REGULATION ON DIGITAL IDENTITY AND IMPLEMENTATION OF SSI
A version of you exists as a digital identity, and it is worth more than you think. This ID 2.0 is what we are on the web, and for this reason it is always important to know what is being said about us, where and why, both about ourselves and about our organization. Therefore, your personal data needs to be protected and kept out of the hands of those who could manipulate it for their own benefit.
WHAT DO WE UNDERSTAND BY IDENTITY?
International human rights instruments often include the notion of identity in terms of a person’s name, nationality, or reputation, particularly in the case of minors. For the purposes of defining what is meant here by identity, we will use the meaning provided by the World Economic Forum in its 2016 report entitled “A Blueprint for Digital Identity”. Following this definition, identity is not a concept made up of a single element – such as name or nationality; it is a collection of individual attributes that describe an entity and determine the transactions in which that entity can participate.
This way, identity would be given by three types of personality attributes:
1. INHERENT ATTRIBUTES
They are those that are intrinsic to an entity. For an individual, they are mainly unalterable biological characteristics, such as age, height, date of birth, fingerprints. In the case of legal entities, they would be the industry they work in or their business status.
2. ACCUMULATED ATTRIBUTES
They are the characteristics that are obtained or developed throughout life, such as behavior, self-perception and self-definition, and knowledge, among others. These attributes may change multiple times or evolve throughout an entity’s lifespan. E.g.: health records, preferences and behaviors (e.g. telephone metadata), business record, legal record.
3. ASSIGNED ATTRIBUTES
Attributes that are attached to the entity, but are not related to its intrinsic nature. These attributes can change and generally are reflective of relationships that the entity holds with other bodies. E.g.: National identifier number, telephone number, email address, legal jurisdiction, directors.
All of these attributes can be classified as PERSONAL DATA, which means digital identity is governed by the legal regime of data protection applicable to each jurisdiction.
Identity is not something that is presented by itself; it is inserted into a system. Every identity system works with trusted third parties that validate certain attributes of an identity.
Pursuant to Argentine legislation (“Personal Data Protection Law” No. 25,326), personal data is understood as “information of any kind referring to determined or determinable natural or ideal persons”. It also provides a definition of the concept of sensitive data and states that it is “personal data that reveals racial and ethnic origin, political opinions, religious, philosophical or moral convictions, union affiliation and information regarding health or sexual life”. Within this concept, the notion of biometric data can be included, according to Resolution 4/2019 of the Agency for Access to Public Information (AAIP), which defines it as “those personal data obtained from a specific technical treatment, relative to the physical, physiological or behavioral characteristics of a human person, which allow or confirm their unique identification”.
For the purposes of this research, personal data will be understood as all information that allows a human person to be identified or made identifiable.
IDENTITY OWNERS' RIGHTS
Latin American countries have similar regulatory frameworks that grant certain rights to identity holders. Next, we are going to introduce a series of rights to be taken into account when processing personal data.
Habeas data: this is a constitutional right that enables every inhabitant of a certain country to file a judicial action with expedited resolution when their personal data is affected in any way. That person can request the rectification, updating or destruction of the personal data held.
Right of access: gives individuals the right to obtain a copy of their personal data, as well as other supplementary information that the requested entity has under its control.
Right to rectification: this right allows the owner of the data to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. It is normal for this right to be exercised jointly with or after the right of access.
Right to erasure: this right allows the owner of the data to request that certain data be deleted for various reasons, such as that the organization no longer needs the data for the original reason it collected or used it, or that the owner initially consented to the organization using the personal data but has now withdrawn his or her consent.
Right to be forgotten: the right to be forgotten is the right to have private information about a person removed from Internet searches and other directories under some circumstances. It is similar to the right to erasure, but for data that is held on the Internet.
Right of opposition: this right grants the owner of the data the power to request that their data not be processed in a certain way or that a data processing activity be stopped.
Right to portability: this right allows the owner of the data to request a copy of all the data that an entity has so that they cease to be processed by it and begin to be processed for similar purposes by another entity.
Blocking right: this is a power that legal systems give the owner of the data to instruct the data controller to stop processing the data without ordering its elimination, since the data can still be useful to the owner.
Right against automated decisions: this is the right of the owner of the data to prevent them from suffering the legal consequences of a decision made by an entity that is not a human being.
There is no exact definition of what self-sovereign identity (SSI) is yet, but for now we are going to describe what we are referring to when using this term. SSI proposes that individuals or organizations have total control over their identities and over how their personal data is shared and used. It also means that the identity holder can reveal only the data necessary for any given transaction or interaction.
Up to the present time, all identification systems have had the problem of depending on a centralized entity and, consequently, taking the focus off the user. That is why regulations on personal data and ID systems are based on the relationship between user and service provider. This relationship changes in self-sovereign systems and, consequently, leads us to think about how the norm should be interpreted to fit these systems.
Regarding the legal effects that implementing SSI can cause, we could say that the rights of the owners would have strong protection, since entities own and control the data. This also means they can decide whom to share it with and how the data can be used, so in this case there is no question of collecting any data without the owner’s knowledge. Besides, the owner can revoke access if the data was used for a purpose other than the one for which it was shared.
To conclude, the role of owner and holder of the data would be concentrated in a single individual or legal entity, so their personal identity would hardly be compromised by a third party that can cause a violation of personal data rights.