The IOG team gave a great update earlier across a broad range of topics.
One point that got me a little worried was an update around Atala Prism where they mentioned that DID documents will be stored on the Cardano public blockchain.
My question is if these DIDs will just be for public organisations, or if they will be for individuals too?
If they are for individuals, even if the DID documents contain no personally identifiable information (PII), the DID itself, if identifying a user, could be seen as PII, with correlation concerns and GDPR risk.
Also with a public blockchain there’s no way to adhere to the “right to be forgotten” if you bake PII into a block. This opens up all types of legal issues if a DID of an individual is publicly associated with them and they want it removed.
First of all, I appreciate your interest in our project. Let me try to answer.
The approach we are following is that public organizations need to publish their DID on Cardano. Also, we are evaluating an alternative approach to not do so in some scenarios.
In the case of individuals, the goal is to give them the choice; most of them shouldn’t ever need to get any of their DIDs published on Cardano. So, individuals get a new private DID generated by default when interacting with a new institution.
About KERI, we looked into it some time ago; the plan is to revisit it in the future to see what we can take from it.
I am planning on writing my master’s thesis on SSI and GDPR compliance. Of course it would be awesome to include Atala Prism and the Africa project at such an early stage! However, I am afraid that there’s still insufficient info to do so… The above is something of interest to me and I am wondering what the status is as of now. Maybe someone is able to guide me to some useful publications?