Data Governance in Data Wallets
We are about to create another cookie problem :cookie: - with Digital Credentials in Data Wallets.
My previous article on Data Wallets discussed what Verifiable Credentials were - and where they fit into regulatory frameworks such as eIDAS in Europe and the proposed Digital Verification Scheme (DVS) in the UK.
Such credentials can contain sensitive personal information, which often requires the verifier to establish a legal basis upon which they can process the data - such as user consent. The W3C Verifiable Credentials Specification recognizes this and supports a termsOfUse entry to precisely describe the permissions (e.g. Service Personalization) for which data may be used, what usage of data within the credential is prohibited (e.g. Marketing) and any obligations that must be met when using the data (e.g. report any 3rd parties this data is shared with). The formal language often used to describe these permissions, prohibitions and obligations is known as the Open Digital Rights Language (ODRL).
However, without the legal infrastructure to recognize the inclusion of this termsOfUse entry as a valid way of creating a legal basis for data processing - such as being a valid way of proving consent - this entry is relegated to merely being a descriptor of the bases for processing that have already been established. How are these bases established? Likely, the mechanism that we know and love - a pop-up consent box, every time you use the credential [1]!
As I discussed in my previous article, the Digital Verification Scheme is proposed within the UK's Data (Use and Access) Bill. The DVS provides a mechanism for the Secretary of State to create a list of certified service providers to provide services related to credential issuance, management and verification.
The Digital Identity and Attributes Framework (DIATF) is a framework that explicitly describes the different types of service providers that can be implemented under the DVS - including technical roles and responsibilities.
If we are specifically talking about the Digital Identity and Attributes Framework (DIATF) in the UK, this legal infrastructure could take the form of a terms of use entry within Verifiable Credentials. Specifically, in the context of DIATF, regulators could state that when a Verifiable Credential is sent from a Holder:
- The Holder is legally obliged to use pre-defined user preferences, or to ask the user directly, for the privacy terms they wish to apply to the data. These would likely be described as a set of permissions, obligations, and prohibitions within an ODRL Rule.
- The service receiving the data is legally obliged to adhere to the stated privacy preferences.
In most cases, the rules would largely enumerate the DPV Purposes for which the user consents to their data being used.
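As an added example (not code from the article, the W3C specification or DIATF), here is how a receiving service could enforce such terms before processing: purposes are denied by default, a prohibition overrides a permission, and obligations are returned with any approval. The sample credential, the "HolderPolicy" type and the dpv: purpose identifiers are constructed assumptions, and only purpose constraints with the eq and isAnyOf operators are evaluated.

```python
# Constructed sample credential (not from the article). "HolderPolicy" and the
# dpv: purpose identifiers are illustrative assumptions.
SAMPLE_CREDENTIAL = {
    "type": ["VerifiableCredential"],
    "termsOfUse": {
        "type": "HolderPolicy",
        "permission": [{"action": "use", "constraint": [
            {"leftOperand": "purpose", "operator": "isAnyOf",
             "rightOperand": ["dpv:ServicePersonalisation"]}]}],
        "prohibition": [{"action": "use", "constraint": [
            {"leftOperand": "purpose", "operator": "eq",
             "rightOperand": "dpv:Marketing"}]}],
        "obligation": [{"action": "inform"}],  # e.g. report third-party sharing
    },
}

def _as_list(value):
    """JSON-LD allows a single value or an array; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _purposes(rule):
    """Purposes satisfying all of the rule's purpose constraints (None if it has none)."""
    named = None
    for c in _as_list(rule.get("constraint")):
        if c.get("leftOperand") != "purpose":
            continue
        if c.get("operator") not in ("eq", "isAnyOf"):
            raise ValueError("unsupported operator: refuse rather than guess")
        allowed = set(_as_list(c.get("rightOperand")))
        named = allowed if named is None else named & allowed
    return named

def _hits(rule, action, purpose, if_unconstrained):
    """True if the rule covers this action and purpose."""
    if action not in _as_list(rule.get("action")):
        return False
    named = _purposes(rule)
    return if_unconstrained if named is None else purpose in named

def evaluate(credential, purpose, action="use"):
    """Return (allowed, obligations): default deny, prohibition beats permission."""
    allowed, duties = False, []
    for policy in _as_list(credential.get("termsOfUse")):
        # A prohibition with no purpose constraint is treated as a blanket ban.
        if any(_hits(r, action, purpose, True) for r in _as_list(policy.get("prohibition"))):
            return False, []
        # A permission must name the purpose explicitly to count.
        if any(_hits(r, action, purpose, False) for r in _as_list(policy.get("permission"))):
            allowed = True
            duties += [a for o in _as_list(policy.get("obligation")) for a in _as_list(o.get("action"))]
    return allowed, duties
```

A credential with no termsOfUse entry yields a denial here, which reflects the assumption that the policy is the only source of a legal basis; a deployment relying on other bases would decide that case separately.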
[1] This is a little exaggerated since data processing for legitimate interests does not require such a flow.