Is Self-Sovereign Identity the ultimate GDPR compliance tool? (3 of 3)

Data subject rights of the GDPR

The GDPR takes a risks-based approach to data protection, outlining certain data subject rights without prescriptively dictating how these principles and rights are given effect. The rights of the data subject are not absolute but conditional, and always balanced against the legitimate interests of other stakeholders — including corporate and organizational data controllers, governments, law enforcement, and (importantly) other data subjects. Several of the substantive rights outlined below — including the rights of access, rectification, restriction of processing, and objection — are subject to override for scientific, historical, or statistical purposes (as further described below). Additionally, these rights must always be assessed in light of the GDPR’s dual purposes, with the free movement of data sometimes prevailing.

Right of information

Per Articles 13 and 14 of the GDPR, individual data subjects have the right to be informed about the collection and use of their personal data. This right is designed to give effect to the lawfulness, fairness, and transparency principle. This means that at the time when personal data is collected from an individual, the individual must be provided with information regarding the identity of the party who is collecting or requesting the data, the purposes for collecting or processing the data, how long the data will be retained, and who the data will be shared with (if anyone). This information must be provided in a concise, transparent, intelligible and easily accessible format, using “clear and plain language.” These requirements do not apply where the data subject already has the information.

When a Proof Request is received by an individual Identity Owner, it contains the details describing the requesting party (i.e. the Verifier) and the data that is being requested. The Identity Owner keeps their own record of this request through their Agent. If a given Verifier has already identified and authenticated itself to the Identity Owner in the process of establishing a pairwise Connection and making a Proof Request, the individual can be said to already have the information, meaning these obligations are automatically fulfilled for a repeat of the same Proof Request. In Sovrin’s implementation of SSI, the Identity Owner has full control over her Credentials and identity attributes. This means that the Identity Owner, as the data subject, will always already have this information, which means the right of information is automatically realized in Sovrin’s implementation of SSI.

Right of access

Per Article 15 of the GDPR, individual data subjects have the right to request and obtain access to their personal data and certain other supplementary information. This right is also designed to give effect to the lawfulness, fairness, and transparency principle. The right of access gives the individual data subject a right to obtain confirmation that their data is being processed, access to their personal data, and other supplementary information that would typically be provided to the individual via a privacy policy per their right to be informed. Upon the request of the data subject, this data must be provided without delay and at the latest within one month of receipt of the request. As a best practice, “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.” Finally, a party who receives a request for access has a duty to use “reasonable means” to verify the identity of the person making the request.

With Sovrin’s pairwise Connections and Microledger technology, each individual Identity Owner will have a record of every data sharing event with every individual or entity they ever interact with. They will therefore be able to prove precisely what they shared, with whom, and when. Not only can the Identity Owner use this information to demand access, but the recipient of a subject access request can use their private Connection (and their private key dedicated to this Connection) to authenticate the identity of a peer making this request. This solves the problems of both an Identity Owner (i.e. data subject) needing access and a Verifier (i.e. data controller) needing to provide it. This private channel can also be used by the Identity Owner to request access to any other personal data generated by the Verifier, or personal data disclosed to or shared with others.

Right to rectification

Per Article 16 of the GDPR, individual data subjects have the right to have inaccurate personal data rectified or incomplete data completed, including by way of supplementary information. This right is designed to give effect to the accuracy principle and to prevent decisions with legal or other significant effects on the data subject from being made on the basis of inaccurate or incomplete information.

As described above, an individual Identity Owner in the Sovrin ecosystem can use the Microledgers generated in the context of each pairwise Connection to prove exactly what information was shared, when it was shared, and with whom it was shared. Moreover, through its respective Agent, either party in a pairwise relationship has a seamless means to request a correction or other modification to their personal data from their peer on the other end of the Connection. Such a request itself becomes a provable event via their shared Microledger, such that if the changes are not implemented the requesting party (who is the subject of a rectification request) can use this proof of sharing and requested rectification to enforce its rights against the peer (acting as the data controller in respect of that data). This mechanism also helps reinforce the accountability principle.

Right to erasure (or the “right to be forgotten”)

Per Article 17 of the GDPR, individual data subjects have the right to have personal data erased under certain circumstances, including where the personal data is no longer necessary for the purpose(s) for which it was originally collected; where the personal data was processed on the basis of consent and the individual withdraws their consent; where the individual objects to continued processing of personal data processed on the basis of legitimate interests and there is no overriding legitimate interest to continue to process it; where the data was processed unlawfully; where required by law; or where the data was processed to offer information society services to a child. This right is also designed to give effect to the accuracy principle and the lawfulness, fairness, and transparency principle.

Just as in the case of rectification, an individual Identity Owner can use the records generated by their Microledgers and pairwise Connections to prove what information they shared, when they shared it, and with whom they shared it to make a request to have certain data erased. Each Identity Owner in a pairwise Connection can use their respective Agent to seamlessly request the erasure of their data by the peer on the other end of the Connection. As with requests for rectification, the request for erasure itself can be a provable event, such that if the erasure is not made, the individual Identity Owner can use this proof of sharing and requested erasure to take action against a peer who continues to hold and process their data unlawfully. Again, this mechanism also helps reinforce the accountability principle.

In respect of the Sovrin Ledger, since no personal data is ever stored on the public ledger, the right to erasure will not apply. And even if any of the data stored on the Sovrin Ledger could ever be deemed to be personal data, there are several misunderstandings about the right to erasure that need to be addressed (and that will be addressed in greater detail in a subsequent post). For purposes of this post, we note that the right is not absolute but requires that one of six conditions are met and at least six broad categories of exemptions apply. Moreover, the GDPR does not define the term “erasure” and the extent to which technical solutions that de-identify or sufficiently anonymize certain data (such that it no longer constitutes personal data under the Regulation) remain a subject of active debate. Finally, the public permissioned nature of the Sovrin Ledger, coupled with its robust trust architecture and governance mechanisms, mean that compliance with the right to erasure is far more achievable than it would be in the context of other ledgers (as in the case of SSI solutions utilizing a public permissionless blockchain).

Right to restrict processing

Per Article 18 of the GDPR, individual data subjects have the right to restrict processing by a data controller where the accuracy of the personal data is contested (while accuracy is under review); the processing is unlawful but the data subject requests restriction rather than its erasure; the controller no longer needs the data for processing but the data is required for the establishment, exercise or defense of legal claims; or where the data subject has objected to processing and the controller is considering whether its legitimate grounds override those of the individual data subject.

As covered extensively in respect of the rights to rectification and erasure, the Sovrin solution — primarily through the use of private pairwise Connections and corresponding shared Microledgers — allows the Identity Owner (who is the subject of certain personal data) to easily and verifiably exert this right over any personal data shared with a Verifier in the context of that pairwise channel. Moreover, in respect of the public ledger, to the extent that no personal data is ever stored on the public ledger, there is no obligation to restrict processing in respect of the Sovrin Ledger.

Right to data portability

Per Article 20 of the GDPR, individual data subjects have the right to view, access and obtain their personal data from one data controller and to reuse or transmit that personal data to another controller for their own purposes. According to the Article 29 Working Party, the right “represents an opportunity to ‘rebalance’ the relationship between data subjects and data controllers, through the affirmation of individuals’ personal rights and personal data concerning them.”

The right applies where three conditions are met:

1. the personal data was provided directly by the data subject to a data controller;
2. the processing was based on the consent of the data subject or the performance of a contract;
3. where processing is carried out by automated means.

The data controller must provide the personal data in a “structured, commonly used and machine-readable format.” Where requested by the individual and technically feasible, the data controller may be required to transmit the data directly to another controller. Finally, data portability and the transfer of personal data thereunder requires that the transferring party take reasonable measures to verify the identity of the receiving party.

At first glance, data portability feels as though it has little to do with the protection of the personal data of a natural person, perhaps apart from a tangential connection to the transparency principle. Rather, this right encapsulates the GDPR’s second objective — namely, to promote commerce and growth by enabling the free movement of data across the EU. Data portability is mutually beneficial for the individual who can more conveniently access and move her data across service providers or organizations with ease, as well as the commercial entity who can more readily absorb and onboard new users and customers. Data portability also fosters competition when individuals are not locked into the products or services of one service provider and can switch providers without many impediments. This is in line with other pro-competition initiatives in the EU such as the Open Banking initiative.

Sovrin’s version of SSI is the ultimate data portability tool. Just as in the physical world, I can take my documents with me from one location to another and present them to verifying or requesting parties as needed, Sovrin enables the same functionality in the digital realm. Because the Identity Owner holds Credentials and other personal data in a portable digital wallet, the Identity Owner is free to use and move these credentials as desired. This in squarely in line with the Article 29 Working Party’s view that primary aim of data portability is enhancing individuals’ control over their personal data and making sure they play an active part in the data ecosystem. Finally, Sovrin offers a strong technical solution in respect of a transferring party’s ability to authenticate the party receiving the data that is subject to a transfer request per the right data portability.

Right to object

Per Article 21 of the GDPR, individual data subjects have the right to object to three kinds of processing:

1. direct marketing;
2. processing based on legitimate interests of the data controller or the performance of a task in the public interest or the exercise of official authority;
3. processing for research or statistical purposes.

The right to object to direct marketing is absolute in the sense that the individual need not demonstrate any grounds for this objection and as soon as the individual objects, the processing must cease. In the case of the other two bases for objecting, the controller must cease processing unless it can demonstrate compelling legitimate grounds which override the interests of the data subject or the processing is for the establishment, exercise or defense of legal claims.

As with the right to restrict processing, Sovrin Connections and Microledgers enable Identity Owners to easily and verifiably exert this right over any personal data shared with a Verifier.

Rights in respect of automated decision-making and profiling

In addition to seven core data subject rights outlined above, the GDPR provides the data subject with additional rights in respect of automated decision-making and profiling. Per Article 22 of the GDPR, individual data subjects have the right “not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

The only exceptions are:

1. where this kind of automated processing or profiling is necessary for entering into or the performance of a contract between the data subject and data controller;
2. the decision-making is authorized by applicable laws that include suitable measures to safeguard the rights of the data subject;
3. the decision-making is based on the data subject’s explicit consent.

Once more, Sovrin Connections enable data subject to easily and verifiably exert this right. While it might appear that Sovrin Agents would themselves be subject to this automated decision-making rule, in fact Sovrin Agents only act on behalf of the data subject and always remain under the control of the data subject. So a Sovrin Agent is never operated under the control of an external data controller that would be subject to this rule.

Summary

We have looked at the rights of individuals under the GDPR and examined how each one is supported by Sovrin’s approach to SSI.

Additonal reading

(Part 1 — Core concepts and key objectives, can be read here)

(Part 2— Key data protection principles, can be read here)

Conclusion

While there are some tensions between SSI and the GDPR, at least in respect of the letter of the law and the structure of the data models they set out, Sovrin’s version of SSI is highly compatible with, and in fact, an effective tool for promoting the spirit and ends of the Regulation. In many ways, the concept of SSI is even more radical than the GDPR in respect of the protection of personal data and, perhaps more importantly, privacy and data portability. We believe that as SSI takes hold, the paradigm shift that it represents will bring new levels of trust to the data ecosystem in a way that simultaneously promotes individual and collective interests. We will continue to explore the applicability and compatibility of the GDPR and Sovrin in future posts, including in the next one about what constitutes personal data and where it is stored in the Sovrin ecosystem. Stay tuned.