Can a Verifiable Credential-based SSI Implementation meet GDPR Compliance?
Around the world, there is a growing push towards data protection and privacy. In the EU in particular, the General Data Protection Regulation (GDPR) has been a big step forward in this direction.
One of the primary goals of GDPR is to give individuals complete control over their personal data, including with whom and how it is shared. Two important data protection and privacy principles of GDPR are:
- Giving users complete control over the transactional aspects of their digital identity including its monetization
- Free movement of data across the union to enable commerce.
While this may sound simple, in reality it requires a whole new way of storing and managing personal data, and many of the technologies we use today may not be conducive to it because they were created at a time when security and privacy were afterthoughts.
Before going into whether SSI is the answer for GDPR compliance, let’s understand the provisions of GDPR with respect to the data owner’s rights.
Articles 13 to 22 of the GDPR describe the rights of the data subject concerning the collection and sharing of the subject’s data. Let’s look briefly at each of these articles to understand GDPR in the context of data protection.
Please note that under the GDPR, the data subject is the owner of a piece of personal data while a controller is the one using the owner’s data for any purpose.
- Article #13 — When data is collected with the knowledge of the owner, the controller must give information as to how it will be used.
- Article #14 — When data was collected without the subject’s knowledge, the onus is on the controller to provide information to the data subject on how the data will be used.
- Article #15 — The subject has the right to know how the data is being processed and even get access to the same at any time.
- Article #16 — The data subject has the right to rectify inaccurate personal data and has the right to complete any inaccurate piece of information.
- Article #17 — The data subject has the right to erase data and the controller must comply with it.
- Article #18 — The data subject can restrict the controller from processing his or her personal data, provided it is inaccurate, unlawful, and illegitimate.
- Article #19 — The controller has to communicate any rectification or erasure of personal data.
- Article #20 — The data subject has the right to obtain personal data in a structured and machine-readable format and can transfer the same to another controller at any time.
- Article #21 — The data subject has the right to object to the grounds on which his or her data is being processed, especially when it is used for profiling and for marketing based on that profiling.
- Article #22 — The data subject has the right to oppose any decision that’s based on automated processing, including profiling, that can create legal or any significant impacts.
A common theme among all these provisions is to empower the data subject and put him or her in complete control of personal data, including the way it is shared and used.
Now, it’s time to see if self-sovereign identity (SSI) addresses each of these provisions.
SSI is a digital identity philosophy where an entity owns and controls its information completely, including who can see what parts of the personal information and how they are shared. Here’s an interesting article that compares SSI and Federated Identity Management.
There are many ways to implement SSI, and in this article we will look at the general concept of using verifiable credentials (VCs) to implement SSI. At the most basic level, verifiable credentials are tamper-evident credentials that can be verified cryptographically. A verifiable credential has three essential properties:
- It is machine verifiable.
- It is secure and tamper-evident.
- It has been issued by a trusted authority.
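The three properties listed above, as an added example (not code from the original article): a Node.js sketch in which an issuer signs a credential with Ed25519 and a verifier checks issuer trust and integrity. The `did:example:*` identifiers, the field layout and the sorted-key serialization are simplifying assumptions, not the W3C proof format.

```javascript
const crypto = require('node:crypto');

// Deterministic serialization (sorted keys) so issuer and verifier hash identical bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Issuer side: sign the claims together with the issuer identifier.
function issueCredential(issuerId, privateKey, claims) {
  const credential = { issuer: issuerId, credentialSubject: claims };
  const sig = crypto.sign(null, Buffer.from(canonicalize(credential)), privateKey);
  return { ...credential, proof: { signature: sig.toString('base64') } };
}

// Verifier side: (1) is the issuer trusted, (2) does the signature match the content.
function verifyCredential(vc, trustedIssuers) {
  const publicKey = trustedIssuers.get(vc.issuer);
  if (!publicKey) return { ok: false, reason: 'untrusted issuer' };
  if (!vc.proof || typeof vc.proof.signature !== 'string') {
    return { ok: false, reason: 'missing proof' };
  }
  const { proof, ...credential } = vc;
  const valid = crypto.verify(null, Buffer.from(canonicalize(credential)),
    publicKey, Buffer.from(proof.signature, 'base64'));
  return valid ? { ok: true, reason: 'valid' }
               : { ok: false, reason: 'tampered or bad signature' };
}

// Constructed sample data: one trusted issuer, one unknown issuer.
const university = crypto.generateKeyPairSync('ed25519');
const rogue = crypto.generateKeyPairSync('ed25519');
const trustedIssuers = new Map([['did:example:university', university.publicKey]]);

const vc = issueCredential('did:example:university', university.privateKey,
  { id: 'did:example:alice', degree: 'BSc' });
// Holder edits a claim after issuance: the signature no longer matches.
const tampered = { ...vc, credentialSubject: { ...vc.credentialSubject, degree: 'PhD' } };
// Correctly signed, but by an issuer the verifier does not trust.
const forged = issueCredential('did:example:rogue', rogue.privateKey,
  { id: 'did:example:alice', degree: 'PhD' });

for (const [name, c] of Object.entries({ vc, tampered, forged })) {
  console.log(name, verifyCredential(c, trustedIssuers));
}
```

The trust decision lives entirely in the verifier's `trustedIssuers` map; a valid signature from an unknown key proves integrity but not authority.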
Here’s a list of possible VC use-cases.
When you examine an SSI implementation built on VCs, you can think of VCs as the replacements for physical documents, while SSI is the solution or platform that allows a subject to host his or her data and control the way it is shared and handled.
Does SSI meet the GDPR requirements?
Let’s examine how SSI may meet each of the articles from #13 to #22.
- Article #13 — Since the data subject (called the owner/holder) owns and controls the data, he or she can decide with whom to share it and how the data can be used.
- Article #14 — The data holder is the one who shares the information, so there’s no question of collecting any data without the owner’s knowledge.
- Article #15 — Again, the holder shares the data with chosen entities, so the holder is completely aware of how the PII is being processed and where it is used.
- Article #16 — The data holder can reach the issuer to have any corrections made before sharing the credentials with the verifiers.
- Article #20 — VCs are in a machine-readable format, and in the future, may be stored in an individual’s personal wallet for easy sharing.
- Articles #21 and #22 — The data owner can revoke access if the data was used for purposes other than those for which the owner shared it.
By implementing SSI frameworks in their products and services, companies would find it easier to remain in compliance with personal data protection laws such as the GDPR.
The information contained in this article is for general information and educational purposes only. It is not intended to constitute legal or other professional advice.