Hacker News

petercooper last Monday at 10:08 PM

(I'm naive in this area, but..) I wonder if the various "proof of age" laws coming into play will clash with the GDPR in insidious ways. Like requiring identity providers to hold definitive "proof" of why they made an assessment rather than merely proving and discarding. I assume/hope there is some cryptographic way to do this rather than hang on to passport and ID images, however.


Replies

charles_f yesterday at 5:22 AM

I'm somewhat knowledgeable on privacy topics, pasting my answer to another comment:

The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".

^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.

lschueller last Monday at 10:46 PM

There are established ways / protocols to hold and provide cryptographically valid proof of a verification process, without any need to keep the actual ID images in any storage. And to my knowledge there is no requirement for compliant KYC (Know Your Customer) to provide their ID as a proof as long as the verification process itself is compliant and audited in accordance with certain criteria.

You can compare this in a certain way to file hashes. A successful verification with a predefined minimum level of credibility can be encrypted to a special string for later use, if a service needs to verify the person again. It doesn't matter then that the original passport images or video ident have been deleted the second after ID verification has been completed.
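
The idea discussed in this thread, keeping a verifiable record of the verification outcome while discarding the ID material, sketched as an added example (not part of the thread and not any commenter's or provider's code). The function names, claim fields and the `"document-check"` label are hypothetical, and HMAC stands in for the issuer's signature so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

# Constructed demo key. HMAC stands in for the issuer's signature; a real
# issuer would use an asymmetric signature so relying services can verify
# without holding a secret.
ISSUER_KEY = secrets.token_bytes(32)

def _tag(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest().encode()

def issue_attestation(account_id: str, birth_date: date, id_image: bytes,
                      today: date, valid_days: int = 365) -> str:
    """Simulated ID check: derive the outcome, keep nothing else."""
    if not id_image:
        raise ValueError("no ID document supplied")
    age = today.year - birth_date.year - (
        (today.month, today.day) < (birth_date.month, birth_date.day))
    claims = {
        "sub": account_id,
        "age_over_18": age >= 18,
        "assurance": "document-check",  # hypothetical assurance label
        "iat": today.toordinal(),
        "exp": today.toordinal() + valid_days,
    }
    # birth_date and id_image are never written anywhere and are not in the token.
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _tag(payload).decode()

def verify_attestation(token: str, today: date):
    """Return the claims if the token is authentic and unexpired, else None."""
    payload, sep, tag = token.partition(".")
    # Constant-time comparison; a modified payload or tag fails here.
    if not sep or not hmac.compare_digest(_tag(payload.encode()), tag.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if today.toordinal() > claims["exp"]:
        return None
    return claims

if __name__ == "__main__":
    # Constructed sample input: account id, birth date and "scan" bytes.
    t = issue_attestation("acct-42", date(2000, 6, 2), b"constructed scan bytes",
                          date(2025, 6, 1))
    print(verify_attestation(t, date(2025, 6, 1)))
```

The token carries only the yes/no outcome, an assurance label and validity dates, so a later re-check needs neither the passport image nor the date of birth.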