Right to Erasure
privacyFull Name: Right to be Forgotten
Definition
The Right to Erasure, codified in Article 17 of the General Data Protection Regulation (GDPR), is a fundamental data protection right that enables individuals to request the deletion of their personal data from any data controller when specific conditions are met. These conditions include when the data is no longer necessary for its original purpose, when the individual withdraws consent, when the data has been unlawfully processed, or when there is no overriding legitimate interest for continued processing. In the EUDI Wallet ecosystem, the right to erasure applies at multiple levels: users can delete credentials and associated keys from their wallet device, request that credential issuers revoke and delete issued attestations, and demand that relying parties who received personal data through credential presentations delete that data. The eIDAS 2.0 regulation explicitly integrates GDPR requirements into the EUDI Wallet framework, making the right to erasure a core design principle of the European digital identity infrastructure.
Right to Erasure in the EUDI Wallet Architecture
The EUDI Wallet architecture implements the right to erasure through multiple technical mechanisms operating at different levels of the identity ecosystem. At the device level, the wallet provides a straightforward user interface for deleting individual credentials. When a user deletes a credential, the wallet application removes the credential data from secure storage and destroys the associated device-bound private keys in the secure enclave. This ensures that the credential cannot be recovered or presented, even if the device is later compromised.
At the issuer level, the right to erasure enables users to request that the credential issuer revoke an attestation and delete the associated personal data from their systems. The EUDI Wallet may facilitate this through an automated revocation request mechanism built into the wallet-issuer communication protocol. When an issuer revokes a credential, it adds the credential identifier to a revocation status list, ensuring that any previously shared presentations of the credential will fail verification if a relying party checks the revocation status.
At the relying party level, the right to erasure requires verifiers who have received personal data through credential presentations to delete that data upon request. The EUDI Wallet ecosystem encourages privacy-preserving verification patterns where relying parties verify credentials in real-time without storing the presented data, minimizing the scope of erasure requests. However, when data retention is necessary (for example, for regulatory compliance or contractual obligations), relying parties must provide clear data deletion mechanisms accessible to the data subjects.
Technical Challenges of Data Erasure in Digital Identity
Implementing the right to erasure in a distributed identity ecosystem presents unique technical challenges that the EUDI Wallet architecture must address. Unlike centralized systems where a single database deletion achieves complete erasure, the EUDI Wallet ecosystem involves multiple independent parties (wallet providers, credential issuers, relying parties, and potentially backup services) that may each hold copies of personal data.
One significant challenge involves transaction logs and audit trails. Credential issuers and relying parties may maintain logs of issuance and verification events for security, compliance, or dispute resolution purposes. The right to erasure must be balanced against these legitimate retention needs. The EUDI Wallet framework addresses this by recommending that logs store only the minimum necessary data (such as credential identifiers and timestamps) rather than full personal data, and that logs be subject to defined retention periods after which they are automatically purged.
Another challenge involves the distinction between credential revocation and data erasure. Revoking a credential (making it invalid for future presentations) is technically different from erasing the underlying personal data. A user might want their medical credential revoked (so it can no longer be presented) while the underlying medical records remain in the healthcare system for continuity of care. The EUDI Wallet must support these nuanced scenarios, allowing users to exercise granular control over revocation and erasure independently.
Wallet Instance Deletion and Account Closure
The most complete exercise of the right to erasure in the EUDI Wallet context is the complete deletion of a wallet instance. When a user decides to stop using their EUDI Wallet entirely, the wallet must provide a clear account closure process that ensures all personal data is thoroughly removed. This includes deleting all stored credentials and their cryptographic keys from the secure enclave, removing any locally cached data such as issuer certificates or presentation history, deregistering the wallet instance attestation with the wallet provider, and notifying credential issuers that the wallet instance is no longer active.
The wallet provider (the entity that certifies and distributes the wallet application) must also honor erasure requests by deleting any wallet instance data they hold, such as device attestation records, push notification tokens, or anonymized usage analytics. Under the eIDAS 2.0 regulation, wallet providers are explicitly prohibited from collecting or retaining data about credential presentations, so their data holdings related to individual users should be minimal.
Cross-border erasure adds an additional layer of complexity. A user who has presented credentials to relying parties in multiple EU member states has the right to request erasure from each of those parties. The EUDI Wallet ecosystem does not maintain a centralized registry of all presentations (as that would itself be a privacy violation), so the user must exercise their erasure rights directly with each relying party. Future developments may include standardized APIs for erasure requests that simplify this process across borders.