Digital identity has ceased to be a simple authentication tool and must be understood as a projection of the person in environments marked by data, profiles, reputations, and inferences. That is the central thesis of the article signed by Lorenzo Cotino, president of the Spanish Data Protection Agency, and published on April 6, 2026, which raises the need to reinforce the legal protection of digital identity against new technological risks.
A right with international basis and recognition in Spain
The analysis places the legal recognition of identity in Article 6 of the Universal Declaration of Human Rights and in Article 16 of the International Covenant on Civil and Political Rights. In the case of minors, it recalls that Article 8 of the Convention on the Rights of the Child protects the right to preserve their identity, including name, nationality, and family relations.
As an international reference, the article cites the judgment of the Inter-American Court in the case of the Yean and Bosico girls against the Dominican Republic, of September 8, 2005, which linked the deprivation of identity with exclusion from access to rights and with situations of discrimination.
In Spain, Article 53 of Law 20/2011 of the Civil Registry recognizes the right to a name and its registration as a basic element of civil identity. Added to this is Organic Law 4/2015, which in its Article 8 recognizes the right of Spaniards to obtain the DNI and in Article 13 regulates the accreditation of the identity of foreigners in Spain.
Electronic identification and new digital wallets
The text also reviews the regulations on electronic identification. Law 39/2015 recognizes in its article 13 the right to obtain and use electronic identification and signature means, regulates electronic identification systems in article 9, and establishes in article 10 the signature means admitted in the administrative procedure.
On the European level, the eIDAS Regulation establishes a complete legal system for electronic identification and obliges Member States to recognize certain means of identification and to allow their use in digital public services.
The revision of that framework and the deployment of the European digital identity wallet open, however, new fronts. The article warns of risks linked to the minimization of shared attributes, the possible traceability of their use, and the correlation or reuse of information. These scenarios, it adds, have been analyzed by both the AEPD and the European Data Protection Supervisor, who warns of risks of linking between credential uses, of over-identification, and of the need to effectively apply data protection by design and by default.
Digital twins, profiling and impersonations
Among the problems associated with digital identity, the article identifies the generation of digital twins capable of replicating a person's behavior, the use of profiling and scoring systems, and the persistence and utilization of digital identities after death.
The text connects these risks with the Charter of Digital Rights of 2021, which in its section II establishes that the right to one's own identity is enforceable in the digital environment. That document recognizes the right to manage one's own identity, its attributes and accreditations, and states that identity cannot be controlled, manipulated or impersonated by third parties against the will of the person. It also recognizes the right to pseudonymity.
In the field of neurotechnologies, section XXVI of that same Charter requires guaranteeing each person's control over their own identity, along with their self-determination and control over data related to their brain processes. The text specifies, however, that the Charter of Digital Rights does not have binding normative value.
The GDPR as a protection framework
Facing those risks, the article places the General Data Protection Regulation as one of the main instruments to address the elements of digital identity, based on the broad concept of personal data and the principles of accuracy, minimization, purpose limitation, integrity, and confidentiality.
Along those lines, it maintains that conduct such as identity usurpation or impersonation in many cases amounts to processing of personal data without a legal basis, which activates the guarantees provided in the GDPR. Among them, it mentions the right of access of Article 15 and the rights of rectification, erasure, objection, and restriction of processing regulated in Articles 16, 17, 21, and 18.
The European regulation also incorporates specific guarantees against automated decisions and profiling when they produce legal effects or significantly affect a person.
The Danish precedent against deepfakes
The article also focuses attention on Denmark, where in 2025 the Government presented, with broad parliamentary support, a draft reform of copyright legislation to respond to deepfakes and hyperrealistic digital imitations generated by artificial intelligence.
That initiative introduces new provisions in Danish law to strengthen protection against non-consensual digital reproductions of a person's appearance, voice, or distinctive features. The model would allow the affected person to demand the removal of the content, the cessation of its use and, where appropriate, compensation for damages. It also provides for enhanced protection for performing artists and maintains traditional exceptions such as parody or satire.
In Spain, this debate is also being addressed within the framework of the reform of the Artist's Statute promoted by the Ministry of Labor and Social Economy. In that process, measures have been proposed to regulate the use of generative artificial intelligence systems in cultural production, with express agreements for certain uses, possible economic compensations, and limits to the substitution of human artistic work.
A line of work open in the AEPD
The text is framed within a broader line of reflection on digital identity and data protection, in connection with other materials disseminated by the Innovation and Technology Division of the AEPD on eIDAS2, the European digital identity wallet and the GDPR during 2025. The underlying idea is that the defense of identity is no longer limited to accrediting who a person is, but also extends to control over how they are represented, profiled, and used in the digital environment.