Topic L: User requesting data deletion to relying parties and Topic M: User reporting unlawful or suspicious request of data to DPAs

[phin10]

Welcome to the discussion on the topics L and M, as part of the ongoing development of the Architecture and Reference Framework (ARF) for the European Digital Identity (EUDI) Wallet. Topics L and M are discussed in one document:

• Topic L - User requesting data deletion to relying parties
• Topic M - User reporting unlawful or suspicious request of data to DPAs

This discussion is based on the document L+M - Requesting erasure of personal data at a wallet-relying party and lodging a complaint with the competent data protection supervisory authority.

According to Article 5a (a) of Regulation (EU) No 910/2014 a wallet solution shall support common protocols and interfaces for:

• (ix) requesting a relying party to erase the personal data stored at a wallet-relying party pursuant to Article 17 of Regulation (EU) 2016/679 and
• (x) reporting a relying party to the competent national data protection authority where an allegedly unlawful or suspicious request for data is received.

The document refers to the current high Level requirements already in Annex 2 of the ARF Topic 48 and Topic 50. The discussion paper focusses on the current high level Requirements.

This discussion is part of a structured process to refine and complete the ARF, with your input playing a vital role. We invite you to share your comments, insights, and suggestions here. Your contributions will be carefully reviewed and considered as we work towards the next version of the ARF, which will incorporate updates on this topic.

Thank you for participating in this important conversation.

[AEPDmbeltran]

On behalf of the Spanish Data Protection Authority (AEPD)

The attached document contains our comments on this topic.

topicL+M AEPD response.pdf

Thank you very much for this opportunity to contribute to this important discussion.

[phin10]

@AEPDmbeltran, thank you for your input to the discussion on topics L+M. Please find below the response of the @eu-digital-identity-wallet/arf-writers:

AEPD comment: The discussion paper suggests that a Wallet Unit should provide an interface to report suspicious requests from a Relying Party to the DPA of the Member State that provided the Wallet Unit. This approach potentially restricts the right of users under Article 77 of the GDPR interact with a DPA in the Member State of their habitual residence, place of work, or place of the alleged infringement.

Response: Please be informed, that RPT_DPA_01 has been revised to the following text:
“When prompted by the User, a Wallet Unit SHALL provide the contact details of the DPA, which supervises the Relying Party, if available, and SHALL make it easy for the User to send a report of allegedly unlawful or suspicious Relying Party presentation requests to this DPA. If these are not available, the Wallet Unit SHALL provide the contact details of the DPA of the region in which the Wallet Provider is residing. In addition, the Wallet Unit MAY also provide contact details of other DPAs taken from the "European Data Protection Board" website (https://www.edpb.europa.eu/about-edpb/about-edpb/members_en), and allow the User to choose a DPA to continue the reporting process.”

AEPD comment: We find it particularly worrying that reporting suspicious requests may pose an identification threat in use cases where the user requires anonymity. What mechanisms exist to present these reports anonymously from the Wallet Unit? This could be explicited in the HLR RPT_DPA_04.

Response: Please be informed, that the general approach for realizing the reporting mechanism is to use the communication interfaces already provided by the supervisory authorities (see also Note in clause 2). Among the possible communication interfaces are web forms, which do not require any form of identification, or email for example.

AEPD comment: In this regard, it is probably necessary to clarify whether the HLRs under RPT_DPA refer to “lodge a complaint” within the meaning of the GDPR (some DPAs do not allow this to be done anonymously), or to report suspicious behavior, which can be done as a concern or tip-off. This can be always done anonymously.

Response: Please be informed, that the text has been corrected to clarify that only the reporting of a relying party, which issued an allegedly unlawful or suspicious request, is in scope here and not the lodging of a complaint according to Article 77 of (EU) 2016/679.

AEPD comment: The discussion paper states that “According to Article 5a (a) of Regulation (EU) No 910/2014 a wallet solution shall support common protocols and interfaces for (ix) requesting a relying party to erase the personal data stored at a wallet-relying party pursuant to Article 17 of Regulation (EU) 2016/679”. But this is not correct, since, as specified in the HLR DATA_DLT_01 “A Wallet Provider SHALL ensure that its Wallet Units support the technical specifications mentioned in DATA_DLT_02, allowing a User to request from a Relying Party the erasure of their attributes that were presented by that Wallet Unit to that Relying Party”. Therefore, we are not considering the erasure of any personal data but the erasure of attributes that were presented by the Wallet Unit exclusively.

Response: Yes, you are absolutely right. Only the attributes that have been previously presented by the wallet unit are subject to the deletion request. The text has been corrected to reflect this fact accordingly.

[burdges]

As a related question, what can the national DPA even do?

Afaik, there is only one realsitic answer: National DPAs should retain ultimate authority over who could verify their credentials.

In other words, all credential requesters should present a valid certificate chain that goes all the way back to a national DPA, which the user's credential software must always verify, and the user's credential software must already know and have verified a certificate chain from all national DPAs to to national DPA that issued the user's credentials.

I'll give an example:

Ireland might grant Facebook the ability to demand proofs of users' real names. France might disagree that Facebook should be granted real names. It's totally worthless to debate this in the courts, because the French users will all be harmed in the meantime. Instead, there should be a certificate chain from the French DPA all the way to Facebook, so that the French DPA can cut that chain somewhere.

In this example, the French DPA would initially certify the Irish DPA who then certifies the Irish auditor who finally certifies Facebook. The French DPA could then require the Irish DPA revoke that auditor. If the Irish DPA refuses, then the French DPA could cut off the Irish DPA entirely, which certifiate revokation system then propogates. All Ireland based auditors would've their certificates cancelled here.

This resembles where the CA infrastructure evolved towards. Although imperfect, national DPAs holding absolute revokation powers seems like the only scheme that can produce a resonable incentive towards better beahvior. If all national DPAs must trust one another then we'll quickly have a reace to the bottom.

It maybe good if other parties like OS and browser vendors should've cutting right too, like in this example Apple might revoke Ireland too, just to strengthen the French protest. This is a more sublte question.