Estonia recently became the first country in the world to announce plans that would enable persons from anywhere in the world to become e-residents of the state. Beginning in 2015, an Estonian e-ID can be used by persons outside the country to access e-services such as company registration, banking, e-signatures, and e-document delivery.
Estonian e-residency is a major development with significant legal and commercial implications. This is the first time that a government-verified identity has been divorced from residency and citizenship, which raises questions about the legal protections available to e-residents, the possible tax effects, and the security of data collected, stored, and accessed under the Estonian system. The bigger question, however, is what this development implies for in other countries, particularly within the European Union.
To fully comprehend the significance of the Estonian announcement it is first necessary to understand both the way in which e-residency will be obtained as well as its limitations. First, applicants must apply in person in Estonia, though it may be possible to apply at Estonian embassies and consulates abroad in the future. Second, applicants must pay a fee and are required to provide the same biometric data and paper documentation to establish their identity as are Estonian residents. After identity verification, an e-ID is issued to enable access to Estonian business e-services for the non-resident.
The e-ID granted to e-residents will probably come in the form of a mobile credential within a module inside a mobile phone SIM card. The e-resident’s e-ID will not be the equivalent of the e-ID used by Estonians. It will not contain a photograph and cannot be used for travel, for example, but it can be used to access Estonian online services to do business without being physically present in Estonia. The primary objective of this new initiative is to encourage business and investment. The aim is for Estonia to become synonymous with secure e-signature architecture and e-commerce, in much the same way that Switzerland became known for banking.
The initiative does have major commercial advantages. Estonia has the most advanced e-society economy in the world, with over 600 e-services available to its citizens and 2,400 e-services to businesses. With an Estonian e-ID, a non-resident can register a company online in minutes, open a bank account, and buy and sell property using e-documents and e-signatures. However, there are also potential pitfalls. The e-ID granted to an e-resident does not provide the legal protection available to an Estonian citizen or legal resident. Indeed, the legal position of an international e-ID holder is still effectively that of a foreigner. Estonia is a member of the European Union, but if an e-resident is not physically within the geographic boundaries of the European Union the legal protections available to EU citizens do not apply.
Businesses registered in and operated from Estonia are also subject to Estonian taxes. In the absence of a double tax treaty with Estonia, under which taxes can be offset, an overseas business incorporated in Estonia and operated using Estonian e-services may discover it is subject to double taxation. Typically, if a company is registered offshore, it is still considered resident for tax purposes in the country where its central management and control is located or where its voting power is controlled by resident stockholders. Estonia presently has double tax treaties with many countries, including the United States, Canada, and the United Kingdom, but not, for example, with Australia.
Under the Estonian e-system, virtually every part of life and business is automated. Personal information is constantly collected, stored, and used. At birth, a digital birth certificate is issued and the baby’s health insurance is automatically activated. All residents aged 15 and over have e-ID cards, which are used for health care, public transport, electronic banking and shopping, buying and selling property, signing contracts, filing taxes, and voting. Significantly, private-sector organizations also use the authentication mechanism for their services. With the advent of e-residency, information relating to e-residents will become part of this e-system.
The Estonian government acknowledges that security vulnerability is inherent to this type of scheme. To address this vulnerability, Estonia is establishing what it calls “data embassies” in overseas locations where multiple copies of data will be stored so the system can be restored in the event of system failure.
The creation of multiple offshore storage sites increases the opportunity for data to be accessed and the potential for it to be compromised. In general, local law applies and creation of these “data embassies” does not automatically provide immunity from access and use by government and private sector entities in the country where the “embassy” is located.
As for the bigger picture, the Estonian e- residency model may well become the standard for Europe. The European Commission is currently proposing an upgrade to the existing legal framework. The proposal allows “signing” using mobile phone technology, requires greater accountability for security, and establishes clearer and stronger rules for the supervision of e-signature and related e-document services. When formally approved by the European Parliament, the proposal will apply to all European Union Member States.
Most significantly, however, the European proposal requires mutual recognition between various national e-ID systems. Already, Estonia, Belgium, Portugal, Lithuania, and Finland mutually recognize their e-IDs. The major advantage of Estonian e-residency is the potential it holds for greater relations with the European Union. While the primary objective of Estonian e-residency initiative is to attract business and investment to Estonia, it is also likely to facilitate broader access to Europe. Of all the potential benefits and drawbacks to Estonia’s e-resident proposal, this access to EU member countries—and its potential implications for the future of European online identity—will likely be the most significant political, commercial, and legal development.