March 2018

A US Perspective on the LIGHTest Project: Commercial equivalence as a lubricant for the information economy

From the US commercial perspective, leveraging the DNS infrastructure to publish trust schemes (or contractually bound identity trust frameworks of various kinds) offers, for the first time, the promise of easy global access to authoritative and authentic trust information. The notion of publishing trust schemes and their policies, representing commercial equivalence in trusted information rather than legal equivalence, is built expressly on the EU foundation of two of the most extraordinary legal achievements of our era: the eIDAS Regulation and the GDPR. LIGHTest now unleashes the ability for both the US and EU commercial sectors to leverage these pathbreaking regulations fully as the basis for a trust infrastructure to grow the global information economy.

At the General Meeting in Graz, Jon Shamah highlighted two important objectives for LIGHTest:

1. Providing scalable transparency to trust services, globally.

2. Extending the EU strategy of eIDAS influence outside of original geographic and sector boundaries.


This is echoed in the D2.9 Report on page 15 – “Observing that the eIDAS Regulation provided a strong and credible trust model for electronic identification and trust services within the European Union, the goal was to find a way to extend this model both geographically (identities and trust services outside the EU) and contextually (other trust information than the trust schemes of the eIDAS Regulation).”


The first category of added value LIGHTest brings involves digital identity providers, attribute providers, identity brokers, and Trust Mark issuers. Because the eIDAS cross-border recognition provisions for electronic identification apply only to public sector identity credentials issued by EC member states, EU-US commercial interests still have an immediate need for private sources of digital identity credentials, as well as identity attribute brokering services to enable international transactions and data transfers. From the US perspective, the LIGHTest trust model of assurance that is legally defined, based on independent audits, and discoverable through public trust lists provides a technology and policy tool for achieving identity assurance that can unleash opportunities for international data transfer. As the Social Impact Report notes – “LIGHTest can be used for any trust scheme and any trust decision, whether based on a legislative framework, contractual assurances or even individual preferences, even at a very small ad hoc scale.” (D2.9 at page 15.)


The second category of added value occurs when service providers offer validation of non-qualified trust services and the commercial equivalent of such services outside of the EU. Though the usefulness of qualified trust services for achieving legal equivalence is without doubt in a vast number of use cases, US commercial interests merely need the ability to leverage non-qualified electronic signatures, electronic seals, and delivery services. Currently, there is no easy or scalable means by which to find these non-qualified trust services, validate their authenticity, and translate assurance levels. “Since the number of application areas is practically unlimited – LIGHTest can be used whenever trusted information must be published, validated or translated.” (D2.10 page 25.)

The third category of added value results from the ability of the LIGHTest infrastructure to enable trust translation. “Trust translation essentially relates to an assessment and finding of equivalence between specific trust schemes.” (D2.10 page 22.) In particular, EU and US commercial interests will be able to use LIGHTest to assist with publishing and discovering trust information relating to GDPR compliance. “Compliance with data protection law is particularly crucial to LIGHTest: at its heart, LIGHTest uses a global technology (the DNS) for the publication, validation, and translation of trust information.” (D2.10 page 8.) In relation to international data transfers, this could include, for example, use of LIGHTest as a method of discovering all Data Controller and Data Processor registration of certification mechanisms, data protection seals, and data protection marks with the EU Data Protection Board (GDPR Articles 42(8), 43(6), and 46(2)(f)).


With respect to LIGHTest’s value add for trust translation, of special interest is the current legal challenge to the validity of Standard Contractual Clauses (SCC) as a channel for EU-US data transfers. The Court of Justice of the EU will soon be weighing whether EU citizens have sufficient legal recourse in the US for GDPR violations by US Data Processors when using the SCC data transfer method. One US-based response could be to achieve suitable recourse under the Virginia Electronic Identity Management Law, which specifies that privacy/data protection is a matter to be addressed by identity trust framework providers and operators as minimum criteria. Also, the proposed Virginia guidance documents relating to this law contemplate that, for some identity trust framework providers, data protection requirements such as the GDPR will be expressly incorporated. Therefore, the LIGHTest infrastructure could be used to publish the trust policies of such identity trust framework providers (or trust schemes) so as to make it convenient for EU Data Controllers to locate Data Processors in the United States who are members of such a framework and who could be subject to legal recourse in the United States for GDPR violations.


US commercial interests will take great interest in LIGHTest’s implementation of the EU trust management model as a method for achieving commercial equivalence in electronic identification and trust services as well as GDPR compliance. “If two partners (e.g. the EU and the USA) have decided that they wish to acknowledge the equivalence of certain electronic identities and/or trust services, they could use the tools that LIGHTest will provide to discover their trust scheme information, to validate it in individual transactions, and even to facilitate the translation of trust via the DNS based on their agreed equivalence rules.” (D2.9 page 10.) Similarly, in the US, the Virginia Electronic Identity Management Law leverages the EU trust model in the form of legally recognized identity trust frameworks that provide a basis for governance and legal recourse relating to electronic identification, identity-related trust services, and data protection. Thus, LIGHTest gives US commercial interests a toolset with which to leverage eIDAS, GDPR, and the US-based Virginia law to grow the information economy.


Author: Timothy S. Reiniger, The Timothy Reiniger LLC Advisory Practice