Secure and Privacy-Preserving Authentication for Data Subject Rights Enforcement
Malte Hansen, Andre Büttner

TL;DR
This paper proposes a secure, privacy-preserving authentication architecture for data subjects to exercise their rights under GDPR, utilizing attribute-based credentials and independent identity providers.
Contribution
It introduces a standardized authentication architecture that enhances security and privacy for data subjects using attribute-based credentials and eIDs.
Findings
Enhanced privacy protection for data subjects.
Secure verification of data subject identities.
Supports GDPR compliance with standardized authentication.
Abstract
In light of the GDPR, data controllers (DC) need to allow data subjects (DS) to exercise certain data subject rights. A key requirement here is that DCs can reliably authenticate a DS. Due to a lack of clear technical specifications, this has been realized in different ways, such as by requesting copies of ID documents or by email address verification. However, previous research has shown that this is associated with various security and privacy risks and that identifying DSs can be a non-trivial task. In this paper, we review different authentication schemes and propose an architecture that enables DCs to authenticate DSs with the help of independent Identity Providers in a secure and privacy-preserving manner by utilizing attribute-based credentials and eIDs. Our work contributes to a more standardized and privacy-preserving way of authenticating DSs, which will benefit both DCs and…
