The legislation

Three companion model statutes that together constitute a complete constitutional architecture for government's digital relationship with citizens. Each is designed for introduction in a state legislature. Each addresses a distinct layer of the problem. All three are required for the architecture to hold.

VIDA

Verifiable Identity and Digital Autonomy Act

VIDA mandates that government digital identity systems be built on decentralized, citizen-controlled architecture. It prohibits centralized identity repositories, surveillance-capable systems, and rent-seeking conduct by vendors. VIDA is the technical foundation on which the other two statutes operate: without compliant identity infrastructure, the fiduciary duties PDTA imposes and the algorithmic accountability GAAFA requires cannot be architecturally enforced.

Constitutional grounding

VIDA's general warrant prohibition (Section 3A) derives directly from the Fourth Amendment's guarantee against unreasonable searches. Digital identity systems that exhibit the four characteristics of general warrants, perpetual retention, universal scope, discretionary access, and delegable authority, are constitutionally prohibited regardless of administrative convenience.

Section 3A

General warrant prohibition

Digital identity systems may not exhibit perpetual retention, universal scope, discretionary access, or delegable authority. Centralized aggregation enabling mosaic surveillance is prohibited.

Section 7

Verifiable credential architecture

Government must deploy privacy-preserving, citizen-controlled identity systems consistent with W3C VC and DID standards, supporting selective disclosure and zero-knowledge proofs.

Section 8

Sequestered databases

Each public function's data must be maintained in a purpose-specific database. Cross-agency aggregation enabling mosaic surveillance is constitutionally prohibited.

Section 6

Open standards and anti-rent-seeking

Only open, publicly available technical specifications may be used. Proprietary lock-in and monopolization of identity infrastructure are prohibited.

PDTA

Personal Data Trusteeship Act

PDTA establishes citizens as the primary trustees of their own personal data and imposes binding fiduciary duties of loyalty, care, and confidentiality on all government actors who handle that data. Its structural innovation is a private right of action that citizens can enforce directly against government, without depending on agency enforcement discretion. Prior privacy law imposed duties enforceable by government against citizens. PDTA reverses the direction.

Constitutional grounding

PDTA's fiduciary framework rests on the founding-era relationship between government and governed: citizens are constitutional principals; government actors are their agents, holding delegated authority subject to enforceable duties of loyalty and care. Personal data is a commons of unownable facts, not property, and the obligations that govern its handling arise from the fiduciary relationship itself.

Section 4

Personal data trusteeship

Every natural person is the primary trustee of their own personal data. This trusteeship is inalienable and may not be waived, contracted away, or extinguished by government action.

Section 4B

Duty of loyalty

Seven specific, binary, objectively verifiable obligations derived from the Fair Information Practice Principles. Breach of any single obligation is breach of the duty of loyalty, regardless of purpose or absence of harm.

Section 8

Private right of action

Citizens enforce fiduciary obligations directly against government. No showing of harm or intent required. Four categories of conduct designated as per se breach.

Section 4A

Bilateral trust structure

Government entities serve as limited secondary fiduciaries, authorized only to endorse or verify factual claims. Repurposing data beyond the original justified purpose requires fresh authorization.

GAAFA

Government Algorithmic Accountability and AI Fiduciary Act

GAAFA extends fiduciary obligations to AI systems making decisions about citizens. It requires pre-deployment assessments, establishes the right to algorithmic explanation, and classifies autonomous AI agents as statutory secondary fiduciaries. GAAFA closes the accountability gap that VIDA and PDTA cannot reach: neither identity architecture nor data trusteeship alone governs what happens when an algorithm, rather than a human official, exercises judgment about a citizen's rights, benefits, or obligations.

Constitutional grounding

GAAFA's constitutional foundation is that fiduciary obligations cannot be delegated to automated systems without accountability. When government delegates decision-making authority to an algorithm, the constitutional duties of loyalty, care, and transparency follow the delegation. An algorithm that exercises discretionary authority over citizens is a fiduciary agent subject to the same constraints as a human official.

Section 4

AI fiduciary classification

AI systems and autonomous agents exercising governmental authority are classified as secondary fiduciaries, subject to enforceable duties of loyalty, care, and transparency toward affected individuals.

Section 5

Pre-deployment assessment

Government agencies must complete algorithmic impact assessments before deploying AI systems that affect individual rights, benefits, or obligations, with public summary disclosure.

Section 7

Right to algorithmic explanation

Citizens have the right to know when an algorithm affected a decision about them, what data was used, and how to challenge the outcome through human review.

Section 8

Prohibited practices

Government AI systems may not engage in mass scoring, predictive profiling, or social credit systems. Automated decision-making without human oversight is prohibited for consequential determinations.

Understanding the legislation

Why three separate statutes instead of one comprehensive bill?

Each statute addresses a distinct architectural layer: identity infrastructure (VIDA), data governance duties (PDTA), and algorithmic accountability (GAAFA). Separating them allows a legislature to adopt them individually or together, and ensures each layer can be debated, amended, and enforced on its own terms. But the architecture is designed so that all three reinforce each other, and the constitutional protection is strongest when all three are enacted together.

How does this differ from ordinary privacy legislation?

Most existing privacy law relies on notice-and-consent frameworks, which fail structurally when citizens have no meaningful choice about whether to interact with government. The Fiduciary Commons framework replaces consent with fiduciary duty: government actors owe enforceable obligations of loyalty, care, and confidentiality regardless of whether citizens "agree" to data collection. The key structural difference is the private right of action, which allows citizens to enforce these duties directly rather than depending on agency discretion.

Are these statutes designed for any specific state?

The statutes are model legislation, designed for introduction in any state legislature. Bracketed provisions (such as implementation timelines and agency designations) are intended to be filled in by the enacting jurisdiction. Utah has enacted identity-layer legislation (SB 260 and SB 275) that converges substantially with VIDA's architecture, demonstrating that the technical requirements are implementable at state scale.

What is the relationship between these statutes and NIST SP 800-63?

The framework mandates NIST's strongest recognized identity assurance architecture and adds constitutional and legal superstructure that NIST, as a voluntary technical standards body, cannot provide. NIST SP 800-63-4's subscriber-controlled digital wallets, verifiable credentials, and enhanced data minimization represent significant technical convergence with VIDA's requirements. The controlling divergence is NIST's voluntary nature, absence of private enforcement rights, and silence on constitutional dimensions.

What is a fiduciary duty and why does it matter here?

A fiduciary duty is a legal obligation to act in the best interests of another party, arising when one party holds power or authority over another's interests and the vulnerable party cannot adequately protect themselves. Government's relationship with citizens regarding personal data meets every structural condition for fiduciary obligation: citizens entrust information involuntarily, government exercises discretionary authority over that information, and citizens cannot exit the relationship or bargain for protections. The fiduciary framework gives these constitutional realities enforceable legal force.