The latest revision of the Sovrin Governance Framework is aimed squarely at showing how the Sovrin identity metasystem is compliant with GDPR and other privacy regulations. Compliance is an important part of adoption and creating "identity for all."
Yesterday the Sovrin Board of Trustees approved the latest revision to the Sovrin Governance Framework (SGF). This revision has been about a year in the making and gives us a way to satisfy GDPR and other privacy regulation requirements and giving Sovrin Stewards the comfort of knowing that they are not in violation of GDPR because they run a validator node. (I'll just use GDPR in the remainder of this message, but understand it's not just GDPR, but any privacy regulation.)
At present all Sovrin ledger writes are permissioned. If you read the SGF, Transaction Authors (TAs) will still need to work with a Transaction Endorser (TE) to write to the ledger. But the SGF anticipates moving to public writes where a TE is not required. There are two things standing in the way of public writes: (a) having a token on the ledger so that TAs can pay for writes directly to the ledger (payments reduce SPAM) and (b) an understanding of how the ledger can be compliant with GDPR if an individual can write DIDs to the ledger for themselves (these are considered peronally identifying information, or PII, under GDPR).
Others in the blockchain space might wonder why Sovrin spends so much time, energy, and money complying with regulations. It's not just about various actors in the system being risk averse. An identity system that you can't use everywhere is just a different technology implementation of what we have now with Login with Apple (or Amazon or Google or Facebook or...). Credential issuers and credential verifiers of all stripes, including banks, governments, educational institutions, etc, must be comfortable with using Sovrin for it to gain universal adoption as an identity metasystem. These institutions will avoid using any system that is perceived as rogue or otherwise non-compliant.
Being compliant with regulation of all sorts, while being true to the principles of Sovrin (PDF) and protecting against censorship, is a fine line. The SGF is a critical tool in staying on that line because it's a clear statement by everyone in the Sovrin ecosystem of what they believe, what principles they follow, and how they operate. The SGF is a public statement of how the Sovrin network functions. This is the key to global adoption of the identity metasystem that provides a universal trust framework for the Internet.
In addition to the revisions to the SGF, we've promoted the Guardianship Task Force to an indepedent working group. You've probably noticed that Sovrin's tagline is "identity for all". But it's more than a tagline, it's our vision. The community volunteers in the Guardianship WG are working to ensure that Sovrin can serve people who don't have digital access or legal capacity. These people might be refugees, but the group also includes minors, the infirm, people using a power of attorney, and others.
Recently the Guardianship WG published a white paper that I think is the state of the art in understanding guardianship in digial identity systems. You can find the whitepaper and more information about the working group on their homepage.
I'm very grateful for the many volunteers who make up the SGF Working Group. They do this important work because they care about an internet that respects human autonomy and dignity and are willing to sacrifice their time and effort to bring it into being.