EU General Data Protection Regulation Self Sovereign Identifiers

The New European General Data Protection Regulation (EC Regulation 2016/679) which aims to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era was given its final approval by European Parliament on the 14th April 2016. The reform also sets minimum standards on use of data for policing and judicial purposes.

The new rules include provisions on: * a right to be forgotten, * the right to object and the right to erasure; * "clear and affirmative consent" to the processing of private data by the person concerned, * the right to inhibit additional processing of data * a right to transfer your data to another service provider, * the right to know when your data has been hacked, * ensuring that privacy policies are explained in clear and understandable language, and * stronger enforcement and fines up to 4% of firms' total worldwide annual turnover, as a deterrent to breaking the rules

But how to actually implement the rights set forth in the GDPR and subsequent legislations and regulations? More generally, how to operationalise the growing international, supranational and national standards aiming at reinforcing individual rights and empowering individuals? To date, individuals have very little means of adjusting to the challenges of big data. In the meantime, their concerns over the use and control of their personal data are likely to be growing while their fundamental rights can be endangered.

Awareness of where and how individuals' data are used is essential. The self-sovereign identifier that is at the core of the project presented in this paper has the potential to implement the requirements set forth in recent legislation, regulations and policies that aim to regulate big data, in particular the GDPR.

This identifier would enable companies, agencies, and other entities collecting individuals' data to comply with the requirements from the GDPR, in particular in relation to the right to portability of data or right to be forgotten. In return, this identifier would help consumers track their data, facilitate their portability, know where their data is used, how it is used and control this use while retaining possession of their data and choosing where to transfer it and under which conditions. With towards the empowerment and protection of individuals, this identifier system would enable individuals to retain control over their linkability and /or correlation across different contexts.

The self-sovereign identifier offers individuals, also known as data subjects, the possibility e.g. by hashing and data watermarking technologies to sign and mark their stream of data. Such identifier system is proposed to be called the ISÆN: Individual perSonal data Auditable addrEss Number. I ndividuals could generate themselves an ISÆN allowing them to retrieve information about the exact localisation and use of their data. This smart navigation can be compared with a GPS for the data.

This innovative and technical proposition for the ISÆN as a new self-sovereign identifier will be accompanied by an innovative mode of governance to build up the legitimacy of the ISÆN amongst all stakeholders, both public and private including companies, governments, civil society advocates and individuals. The proposed CEN Standardisation Workshop will focus on a self-sovereign identifier suitable for personal data ownership and usage control.

Benefits to all stakeholders

For Institutions and Academics: ISÆN is a framework that will ease Data 'A Posteriori' compliance audits as recommended by the European General Data Protection Regulation (GDPR) with an application as early as May 2018. ISÆN acts as a data provider framework towards the National and European Digital ID provider, facilitating the 'Know Your Customer' governance (KYC).
For the Private sector: ISÆN will help businesses to add a new 'Private Data Accountability' dimension in their Sustainability report: economic, environmental, social and private data governance. ISÆN will help businesses leverage Privacy by Design (PbD) as a unique differentiator ISÆN will reduce ambiguity for secondary usage of personal data.
For Citizens: ISÆN provides an answer to Digital Citizens’ main concern 'Where are my Data? Who is Using them?' ISÆN will help them to self-administer their online consents, authorizations, revocation (OptIn/OptOut) and set the roadmap for a Public Smart Contract/Consent on data privacy. ISÆN will help them to minimize the disclosure of their persona’s attributes while complying with most “KYC” requirements.
For All stakeholders: ISAEN will promote the creation of innovative data services and businesses where all the stakeholders transparently monitor the common public governance and share the benefits of the new personal data economy.

This standardisation is open to all stakeholders, an we would like to invite the Web Of Trust Community to join this initiative: http://www.cen.eu/work/areas/ICT/Pages/WS-IS%C3%86N.aspx

The complete Business Plan of this standardisation is available under: https://standards.cen.eu/BP/2136045.pdf

Looking forward to discuss this extensively during the rebooting-the-web-of-trust-fall2016

david.robert@aeternam.eu