Is Self-Sovereign Identity the ultimate GDPR compliance tool? (2 of 3)

In Part 1 of this 3-part series, we introduced the core concepts of self-sovereign identity (SSI) and the specific example of Sovrin, a global public utility for self-sovereign identity. We then provided an overview of the General Data Protection Regulation (GDPR) and discussed the compatibility between its key objectives and those of SSI.

In Part 2, we first examine how the Sovrin approach to SSI advances the core data protection principles set out in Article 5 of the Regulation, and secondly, how Sovrin meets the privacy by design and default requirements of Article 25.

In Part 3, the final part in this series, we look at the rights of individuals under the GDPR and examine how each one is supported by Sovrin’s approach to SSI.


GDPR core data protection principles

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

The first core data protection principle is the lawfulness, fairness and transparency principle, which requires the data controller to have a lawful basis for processing personal data and to openly and honestly communicate this purpose to the data subject. Article 6 of the GDPR sets out six lawful bases for the processing of personal data, the first of which is consent. In some respects, consent appears to be the ultimate or “purest” basis for processing. However, it is hard to achieve in practice as the GDPR sets an extremely high standard for what constitutes valid consent of the data subject.

“Consent” is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Additionally, the data subject has the right to withdraw this consent at any time and must be notified of this right at the time that consent is obtained. Finally, the data controller must be able to provethat this level of consent was obtained.

In sum, under the high standard set out in the GDPR, valid consent must be:

  1. freely given;
  2. obtained through an affirmative act of the data subject;
  3. revocable; and
  4. provable.

In the Sovrin model, nearly all transactions in personal data (and data in general) rely on consent as the lawful basis for processing because nearly all sharing and use of data is directly authorized by the Identity Owner. The Identity Owner has full information about, access to, and other substantive rights in respect of the personal data that is being collected and processed. The Identity Owner also has full data portability and a greater ability to switch Agents or Wallet providers, which results in more bargaining power, increasingly the likelihood that the Identity Owner’s consent would be deemed to be freely given. The Identity Owner expresses this consent through an affirmative act by accepting a Proof Request from a Verifier. Finally, because the Identity Owner’s Agent tracks all such acceptances, the Identity Owner can easily later revoke access to the shared Credential or Claim.

Because both the Identity Owner and the Verifier both maintain a log of these digitally signed transactions on their respective copies of the Microledger they share, either can provide proof of these consents to any auditor. In sum, the fact that the individual Identity Owner controls the sharing of her personal data, coupled with a technical infrastructure that provides consent receipts for that sharing, enables new levels of transparency never seen before. This transparency can be further enhanced where a digitally signed Proof Request or Credential itself includes an attestation that the Identity Owner or Verifier is operating under the rules of a particular Trust Framework.

Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.

The purpose limitation principle means that personal data collected for one purpose should not be used or repurposed for a new, incompatible purpose. It is closely related to the lawfulness, fairness, and transparency principle and is designed to minimize correlation risks to the individual data subject and to prevent data controllers and processors from exceeding the limits of lawful processing of personal data. Under the EU data protection framework, a party who is not necessarily a data controller can become one by exceeding the scope of processing that it has been authorized to undertake (at which point it can incur controller-level liabilities under the Regulation — more on liability here). Thus, it is in the interest of processors to comply with the purpose limitation principle by not exceeding their authorized scope of processing.

In the context of Sovrin, a Proof Request can show the purpose(s) for which data is being requested. A Verifier can delete this data once it has executed whatever transaction it was needed for, and then can simply request it again if and when it’s needed. The Verifier can, if necessary, make multiple requests with different purposes, each time making those purposes fully transparent to the Identity Owner who is the subject of the Proof Request. Through the use of a Sovrin Agent, an individual can vet the scope of a Proof Request and its purpose(s) against pre-defined consent parameters to more efficiently determine whether the data is being requested for a purpose that is “specific, explicit and legitimate.” In this way, the Agent acts like an intelligent browser and the individual can implement mechanisms akin to browser settings that help enforce the parameters of data sharing about herself (this is also forward-looking towards compliance with the forthcoming e-Privacy Regulation).

Personal data must be adequate, relevant and limited to that which is necessary in relation to the purposes for which it is being processed.

The data minimization principle has multiple dimensions to it, including in respect of limiting the personal data that is collected, processed, and stored. In terms of collection and processing, the same features of Sovrin that give effect to the purpose limitation principle (as outlined above) assist in achieving data minimization. Collection is limited by the Identity Owner’s control over the sharing of her data and technical methods that minimize the amount of data that is shared to achieve a given purpose, thereby minimizing the data that is collected and ultimately processed. In Sovrin’s model, the Identity Owner decides precisely which, if any, identity attributes it wants to disclose in the form of the Proofs it produces about the Credentials and Claims in her Wallet.

For example, in determining whether an individual is old enough to purchase alcohol, the individual need only “prove” to a Verifier that she is over or under a certain age, without having to reveal her date of birth, height, home address, eye color, or donor status, among other irrelevant data that may be included on a driver’s license or similar identity card. In fact, zero knowledge proofs (“ZKPs”) allow the Identity Owner to exercise SSI and access services without ever sharing or disclosing any personal data at all, making ZKPs the ultimate data minimization tool.

Sovrin is also specifically designed to minimize the storage of personal data. Despite concerns about the incompatibility of blockchain with GDPR over data storage implications, Sovrin solves this problem by not storing personal data “on-chain” (i.e. on the public Sovrin Ledger). Rather, all personal data — including Credentials and Claims — live off the ledger in the Wallets and Agents under the Identity Owner’s control. Furthermore, all transactions of this data take place off-ledger in the Agency Layer.

In fact, the only information that is ever stored on the public Sovrin Ledger (i.e. Public DIDs, Schema, Credential Definitions, and Revocation Registries, as outlined above) does not pertain to individuals, which means it is outside the scope of the GDPR as the Regulation only applies to “natural persons” and not entities or things.

Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

The accuracy principle means that data controllers are responsible for taking reasonable steps to ensure that the personal data they hold and process is kept accurate and up to date. The accuracy principle is designed to prevent decisions that have legal or other significant effects on data subjects from being taken on the basis of incomplete or inaccurate information, and is closely related to the lawfulness, fairness and transparency principle. The accuracy principle is also the basis for several of the data subject’s substantive rights, including the rights of access, rectification, and erasure.

The distributed ledger technology that underpins Sovrin’s approach to SSI allows for constant updating and pruning of the public digital record and allows a Verifier to ascertain the status or validity of a Credential or Claim in near-real time by referencing Revocation Registries housed on the Sovrin Ledger. As described above, these Revocation Registries use an advanced privacy-respecting “subset” technology to determine whether a Credential is (or is not) within the set of revoked Credentials at any given point in time.

Moreover, if data about a data subject changes (e.g. as with a change of address), the Issuer can simply issue a new Credential to the data subject using their already-established secure, private, and unique pairwise Connection. And since every exchange of a Credential between the data subject and a Verifier is digitally signed by the data subject, both parties have an auditable record of the accuracy of the data.

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is being processed.

The storage limitation principle is closely related to the purpose limitation and data minimization principles and is designed to prevent unlawful and unauthorized processing and to limit the data security risks posed by the long-term storage and retention of personal data. It is also related to the accuracy principle and the right to be forgotten in so far it is aimed at preventing decisions taken and legal effects for data subjects on the basis of inferences that may be drawn from stale data. Moreover, in the event of a request to be forgotten per the data subject’s right to erasure, the acceptable data retention period for a controller or processor may be further shortened from what would ordinarily be a lawful period of time. The exception is for data retained and processed for “historical, statistical or scientific purposes,” in which case the public interest may override the data subject’s interests.

Sovrin enables new data retention strategies that move from a traditional “data management” approach to a “data access” approach where you only use the precise data that you need when you need it, then delete it. You can then repeat if and when necessary. On the whole, this minimizes long-term storage requirements, presents a much lower organizational risk to processors and facilitates compliance more effectively than the data management approach. Upon receipt of some personal data, the Verifier can execute the transaction they need to carry out and then simply delete the data if it is not needed it anymore. All they need to retain is the DID for the Identity Owner. If the data is needed again, it can be requested again using the secure, private and mutually authenticated Connection with the data subject via their DID.

Finally, because the vast majority of data exchanges in Sovrin happen in the Agency Layer in the context of private encrypted pairwise channels, the storage limitation principle is somewhat self-enforcing. Unique DIDs are created when a pairwise Connection is made and only utilized for purposes of that Connection. When the Connection is terminated (by either party), so does the storage of information in the context of that pairwise relationship.

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The integrity and confidentiality principle is fundamentally concerned with data security and the security of processing. It is, in many ways, a threshold principle based on the philosophy that data protection cannot exist without data security. The obligation attaches to all processing, whether by a controller or processor and applies to both external (e.g. hacks) and internal (e.g. employees) security threats. One key technical or organizational measure for data security that is encouraged by the GDPR is pseudonymization, defined as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” In other words, minimize correlation risks to the individual in order to mitigate the impact of a potential security breach.

The Sovrin approach promotes the integrity and confidentiality principle by minimizing the frequency and amount of data exchanged in the first place. As demonstrated in reference to the purpose limitation, data minimization and storage limitation principles above, Sovrin has made technical and policy decisions to minimize the amount of data that is shared, collected, processed and stored, including through the use of Zero Knowledge Proofs, microledgers, and private DIDs. Moreover, pseudonymization is a pillar of the Sovrin approach. All peer-to-peer communications and Credentials exchanged via Agent-to-Agent messaging are end-to-end encrypted. This means the data is not only encrypted in transit, such as it would be with HTTPS transport-layer encryption, but that the transmitted data is also encrypted at rest after receipt by the Verifier, and can only be decrypted by a person or process at the Verifier that has access to theVerifier’s private key.

In respect of the public ledger, Sovrin has implemented a public permissioned model, whereby anyone can access the ledger (in terms of reading/writing to it) but only those with permission (e.g. Stewards) can run a node and participate in the consensus protocol to validate the record. This means that there is a level of governance that you could not have with a public permissionless ledger. The Sovrin Foundation implements this governance through a public trust framework that includes both security and privacy policies and practices that must be implemented by all Stewards to ensure the security and integrity of the Sovrin public ledger.

The controller shall be responsible for and be able to demonstrate compliance with the GDPR principles.

The accountability principle is closely related to the lawfulness, fairness and transparency principle and requires, at its core, an effective means to demonstrate and audit compliance with the Regulation. Data controllers are primarily responsible for compliance with the data protection requirements and obligations under the GDPR. Therefore, in order to determine the degree to which the accountability principle is given effect, we have to evaluate compliance and the auditability of that compliance, in light of who the controller is in any given data transaction.

The Sovrin approach to SSI promotes accountability through its BLT Sandwich approach to governance. Because there are technical, legal, and commercial policies and design principles that build in automatic compliance with the rights of information and access, there are levels of lawfulness, fairness and transparency that were previously unattainable. At a technical level, the formation of private pairwise channels of communication, the mutual authentication that happens through Connections, and an automatic, digitally signed, auditable record of each transaction taking place on microledger provides an unprecedented level of accountability.

The use of a the Sovrin public distributed ledger allows for a fully transparent and auditable record of the public events that transpire in the Sovrin ecosystem. More importantly, in Sovrin, Trust Frameworks include legal and commercial policies that reinforce the accountability achieved by technical design decisions and introduce additional mechanisms for governance and accountability. Finally, because accountability attaches to the controller (usually the Verifier in a Sovrin-style exchange of Credentials), there are strong incentives for corporations and organizations acting as Verifiers to adopt the Sovrin solution as a means to demonstrate compliance.

Privacy by design & default

In addition to the seven core principles outlined above, the GDPR imposes a general obligation to implement technical and organizational measures that give effect to all of these principles of data protection in an integrated fashion, an approach known as privacy by design and default. Rather than the conventional approach that companies have taken — where privacy and data protection were treated as afterthoughts left to compliance departments — privacy by design and default asks organizations to consider privacy and data protection from the start and build them in as key features of their products and services (this requires a degree of legal engineering of product offerings).

Sovrin as a global public utility for SSI was custom-built from the very outset with a privacy by design and default approach. A number of key features and design decisions illustrate this well — namely:

  1. the use of pairwise pseudonymous DIDs (the DID specifications themselves were designed and built to encompass certain privacy by design and privacy by default principles);
  2. pushing personal data and private key management to the edges of the network (including through the use of Microledgers and Agents)
  3. the use of zero knowledge and ZKPs
  4. robust governance mechanisms, including the use of a permissioned ledger and various Trust Frameworks.

Summary

We have seen how each of the core data protection principles in the GDPR map onto SSI infrastructure as implemented by Sovrin.

Continue reading

Part 3 — Data subject rights. We’ll look at the rights of individuals under the GDPR and examine how each one is supported by Sovrin.

(Part 1 — Core concepts and key objectives, can be read here)