Attendees

Samuel Smith

Phil Feairheller

Lance Byrd

Zoom meeting March 15 2022

Agenda

  • GDPR Issues with ACDCs
    • Article 17 of the GDPR, in summary, states:

      • Right of Erasure applies IF:

        • The personal data is no longer necessary for the purpose an organization originally collected or processed it.

      • Right of Erasure does not apply IF:
        • The data is being used to comply with a legal ruling or obligation.
    • Performance-of-Contract = Compliance with a Legal Obligation:

      • One of the reasons that an organization collects PII is as part of a transaction (contract) such as a sale. In order to meet legal obligations for book-keeping, clearing, proof of ownership, receipt of sale, etc. associated with such a transaction, the organization may keep a copy of the transaction details. Any transaction between two parties may be viewed as a form of contract, especially if either or both parties incur obligations or exchange value as part of the transaction.

        • A commonly cited example is e-receipts. A company may request and keep an email address as PII in order to send an e-receipt, but may not use the email address for marketing purposes unless specifically authorized.

        • Likewise, if the sale of a product or service comes with a warranty, then keeping PII associated with the warranty may be classified as “performance-of-contract”, which is another way of describing compliance with a legal obligation.

      • Performance-of-contract is not dependent on continued consent during the lifecycle of the contract. In other words, the contract itself is consent to keep the PII and lasts for the length of the lifecycle of the contract, i.e. the PII is needed in order to provide the product or service purchased or requested for the time you are obligated to perform the service or warranty the product. Performance of contract includes credit card chargebacks and refunds.

        “The interesting thing about performance of a contract as a basis for processing data, is that it’s not dependent on continued consent if the use of the data is required for the product or service’s lifecycle (such as subscriptions, warranties or credit card chargebacks).

        You still can’t use this data for any other purpose. But it’s much easier to prove you’re providing a good or service than proving that you have consent or dealing with consent withdrawals.”


    • Right-of-Erasure Paradox:


      • A request to erase includes PII. Keeping the right-of-erasure request therefore means keeping the PII, but without the PII in the request there is no way to ensure that erasure persists: a new copy of the erased data may be added without knowing that it was erased.
      • The legal obligation to comply with a right-of-erasure request should be reason enough to keep the request, including the PII necessary to ensure performance of contract, and not erase it. Only the PII not directly related to the right of erasure transaction may be kept. The performance of contract in this case is the erasure of PII. The service you have requested (erasure of PII) can't be provided unless I have enough PII to ensure that I have correctly erased the PII you have requested. If the request for erasure is indefinite (i.e. erased for all time), then the lifecycle of the erasure-request contract is also indefinite. This could therefore mean that a cryptographic digest of the PII being erased could be maintained indefinitely as performance of contract, to ensure that the exact PII is never un-erased, because checking any new data stored against the digest would detect a match. Without the digest there is no way to ensure performance of contract.


  • Draft Specification HackMD Review
  • Revised labels and sections due to selective disclosure mechanisms and better clarity on schema as type.
    • Composed schema
    • Robert Mitwicki comment: We must include in the specification a prohibition of using schema references in ACDC JSON Schema (links to external websites).
  • Chain link confidentiality exchange
    • Offer with verifiable metadata with terms. Partial disclosure
      • verify with Composed Schema
    • Accept terms
    • Full Disclosure
      • verify with decomposed schema
  • Exploitation Model as the basis for selective disclosure
    • first party (discloser)
    • second party (disclosee)
      • implicit permissioned correlation
      • explicit permissioned correlation
      • malicious (explicit unpermissioned correlation)
    • third party (observer)
      • implicit permissioned correlation
      • explicit unpermissioned correlation via collusion
  • Note:  Meeting went for 2 hours and was fully recorded.  If you were only able to attend the first hour make sure to watch the second hour.  We covered the spec in detail in the second hour.
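The erasure register sketched in the Right-of-Erasure Paradox item above, as an added example that is not part of these notes or of the ACDC specification. It keeps only a keyed digest (HMAC-SHA-256) of each erased record and refuses to re-admit a record whose digest is already registered. The keyed digest, the fixed demo key, the canonical-JSON serialization and the sample customer records are all assumptions of the example; a keyed digest was chosen so that the retained value alone cannot be reversed by guessing low-entropy PII such as an email address.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). The register is only as durable as this key:
# it must be retained for the same indefinite lifecycle as the digests it protects.
REGISTER_KEY = b"constructed-demo-register-key-0001"


def canonical(record: dict) -> bytes:
    """Serialize a PII record deterministically so the same data always
    yields the same digest regardless of key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def erasure_digest(record: dict, key: bytes = REGISTER_KEY) -> str:
    """Keyed digest of the PII. Only this value survives erasure; without the
    key, an observer holding the digest cannot confirm guesses about the PII."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class ErasureRegister:
    """Retains digests of erased records so the exact same PII cannot be
    silently re-stored later (the 'un-erasure' the notes describe)."""

    def __init__(self) -> None:
        self._erased: set[str] = set()

    def erase(self, store: dict, subject_id: str) -> str:
        """Remove the record from the live store and register its digest."""
        record = store.pop(subject_id)
        digest = erasure_digest(record)
        self._erased.add(digest)
        return digest

    def is_erased(self, record: dict) -> bool:
        """True if this exact record was previously erased."""
        return erasure_digest(record) in self._erased

    def admit(self, store: dict, subject_id: str, record: dict) -> bool:
        """Gate every write to the store through the register.
        Returns False (and stores nothing) when the data was erased before."""
        if self.is_erased(record):
            return False
        store[subject_id] = record
        return True


def demo() -> dict:
    """Walk through erase -> attempted re-ingest -> unrelated ingest.
    Sample records are constructed for the example."""
    store = {"cust-1": {"email": "alice@example.com", "name": "Alice"}}
    register = ErasureRegister()
    digest = register.erase(store, "cust-1")
    # Same PII, different key order: still rejected because canonical() normalizes it.
    readmitted = register.admit(store, "cust-9", {"name": "Alice", "email": "alice@example.com"})
    other = register.admit(store, "cust-2", {"email": "bob@example.com", "name": "Bob"})
    return {"digest": digest, "readmitted": readmitted, "other_admitted": other, "store": store}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register holds no PII, only the keyed digests, which is the performance-of-contract position argued in the notes: the digest is exactly the data needed to keep performing the erasure and nothing more. Because the digest is over the whole canonical record, a record that differs in any field is treated as new data; a deployment that wants to block re-ingestion of a single identifier would register a digest of that field alone.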
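The chain-link confidentiality exchange listed in the agenda above (offer with partial disclosure checked against the composed schema, acceptance of terms, full disclosure checked against the decomposed schema), as an added example that is not from these notes or from the ACDC draft. It uses a SHA-256 digest over canonical JSON as a stand-in for the SAID commitment, a hand-written checker for the few JSON Schema keywords involved, the field labels `a` (attributes) and `r` (rules/terms), and constructed attribute and term values; all of these are assumptions of the example.

```python
import hashlib
import json


def digest(block) -> str:
    """Commitment digest: SHA-256 over canonical JSON. Stand-in for a SAID
    (assumption: real SAIDs are CESR-encoded self-addressing identifiers)."""
    data = json.dumps(block, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def conforms(value, schema: dict) -> bool:
    """Minimal checker for the keywords used below: type, required, properties, oneOf.
    Not a full JSON Schema implementation (assumption of the example)."""
    if "oneOf" in schema:
        # Exactly one alternative must match, as JSON Schema's oneOf requires.
        return sum(conforms(value, alt) for alt in schema["oneOf"]) == 1
    kind = schema.get("type")
    if kind == "string":
        return isinstance(value, str)
    if kind == "object":
        if not isinstance(value, dict):
            return False
        if any(key not in value for key in schema.get("required", [])):
            return False
        props = schema.get("properties", {})
        return all(conforms(value[k], props[k]) for k in props if k in value)
    return True


# Attribute block the disclosee eventually needs to see (constructed shape).
ATTRIBUTE_BLOCK = {"type": "object", "required": ["i", "email"]}

# Composed schema: 'a' may be EITHER the commitment digest OR the full block,
# so it validates the partially disclosed offer.
COMPOSED = {
    "type": "object",
    "required": ["a", "r"],
    "properties": {"a": {"oneOf": [{"type": "string"}, ATTRIBUTE_BLOCK]}, "r": {"type": "object"}},
}

# Decomposed schema: 'a' MUST be the full block, so it only validates full disclosure.
DECOMPOSED = {
    "type": "object",
    "required": ["a", "r"],
    "properties": {"a": ATTRIBUTE_BLOCK, "r": {"type": "object"}},
}


def make_offer(attributes: dict, terms: dict) -> dict:
    """Step 1 (discloser): metadata and terms in the clear, attributes only as a commitment."""
    return {"a": digest(attributes), "r": terms}


def verify_offer(offer: dict) -> bool:
    """Step 1 (disclosee): check the offer against the composed schema before agreeing."""
    return conforms(offer, COMPOSED)


def accept(offer: dict) -> str:
    """Step 2 (disclosee): acceptance bound to this exact offer, terms included."""
    return digest(offer)


def full_disclosure(attributes: dict, terms: dict) -> dict:
    """Step 3 (discloser): reveal the attribute block under the accepted terms."""
    return {"a": attributes, "r": terms}


def verify_full(offer: dict, full: dict) -> bool:
    """Step 3 (disclosee): decomposed schema must hold, the revealed block must match
    the earlier commitment, and the terms must be the ones that were accepted."""
    return conforms(full, DECOMPOSED) and digest(full["a"]) == offer["a"] and full["r"] == offer["r"]


if __name__ == "__main__":
    # Constructed sample values for the example.
    attrs = {"i": "EXAMPLE_HOLDER_AID", "email": "alice@example.com"}
    terms = {"usage": "verification only", "onward_disclosure": False}
    offer = make_offer(attrs, terms)
    print("offer valid (composed):", verify_offer(offer))
    print("accepted:", accept(offer))
    print("full valid (decomposed):", verify_full(offer, full_disclosure(attrs, terms)))
```

The commitment in the offer is what makes the exchange chain-linked: the disclosee agrees to terms for a specific, not-yet-seen attribute block, and the later full disclosure is accepted only if it is that block under those terms. Substituting different attributes or different terms after acceptance fails `verify_full`.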