Potential GDPR misstatement? #42
Comments
I'm not very familiar with GDPR, and was wondering if this is true under the regulation:

Since the DID Document is likely being stored on a cloud agent, would this be considered a third-party data processor? Also, does it make a difference that the counterparty has a copy of the DID Document, which contains a DID and other associated metadata? Are we certain that all data that is supposed to go within the DID Document is not considered PII?

The cloud agent would belong to one of the two parties in the relationship, not to a third party. Any other agents that ever hold the DID doc would do so only in the same way that an encrypted pipe does, as some opaque bytes that they can't understand. So I do think the spirit of this comment is in the right ballpark. However, you make a good point that maybe this verbiage is a bit too glib. I'm going to update the verbiage to say that "concerns about personal data and privacy regulations are greatly reduced" instead of "there is no concern." Would that be enough to resolve this issue, or do you think we should do more research or more wordsmithing? (I will make this first change regardless.)

Signed-off-by: Daniel Hardman <[email protected]>

I think this new verbiage is good. I think we should also double check that our interpretation is correct. Right now we interpret a cloud agent to be within an entity's domain; however, because the device is co-controlled (one controller is the entity represented by the domain, and the entity that controls the agency is the second), we may need to consider the implications for the agency controller. I feel like the idea of a custodial wallet aligns somewhat well with a cloud agent if you squint at it right. However, I'm not sure how custodial wallets are treated under GDPR, and when I first read it I assumed that we may be making an overstatement. With the current verbiage we at least acknowledge the risk and place the burden of due diligence on the reader/implementer.

Some background info from my research: https://www.itgovernance.eu/blog/en/does-the-gdpr-apply-to-me The net is that GDPR doesn't apply to individuals that are not engaged in economic activity with respect to a relationship. This means that between Alice and Bob acting as private individuals not buying or selling with one another, we can take the GDPR worry off the table. Of course, that's only a subset of peer DID usage. Any private individual or any business, no matter how small, that is engaged in economic activity with an EU citizen is subject to GDPR in that context, it looks like. So this leaves us with the question of whether/how much we should teach/say anything more about GDPR issues in the spec.

I think we can close this ticket insofar as it relates to the original issue; we've done some research and clarified the verbiage in the spec. However, I've opened a related issue in the spec's new repo home to track the need for GDPR guidance in the case where the receiver of the peer DID is an org. See decentralized-identity/peer-did-method-spec#15.