This article is a continuation of the article "Data Governance Act meets ToIP Framework". It will explain why many of the provisions of the Data Governance Act, proposed updates to electronic identification and trust services (eIDAS), alongside recent Requests for Proposals made by the European Commission, suggest that a payment layer for Verifiable Credentials is crucial to the proper functioning of a data-sharing model using Verifiable Credentials.
In December 2020, the European Parliament announced that it “…reached a provisional agreement on a new law to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products.”
This new agreement is in the form of the Data Governance Act (DGA).
Some TL;DR, please
The Data Governance Act addresses four key points:
- Reusability of public sector data;
- Reusability of data between businesses;
- Reusability of personal data, directly controlled and consented to by individuals (data subjects); and
- Reusability of non-personal and aggregated data for ‘altruistic’ purposes, such as scientific research.
This sounds pretty exciting for everyone in the world of digital identity, because, as we highlighted in a previous blog: data is currently single-use, which is inefficient and costly for all parties involved.
By making data reusable you can kickstart a new economy for data sharing.
This overlap between the intentions of the DGA and the self-sovereign identity (SSI) community was explained well in Trust over IP’s recent article, which explained how the Data Governance Act complemented the core “trust triangle” that the SSI community is familiar with.
Figure 1 from Trust over IP’s recent article
The Intermediary in the diagram above is nothing new to the SSI ecosystem. Usually, in visualisations, the Intermediary is bundled together with the holder, acting as a consent and credential management engine, an “identity agent”, acting on behalf of the user.
And whilst the Act does not necessarily state that ‘data intermediaries’ must be decentralised, there is a specific section which illustrates that a specific category of data intermediaries will need to exist to act in the SSI ‘agent’ capacity.
Recital 23 states:
“A specific category of data intermediaries includes providers of data sharing services that offer their services to data subjects in the sense of Regulation (EU) 2016/679 [GDPR]. Such providers focus exclusively on personal data and seek to enhance individual agency and the individuals’ control over the data pertaining to them. They would assist individuals in exercising their rights under Regulation (EU) 2016/679 […] In this context, it is important that their business model ensures that there are no misaligned incentives that encourage individuals to make more data available for processing than what is in the individuals’ own interest.”
Let’s break this down methodically:
1. “[Intermediaries that] seek to enhance individual agency and the individuals’ control over the [personal] data pertaining to them”
In an SSI paradigm, this clause is describing intermediaries that enable individuals to have direct control over their personal data. Technically speaking, this type of functionality would be carried out by a digital identity wallet, which supports the EU’s work in creating a framework for digital identity wallets in Europe.
2. “Assist individuals in exercising their rights under Regulation (EU) 2016/679 [GDPR]”
This function is what is commonly thought of as the role of a digital identity agent, allowing users to meaningfully and explicitly consent to the uses of their Credentials and data, including access, rectification and erasure of data.
3. “No misaligned incentives that encourage individuals to make more data available for processing than what is in the individuals’ own interest.”
This clause is interesting and suggests that companies will not be able to scalp customer data in the same way they do today, nor will they be able to offer services in return for data — rather, they will have to specifically receive explicit consent from the user. This could also potentially open up the option for the customer to selectively disclose data, perhaps in return for a monetary incentive. This could be enabled through the use of Verifiable Credentials with BBS+ signatures or through the use of AnonCreds layered on top of cheqd.
In this way, the Data Governance Act directly complements the work done in the world of SSI, and while it does not mandate the use of SSI, it gives the technology a huge leg-up, legitimising the method of data sharing in law.
eIDAS Bridge and eIDAS v2
Concurrently, alongside the work to reframe the way data is shared, the European Commission has been strategising about how to update eIDAS to best encompass Verifiable Credentials for functioning SSI. Nacho Alamillo Domingo explains the different steps that the EU may consider here. There has since been work to give Verifiable Credentials the same legal effect for cross-member state identity as “Qualified Electronic Signatures (QESs)”. This work has been labelled eIDAS bridge. This would mean that instead of Member States having to exchange SAML files with Qualified Electronic Signatures and timestamps, they could rely on the native cryptographic proofs in Verifiable Credentials.
eIDAS bridge has since published numerous legal and technical deliverables laying out how Verifiable Credentials can be incorporated into an updated eIDAS framework.
What this means for the SSI industry as a whole is that it is being taken very seriously at a supranational legal level. eIDAS v2 is very likely going to update the eIDAS framework with compatibility for Verifiable Credentials.
The value here is that cross-border data exchange, as well as third-party KYC reliance in regulated industries such as Financial Services, will both be able to leverage Verifiable Credentials. This will make SSI a much more lucrative offering for such regulated industries, which are currently hesitant to use VCs, as they cannot rely on the contents of the data without doing their own standalone KYC check on new customers.
After eIDAS 2, organisations will be able to legitimately rely on the contents of a Verifiable Credential or Verifiable Presentation as a completed KYC requirement.
cheqd and fees
One pertinent aspect of the Data Governance Act that hasn’t seen too much discussion is the economic angle for data reuse and data sharing between businesses.
Recital 5 highlights that the core goal of the framework for data sharing services is to increase trust in sharing personal and non-personal data and “lower transaction costs” linked to B2B and C2B data sharing.
This supports cheqd’s hypothesis that the current cost of onboarding new users onto services is onerous and overly expensive because Know-Your-Customer (KYC) checks need to be repeated at every instance of KYC in a regulated industry.
By reducing this KYC cost to a percentage of the current fee, data sharing will become much more frictionless and will create opportunities for increased trust in industries that do not have the margins for current KYC costs. This, on top of the work of eIDAS v2, seems to be gravitating towards a model similar to cheqd’s.
Perhaps more importantly, the Explanatory Memorandum of the Act indicates that the law should be applied to “data sharing amongst businesses, against remuneration in any form”. This means that if data flows in one direction between businesses, there may be a payment or fee as remuneration in the other direction. The specific wording here of “in any form” may also presuppose that this payment doesn’t necessarily need to be in fiat currency. Article 6 and, to some extent, Article 18 support this within the main body of the Act, laying out transparency requirements for “the fees paid by natural or legal persons processing the data, if any”.
Currently, no payment mechanism has been incorporated into the technical EBSI architecture for SSI, and for this reason, we believe that cheqd has a place in layering on top of eIDAS v2, the Data Governance Act and EBSI, as it combines the Verifiable Credential flow with customisable and optional payment flows and fees.
The model above complements the intentions and scope of both the Data Governance Act and eIDAS v2 proposals. Moreover, cheqd is architecting its payment rails to be able to work on top of any other identity ledger, such as the European Blockchain Services Infrastructure (EBSI), did:web, did:ion, KERI or others, in a flexible and interoperable way to accommodate use cases across different jurisdictions and verticals. In this way it does not compete with the likes of EBSI and other utilities, but works alongside them to complete the SSI stack from an economic perspective.
Change on the horizon?
The Data Governance Act, in combination with the latest eIDAS v2 changes, will begin to catalyse change in the way public sector bodies, businesses and individuals interact with data. If properly enforced in conjunction with the GDPR, we will hopefully see fewer abuses of data, and more data sovereignty and direct data control.
We strongly believe that the work of the SSI community, such as Trust over IP, alongside the optionality for fees and native payments by cheqd, creates a functional and privacy-preserving foundation for the goals and intentions of this new Data Governance Act.
And finally, we believe that cheqd can perform a valuable and unique function, overlaying on top of the European framework for data sharing and we hope it can support the European Blockchain Services Infrastructure (EBSI) and European Self Sovereign Identity Framework (eSSIF) going forward.
This is the world cheqd is building for, and it is encouraging to see it being written into formal legislation.
We, at cheqd, help companies leverage SSI. cheqd’s network is built on a blockchain with a dedicated token for payment, which enables new business models for verifiers, holders and issuers. In these business models, verifiable credentials are exchanged in a trusted, reusable, safer, and cheaper way — alongside a customisable fee.