[OpenID-Specs-eKYC-IDA] Issue #1198: 9. Privacy considerations - reference to legal basis (1st sentence) (openid/ekyc-ida)
issues-reply at bitbucket.org
Fri May 1 16:05:38 UTC 2020
New issue 1198: 9. Privacy considerations - reference to legal basis (1st sentence)
The revised language is unclear : if the legal basis is to be established before any PII is exchanged, then what does ‘in the course of the OpenID process’ means in practice? It also appears to imply that a contract must be put in place between the OP and the RP, which could in theory be a good thing, in practice much less so I fear.
More importantly, I suspect OPs are unlikely to give away customer PIIs ‘upon request' without either a clear representation from the RP that the end-user’s consent has been obtained in accordance with applicable privacy rules or the RP submitting verifiable consent evidence originating from the end-user - and my guess is that OPs will insist on the latter unless there is an established relationship between the OP and the RP. It goes back to the liability issue already discussed - why should they when there are liability implications arising either from GDPR or, for financial institutions, banking secrecy rules?
More information about the Openid-specs-ekyc-ida