
Communication of data erasure requests

Open Sakurann opened this issue 1 year ago • 1 comments

The Protocols and Interfaces Implementing Act draft (available here) has the following requirement:

Article 6 Communication of data erasure requests

  1. Wallet providers shall ensure that wallet solutions support protocols and interfaces allowing wallet users to request from wallet relying parties with whom they have interacted through those wallet units, the erasure of their personal data provided through those wallet units, in accordance with Article 17 of Regulation (EU) 2016/679.
  2. The protocols and interfaces referred to in paragraph 1 shall allow wallet users to select the wallet relying parties to which data erasure requests are to be submitted.
  3. Wallet units shall display to the wallet user previously submitted data erasure requests made through those wallet units.

We should probably define a mechanism for this - a verifier's endpoint that can accept the wallet's data erasure requests, etc.?

Sakurann, Aug 19 '24 18:08

I see a couple of issues with this requirement and wouldn’t aim for a fully automatic solution.

  1. The user data is typically provided in the context of a registration process, which established a business relationship between user and RP. The user might have signed up for a paid, long-running subscription. That cannot be wiped through the click of a button in a wallet.
  2. The request needs to be authenticated and authorized. The wallet doesn’t know how that works with the RP.

I think a viable solution would be for the wallet provider to send the user to a web site (determined by the RP), where the user could terminate the relationship after she/he has properly logged in. The respective URL could be determined through RP metadata.

tlodderstedt, Aug 20 '24 15:08

Looks like this is out of scope of OpenID4VP. Closing it as the reporter.

Sakurann, Mar 04 '25 19:03