Sovrin Foundation announces 30-day public review for data protection regulation revisions to the Sovrin Governance Framework

August 28, 2019

By Drummond Reed, Chair of the Sovrin Governance Framework Working Group

The second generation of the Sovrin Governance Framework (SGF V2) was approved by the Sovrin Board of Trustees on March 27, 2019. This established a new baseline set of legal agreements for participants in Sovrin Infrastructure. Once this baseline was established, the Sovrin Governance Framework Working Group (SGFWG) and Global Policy Working Group (GPWG) together with Sovrin Stewards and Sovrin Foundation counsel began the process of determining what further changes would be needed to enable compliance with data protection regulations such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Province of British Columbia Freedom of Information and Protection of Privacy Act (FOIPPA).

The outcome of this process is the following set of new and revised Controlled Documents of the SGF that we are now publishing for public review.

New Controlled Documents

  1. Sovrin Steward Data Processing Addendum (DPA)
  2. Sovrin Steward Technical and Organizational Measures (TOMs)
  3. Sovrin Transaction Endorser DPA
  4. Sovrin Transaction Endorser TOMs

Revised Controlled Documents

  1. Sovrin Transaction Endorser Agreement
  2. Sovrin Transaction Author Agreement
  3. Sovrin Ledger Access Policies
  4. Sovrin Glossary Revisions

This set of documents represents hundreds of hours of community work determining how to map the unique new capabilities of self-sovereign identity (SSI) infrastructure to the requirements of data protection regulations such as GDPR. This is a very deep and multi-faceted topic. In particular, there is tension between the core concept of SSI—that individual identity owners are not just passive “data subjects” but can actually be the data controllers of their own verifiable credentials—and the implicit assumption under GDPR and other data protection regulations that a data controller is always a separate organization that determines “the purposes and means of personal data processing”.

The ultimate resolution of this tension in terms of the legal roles and responsibilities (and the resulting legal agreements) in Sovrin infrastructure is summarized in the following diagram:

The full context of this diagram and a description of the legal agreements are described in a proposed new Appendix to the Sovrin Glossary. You can review this draft Appendix, together with the six proposed new Glossary terms, in the Sovrin Glossary Revisions document.

The SGF V2 requires that any changes to the SGF be subject to a 30-day public review period. That period starts today (August 28, 2019) and extends through the next meeting of the Sovrin Board of Trustees on September 25, 2019.

We invite you to review and comment on any of the proposed new or revised documents. For further instructions, please see the Sovrin Governance Framework home page.
