2021 was the record year for sanctions and formal notices issued by the CNIL for non-compliance with the General Data Protection Regulation (GDPR). From Amazon to Google to Facebook, many digital players have to undertake heavy compliance procedures to adapt to European standards.
At the heart of the transition from Web 2.0 to Web 3.0 is the issue of personal data management, a key issue for the large platforms that have developed their activities through the monetisation of such data. With the development of blockchain technology and the growing popularity of the Self-Sovereign Identity (SSI) approach, the question of the compatibility of SSI with GDPR arises.
Let's take a look at the founding principles of Self-Sovereign Identity, as outlined by Christopher Allen, a specialist in the field, and see if they are indeed aligned with the objectives of GDPR.
A reminder of what Self-Sovereign Identity is
As we discussed in a recent article, Self-Sovereign Identity refers to the approach where an individual should be able to control their identity from end to end and be able to revoke a third-party organisation's access to their personal data at any time.
This definition is simple and intuitive: one should not have to share more information than necessary to access a service.
However, the opposite is true in both the physical and virtual worlds:
- In the "real world", if you want to rent a car from a car rental company, all you have to do is present your driving licence, which proves that you are able to drive... However, by presenting your driving licence, the car rental company can also find out your age, since your date of birth is shown on it.
- In the virtual world, when you create an account on a social network, you have to provide an email address, then create a username and password... but you also have to accept the terms and conditions of use that allow the platforms to use your browsing data, the content of the messages you send and the publications you interact with to present you with advertising content.
With Self-Sovereign Identity, since you control your identity, you manage who has access to your personal data and, more importantly, what personal data you agree to disclose.
What applications for Self-Sovereign Identity?
What would the life experiences seen above look like, such as renting a car or creating an account on a social network? To understand the diagram below, it is worth recalling the following roles:
- The Issuer refers to the actor who electronically signs the certificates and delivers them to the holder. This may be the State, since it is the State that issues the certified identity documents.
- The User is the person who holds an identity and who initiates a request for access to a service. In the SSI approach, all relationships are established with the user at the centre.
- The Verifier is the actor who verifies the authenticity of the user's credentials for accessing a service.
So this is what the life experiences we have seen above would look like:
1. The Issuer issues the credential to the user - a driving licence or ID card, for example - and anchors the user's attributes in an evidence register.
2. The User stores the credential and its associated attributes in his digital wallet.
3. The User wishes to access a service without having to disclose more information than necessary (whether it is to create an account on a social network or to rent a car). With his wallet, the User presents the attributes that the Verifier needs and nothing more. For the car rental company, it is simply a matter of proving that the person has the capacity and authorisation to drive. For the social network, it is simply a matter of proving that the person exists. The User therefore presents proof of eligibility to access the service offered by the Verifier.
4. The Verifier will check the authenticity of the data provided by the user in the evidence register.
As we can see, the Self-Sovereign Identity approach is a small revolution since it allows an individual to access any service without disclosing more information than necessary. Other use cases are envisaged and promise to transform our relationship with health, the banking world or public institutions (we mention some of them in our white paper on decentralised identity).
This is made possible by the principle of selective disclosure - I only disclose what a company needs to give me access to a service - and by the Zero-Knowledge Proof, which makes it possible to confirm a piece of data without disclosing it (for example, proving that I am 18 without disclosing my date of birth).
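The four-step flow and the selective-disclosure principle above, as an added Python example (not Archipels' code). It assumes the Issuer anchors one salted SHA-256 digest per attribute and models the evidence register as an in-memory dict; the function names and the sample licence are constructed for illustration, and no zero-knowledge proof is involved.

```python
import hashlib
import json
import secrets

# Evidence register (assumed shape): credential id -> set of attribute digests.
REGISTER = {}


def commit(name, value, salt):
    """Salted SHA-256 commitment to a single attribute."""
    payload = json.dumps([salt, name, value], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def issue(credential_id, attributes):
    """Issuer: salt each attribute, anchor only the digests, return the wallet copy."""
    wallet = {n: (v, secrets.token_hex(16)) for n, v in attributes.items()}
    REGISTER[credential_id] = frozenset(
        commit(n, v, salt) for n, (v, salt) in wallet.items()
    )
    return wallet


def present(credential_id, wallet, requested):
    """User: disclose only the requested attributes, each with its salt."""
    disclosed = {n: list(wallet[n]) for n in requested}
    return {"credential_id": credential_id, "disclosed": disclosed}


def verify(presentation, required):
    """Verifier: each required attribute must be disclosed and anchored."""
    anchored = REGISTER.get(presentation["credential_id"], frozenset())
    disclosed = presentation["disclosed"]
    if not set(required) <= set(disclosed):
        return False
    return all(
        commit(n, v, salt) in anchored for n, (v, salt) in disclosed.items()
    )


# Constructed sample: a driving licence shown to a car rental company.
LICENCE = {"can_drive": True, "date_of_birth": "1990-04-12", "name": "A. Example"}
wallet = issue("licence-001", LICENCE)
proof = present("licence-001", wallet, ["can_drive"])
print(verify(proof, ["can_drive"]), sorted(proof["disclosed"]))
```

The per-attribute salt matters because values such as a date of birth are low-entropy: an unsalted digest in a shared register could be recovered by hashing every possible date.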
We will explore these two concepts in more detail in a future blog post.
With the basics in place, let's now look at how Self-Sovereign Identity can be compatible with GDPR.
How is Self-Sovereign Identity compatible with GDPR?
Christopher Allen, an entrepreneur committed to personal data sovereignty issues, outlined the 10 core principles of Self-Sovereign Identity in a blog post that continues to be a reference. Although there are many ways to apply SSI, compliance with these rules can be considered a sine qua non for a truly self-sovereign approach to identity.
Let's look in detail at GDPR articles and identify the parts that apply to these principles.
- Existence: users must have an independent existence | the GDPR "establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data." (Article 2)
- Control: users must control their identity | "Individuals should have control over their personal data." (Recital 7)
- Access: users must have access to their own data | "The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where such data are processed, access to such data" (Article 15)
- Transparency: systems and algorithms must be transparent | "Personal data must be processed lawfully, fairly and transparently in relation to the data subject (lawfulness, fairness, transparency)" (Article 5a)
- Persistence: identities must have a long life while respecting the right to deletion | "Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed" (Article 5e)
- Portability: identity-related information and services must be made available in a portable form | "Data subjects shall have the right to receive the personal data relating to them which they have supplied to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller" (Article 20)
- Interoperability: Identities should be as widely usable as possible | "To further strengthen their control over their own data, data subjects should also have the right (...) to receive their personal data (...) in a structured, commonly used, machine-readable and interoperable format and to have it transmitted to another controller."
- Consent: Users must consent to the use of their identity | "Processing shall be lawful only if and insofar as (...) the data subject has consented to the processing of his personal data for one or more specific purposes" (Article 5a)
- Minimisation: Disclosure of requests must be kept to a minimum | "Personal data must be adequate, relevant and restricted to what is necessary for the purposes for which they are processed (data minimisation)" (Article 5c)
- Protection: Users' rights must be protected and take precedence over the needs of the network.
Here is a short summary table.
Towards web3 with SSI
With the transition to the web 3.0 ecosystem, the development of distributed registries (blockchain technology) and the regulatory environment that is forcing digital players to favour privacy by design, the SSI approach will become the new standard, whether for entering into customer relations, managing digital identities or ensuring compliance of administrative processes in companies and institutions.
This is why it is essential for companies to address the issue of personal data management and to explore SSI solutions, whether it is to comply with GDPR or to simplify the relationship.
Contact us to find out how Archipels can assist you with SSI issues.