and practices to accommodate such principles by design (Article 25-1 GDPR) and by default (Article 25-2 GDPR).

In the digital identity context, such requirements apply to the processing of personal information concerning EU data subjects, independently of whether processing occurs within or outside of the EU (Article 3-1 GDPR).

Nonetheless, the operationalization of these requirements may be challenging. Only data controllers bear a positive obligation to implement data protection by design and by default (Jasmontaite et al., Reference Jasmontaite, Kamara, Zanfir-Fortuna and Leucci2018). Data controllers are “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4-7 GDPR).

Consequently, a variety of stakeholders, including engineers, software developers, and industry collaborators, may not be obliged to conform to these requirements. Yet, they may actively contribute to the design of digital identity tools, and influence decision-making in matters related to, for example, the amount of personal data to be collected, their storage and accessibility. Such a situation may considerably weaken the obligation.

Therefore, the whole digital identity community should commit to implementing data privacy protection by design and by default, even in cases where they are not under a legal obligation to do so.

Such an approach aligns with Recital 78 of the GDPR, which provides that “producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications.”

Principle 6 of the World Bank’s Principles on Identification for Sustainable Development also recommends “[p]rotecting user privacy and control through system design” (World Bank, 2017). It thus provides further support to the argument that the whole digital identity community should commit to better data privacy protection by design and default.

3.2. Data protection impact assessments should support the development of digital identity systems

Data protection impact assessments (DPIA) can be used to continuously develop technologies in a data privacy compliant manner. A DPIA is a process that identifies the risks for the protection of individuals’ data privacy and the ways of mitigating these risks.

Under EU law, the data controller has an obligation to carry out a DPIA before the processing of the data if there is a high risk of harm to individuals’ rights and freedoms (Article 35-1 GDPR).

Digital identity systems process personal information, including biometric data (Kak, Reference Kak2020), which are considered as a special category of data that attracts stronger levels of protection (Article 9-1 GDPR). Digital identity providers are thus required to undertake a DPIA during the development of the systems, considering the nature, scope, context, and purposes of the processing (Article 35-3-b GDPR).

The assessment must fulfill the criteria set forth in the GDPR, which include an evaluation of the necessity and proportionality of the operations concerning the purposes of the processing, as well as an assessment of the risks to individuals’ rights and freedoms, going beyond the sole protection of data privacy (Article 35-7 GDPR).

While there is current practice indicating that some private and public sector actors are undertaking DPIA (Privacy International, 2019; Kuner and Marelli, Reference Kuner and Marelli2020), more needs to be done. Overall, it is essential that policymakers ensure that digital identity providers undertake DPIA before deployment of digital identity technologies, at least when these fall within the scope of the GDPR.

3.3. Data privacy should guide the implementation and evaluation of digital identity systems

When implementing digital identity solutions, it is essential to bear in mind that digital personal information is also protected under international human rights law within the scope of the right to privacy. For instance, the right to privacy is guaranteed by Article 12 of the Universal Declaration of Human Rights (UDHR), Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and Article 8 of the European Convention on Human Rights (ECHR).

Public authorities implementing digital identity solutions or allowing private parties to do so within their jurisdiction must consider that such measures could interfere with the right to privacy of affected individuals (Human Rights Committee, 1988; S. and Marper v. UK, 2008; Gaughran v. UK, 2020).

As the right to privacy is a qualified right, public authorities may be able to justify interference with this right under specific conditions. Specifically, such measures must safeguard a legitimate aim, such as those enumerated in Article 8, paragraph 2 of the ECHR, which include national security, public safety, and protection of rights and freedoms of others. They must also satisfy the cumulative tests of legality, necessity, and proportionality.

The legality test implies that domestic laws providing the legal basis for the adoption of digital identity technologies must be adequately accessible and foreseeable, and clearly indicate the amount of discretion left to public authorities (S. and Marper v. UK, 2008). For instance, the UK government plans to update existing laws on identity checking to enable the deployment of digital identity solutions. In such a case, the revised laws would need to meet the said criteria of accessibility, foreseeability, and clarity for the legality hurdle to be cleared.

The necessity test requires public authorities to demonstrate that their actions were motivated by a pressing social need (S. and Marper v. UK, 2008). In other words, they must justify whether deploying digital identity solutions is critical for the functioning of the society. The unprecedented nature of the COVID-19 pandemic and the ensuing great demand for seamless online services may allow public authorities to clear this hurdle.

The proportionality test requires the measures taken by public authorities to be proportionate to the legitimate aims such as those listed above: national security, public safety, and so on. These measures must also represent the least restrictive viable solution (Kennedy v. UK, 2010; Roman Zakharov v. Russia, 2015). In the context of digital identity, that implies opting for less privacy-intrusive architectural choices that can still efficiently achieve the public interest goals relating to digital identification, authentication, or identity verification.

In this regard, digital identity should not be transformed into surveillance tools by actors in the private and public sectors alike. As the COVID-19 pandemic normalized remote ways of working, scholars have highlighted the risks for employee privacy amounting to “surveillance-by-software” (Codd and Ferguson, Reference Codd and Ferguson2020; Collins, Reference Collins2020).

There are also risks associated with the provision of digital public services, notably concerning questions about who has access to personal information, for which purpose and uses, and for how long. These questions are even more significant with respect to health data such as COVID-19 test results and digital vaccination records, especially if these will be requested from individuals to allow them to access public and private spaces such as restaurants, churches, or public transport (Beduschi, Reference Beduschi2020b).

Overall, it is essential that public authorities evaluate the impact of digital identity technologies beyond data privacy, as this right is deeply intertwined with the protection and respect for other sets of legal rights, as discussed in the next section.

4.1. Digital identity should not exacerbate pre-existing inequalities

Digital identity technologies are not inherently neutral. Depending on how digital identity systems are designed and used, they may lead to inequalities or discrimination and even hinder the rights of those that they intend to benefit (Beduschi, Reference Beduschi2019).

Article 1 of the UDHR recognizes that “all human beings are born free and equal in dignity and rights.” International treaties on human rights such as the ICCPR, the ECHR, and the American Convention on Human Rights (ACHR) operationalize the right to equality by establishing guarantees against discrimination (Article 26 ICCPR, Article 14 ECHR, and Article 1 ACHR).

Direct and indirect forms of discrimination based on grounds, such as race, color, sex, language, religion, political or other opinion, national or social origin, property, birth, or other status are therefore prohibited. Direct discrimination indicates that individuals are treated less favorably because of one or more of these grounds. Indirect forms of discrimination are the result of measures that are neutral in appearance, but that can lead to a less favorable treatment of individuals on one or more of these protected grounds.

Even if digital identity systems do not directly discriminate people based on any of these protected grounds, they might still lead to indirect discrimination if individuals are treated less favorably due to the deployment of these technologies.

Consider, for example, a scenario in which digital identity registration and management of records rely primarily on biometric data such as fingerprints and iris scans. Older individuals and those from a manual laborer background may experience obstacles in joining and using digital identity programmes. That is because aging and manual labor can cause damage to and change one’s biometric information (Rebera and Guihen, Reference Rebera and Guihen2012). Decrease of skin firmness, medical conditions such as arthritis, and other common issues associated with the process of aging significantly lower the quality of fingerprint images captured by sensors (Modi et al., Reference Modi, Elliott, Whetsone and Kim2007).

Such difficulties with registration and management of biometric records can exclude some persons from access to benefits and services if these are conditioned on having a digital identity that relies primarily on biometric data.

For instance, research demonstrates that although most people find India’s Aadhaar digital identity programme easy to use, a sizable minority have encountered problems with biometric authentication, which then led to difficulties accessing welfare benefits, and at times, even exclusion or denial of service (Totapally et al., Reference Totapally, Sonderegger, Rao, Gosselt and Gupta2019). Such problems have occurred even though the programme provided alternatives to authentication, as these were not widely known by the population (Totapally et al., Reference Totapally, Sonderegger, Rao, Gosselt and Gupta2019).

Similarly, researchers have highlighted the challenges for refugees and other vulnerable populations in accessing services and benefits provided by international organizations that use digital identity systems in the humanitarian context (Masiero and Das, Reference Masiero and Das2019; Shoemaker et al. Reference Shoemaker, Kristinsdottir, Ahuja, Baslan, Pon, Currion, Gumisizira and Dell2019).

Therefore, it is crucial that once deployed, digital identity systems do not exacerbate pre-existing inequalities in society. To achieve this goal, decision-makers should take a step back and assess the broader impacts that these technologies can have for equality and nondiscrimination throughout the identity lifecycle.

After undertaking a human rights impact assessment (The Danish Institute for Human Rights, 2020), decision-makers should put strategies in place to manage potential issues, such as exclusion and denial of access to services. Examples of effective strategies include providing alternatives to biometric registration and identity management and the promotion of digital literacy amongst marginalized populations to facilitate wider adoption of digital identity systems.

Another matter of priority for decision-makers relates to ensuring accountability for digital identity systems, analyzed further below.

4.2. Digital identity systems should enshrine accountability

In the digital identity sphere, procedures should be in place to promote accountability throughout the identity lifecycle.

At its core, accountability can be understood as the action of calling someone to account for their actions or omissions (Mulgan, Reference Mulgan2000). It implies an exchange between individuals or entities—an exchange in which one is giving an account for an action or omission to the other. Accountability is, therefore, principally procedural in nature. It is a process that aims to assess whether a person’s or an entity’s actions or omissions were required or justified and whether that person or entity may be legally responsible or liable for the consequences of their act or omission (Giesen and Kristen, Reference Giesen and Kristen2014, p. 6).

Accountability is recognized as an essential principle applicable to digital identity systems. For instance, the World Bank places it at the heart of digital identity governance mechanisms (World Bank, 2017, Principle 9) even if accountability mechanisms can be difficult to establish and measure. Similarly, in the EU, the eIDAS Regulation provides for requirements on security and liability with a view to ensuring accountability of operations and services (European Parliament and Council, 2014, Recitals 35–36).

It follows that digital identity providers from the private as well as public sectors should be held accountable for their actions and omissions vis-à-vis the end-users (the entities that commission digital identity solutions and individuals who use digital identity systems for online operations and transactions).

In the private sector, the accountability of digital identity providers must be analyzed in connection with the two applicable legal regimes of liability and responsibility. Liability is, for instance, a crucial matter under the eIDAS Regulation, which establishes a specific regime in the context of electronic identification for cross-border transactions (European Parliament and Council, 2014, Article 11).

Businesses also have a responsibility to respect human rights under the United Nations Guiding Principles on Business and Human Rights. Such responsibility can be operationalized, for example, by undertaking due diligence processes to “identify, prevent, mitigate and account for how they address their impacts on human rights” (Human Rights Council, Guiding Principles on Business and Human Rights, 2011, Article 15b).

The accountability of state-led digital identity programmes must also be articulated on the basis of the legal regime of responsibility established by international human rights law. State parties to international treaties on human rights owe treaty obligations to individuals who find themselves within those States’ jurisdiction (Article 2 ICCPR, Article 1 ECHR, and Article 1 ACHR). They must, therefore, respect and protect individuals’ human rights set forth by these treaties (Human Rights Committee, 2004).

State responsibility is engaged when harmful conduct is attributable to a State and when it constitutes a breach of one of the State’s obligations under international law (International Law Commission, 2001; Marks and Azizi, Reference Marks, Azizi, Crawford, Pellet, Olleson and Parlett2010; McGregor et al. Reference McGregor, Murray and Ng2019). Therefore, public authorities that deploy digital identity systems are responsible for the harms caused to individuals if their conduct breaches the applicable legal obligations to respect and protect human rights.

Their responsibility is not contingent on whether they have designed and developed the systems internally or procured them from private sector suppliers. The contractual relationship between the supplier of digital identity systems and the public authority acquiring these systems does not preclude the public authorities’ responsibility for the implementation of the systems if that causes harm and breaches relevant human rights obligations.

After assessing the relationship between accountability, liability and responsibility regimes, it is important to analyze which mechanisms could support individuals to obtain redress in case of harm and breach of their rights. This topic is examined in the following subsection.

4.3. Digital identity frameworks should encompass mechanisms for the adjudication of grievances

Individuals should be able to challenge decisions related to the implementation of digital identity systems and to obtain redress in case of harm and breach of their rights. For example, individuals should have the means to address common issues, including the failure to register or verify identity with biometrics, and errors in the attribution of identity due to inaccurate technologies. Identity theft and loss of identity data are also significant issues that need to be swiftly addressed by digital identity providers.

Consider, for example, digital identity systems using facial recognition technologies for identification in a multiethnic context. Research demonstrates that facial recognition technologies are considerably less accurate when used to recognize darker-skinned faces (Buolamwini and Gebru, Reference Buolamwini and Gebru2018; Crawford et al., Reference Crawford, Dobbe, Dryer, Fried, Green, Kaziunas, Kak, Mathur, McElroy, Sánchez, Raji, Rankin, Rashida Richardson, West and Whittaker2019). Suppose, for example, that the system using facial recognition technologies misidentifies a person applying for a digital voter ID and that such error is not found and promptly corrected. Suppose further that the digital voter ID is a pre-requisite for participating in democratic elections. In that case, the individual concerned by such misidentification may not be able to exercise their right to vote unless the public authorities provide alternative forms of registration. Public authorities may thus be in breach of their obligations to hold elections that ensure the free expression of the opinion of the people (Article 3 of the First Additional Protocol ECHR).

Yet, individuals such as in this example may face significant difficulties in bringing a complaint if dispute resolution and adjudication mechanisms were not easy to access and affordable. The World Bank’s Principles on Identification for Sustainable Development recommend “enforcing legal and trust frameworks through independent oversight and adjudication of grievances” as part of the applicable governance frameworks (Principle 10). Nonetheless, it is crucial to examine how these can be put in place.

Adjudication before judicial authorities follows the rules provided by domestic laws, which are generally not exclusive to digital identity matters. Under international human rights law, States must ensure the right to a fair trial (Article 14 ICCPR; Article 6 ECHR; Article 8 ACHR) and the right to an effective remedy (Article 2 ICCPR; Article 13 ECHR; Article 25 ACHR). However, they are free to decide on the procedures and mechanisms to satisfy these obligations.

Extra-judicial complaint mechanisms could be embedded within the sector of activity in which digital identity systems are deployed. For example, administrative complaint mechanisms could be used to settle potential disputes concerning digital identity in the public sector. These could be used, for instance, for matters including complaints relating to welfare payments, taxation, and license requests.

Alternative dispute resolution mechanisms such as mediation and arbitration could also be used to settle disputes concerning digital identity in the private sector more swiftly. Doing so could enhance access to justice and dispute resolution mechanisms in jurisdictions with high judicial litigation costs, such as the UK.

Dispute resolution mechanisms, both within and outside judicial systems, are essential for building trust in the adjudication of grievances, thus reinforcing governance and supporting accountability within digital identity frameworks.