Among the privacy-enhancing technologies explored in the context of the European Digital Identity (EUDI) Wallets, zero-knowledge proofs stand out for their ability to maintain established levels of cryptographic verifiability while enabling data minimisation – relative to the requirements expressed by the relying party (RP). However, legal frameworks in many sectors require the collection of verifiable data beyond the RP’s immediate needs, which may substantially narrow the scope of data minimisation achievable in regulated domains. Accordingly, this paper examines the tensions between the strict data minimisation requirements for the EUDI Wallets and the extensive legal proof obligations that relying parties must fulfil. Our analysis of the regulatory foundations and relevant technical mechanisms identifies documentation, audit, and long-term preservation obligations as key sources of friction. We explore the implications of these tensions, point to gaps in current standardisation and compliance regimes, and suggest potential technical and non-technical solution approaches that could help realise in practice the benefits that advanced privacy-enhancing technologies can offer.
Horvat et al. studied this question.