On the Compliance of Self-Sovereign Identity with GDPR Principles: A Critical Review
Abubakar-Sadiq Shehu

TL;DR
This paper critically reviews self-sovereign identity (SSI) frameworks, evaluating their compliance with GDPR principles, and discusses their potential, limitations, and research gaps in the context of privacy and data control.
Contribution
It systematically assesses recent SSI and blockchain solutions for GDPR compliance, highlighting gaps and opportunities for future research.
Findings
Many SSI solutions show potential for GDPR compliance.
Current SSI frameworks face limitations in full GDPR adherence.
Research gaps include scalability and interoperability issues.
Abstract
Identity Management Systems (IdMs) have complemented how users are identified, authenticated, and authorised on e-services. Among the methods used for this purpose are traditional IdMs (isolated, centralised and federated) that mostly rely on identity providers (IdPs) to broker trust between a user and service providers (SPs). An IdP also identifies and authenticates a user on behalf of the SP, who then determines the authorisation of the user. In these processes, both SP and IdP collect, process or store users' private data, which can be prone to breach. One approach to address the data breach is to relieve the IdP, and return control and storage of personal data to the owner. Self-sovereign identity (SSI) was introduced as an IdM model to reduce the possibility of data breaches by offering control of personal data to the owner. SSI is a decentralised IdM, where the data owner has…
Taxonomy
Topics: Privacy, Security, and Data Protection
