Rights Layer Specification

Privacy Considerations

Status: Draft v0.1.0 — This section is informative except where RFC 2119 keywords are used.

Rights Layer expressions can contain personal data. A Subject is often a natural person; a Right can reveal what a person is entitled to do; and the append-only Event history of Exercises is, for a natural person, a behavioral history. This document discusses the privacy properties of the model and the obligations that fall on deployments. As everywhere in this specification, no technology is mandated (Principle P1 in Core Principles); deployments choose mechanisms appropriate to their obligations.

1. Where Personal Data Appears

2. Data Minimization

The model is built around references rather than copies (Principle P2), and deployments should use that property deliberately:

3. Purpose Limitation

An expression produced for one purpose (say, verifying eligibility to drive) can technically serve many others (profiling the Subject’s movements from Exercise Events). Rights Layer cannot prevent this — it is a descriptive layer — so purpose limitation is a deployment obligation:

4. Event Histories Are Sensitive

Because Events are append-only and explain the present (Principle P6), a Right’s history accumulates indefinitely by design. For natural persons this means an ever-growing behavior trail.

5. Pseudonymous Identifiers

Rights Layer is identifier-scheme-neutral (Data Model, section 1.1): any URI scheme may be used, and none is privileged. Pseudonymous identifiers are therefore fully compatible with the model:

6. Erasure and Append-Only Events

Many jurisdictions grant natural persons a right to erasure of personal data. This is in tension with append-only Events (a recorded Event MUST NOT be modified or deleted; Data Model, section 3.13). Guidance:

7. Aggregation and Linkage Across Domains

A common expression layer lowers the cost of correlating a person’s rights across domains — that is partly its purpose, and it is also its principal privacy risk. A directory that aggregates a person’s driving licence, medical qualification, insurance policies, and shareholdings, each with exercise histories, is a profile of unprecedented breadth.

8. Jurisdictional Compliance

Compliance with jurisdiction-specific privacy and data-protection law is out of scope of this specification, but it is flagged deliberately: almost every deployment handling natural persons will be subject to such law, and the obligations above (minimization, purpose limitation, access control, retention, erasure) are where that law will bite. Deployments are responsible for their own legal analysis in every jurisdiction they touch.

9. Summary of Deployment Obligations

Concern Obligation
Inline personal data Express references, not attributes; omit name where the identifier suffices
Purpose limitation Bind exchanges to declared purposes; scope what is emitted
Event histories Control access separately; define retention; scope retrieval
Identifiers Pseudonymous identifiers are compatible; prefer non-identifying schemes for persons
Erasure Keep personal data behind references so erasure happens in the referenced system
Linkage Weigh aggregation topology and identifier reuse; no correlation is required by this specification
Privacy law Out of scope here; the deployment’s own obligation everywhere