It is now possible to store diplomas and personal data on Ethereum in compliance with the GDPR. Lexing’s Legal Opinion analyses the compliance of the BCDiploma solution. The EU’s General Data Protection Regulation (GDPR) will take effect on May 25th 2018. It will be the new reference text for the protection of personal data, defined as «any information relating to a natural person».
Within this new pillar of privacy protection, one of its main contributions is the granting of new rights to individuals whose data are undergoing processing:
- The right to erasure (also called right to be forgotten);
- The right to portability;
- The right of rectification.
The GDPR has an extra-territorial scope and applies to all companies owning or processing data of EU residents. The regulation gives to the regulator the power to impose financial penalties of up to 4% of a company’s annual global turnover. It is therefore easy to imagine that compliance with this new regulation is a major challenge for companies, IT Departments and lawyers.
BLOCKCHAIN AND THE RIGHT TO BE FORGOTTEN
“The GDPR also provides EU citizens with a right to erasure: to be able to require that businesses holding their data irrevocably erase the data upon request (also known as the ‘right to be forgotten’). (…) This may end up putting the GDPR on a collision course with blockchain technologies in unexpected ways.” Luther Martin
Not a day goes by without the creation of new services based on blockchain, in many fields: finance, insurance, logistics, health, and also education, with the certification of diplomas. However, because of the unalterable character of the blockchain, once data are “written” on a blockchain it is impossible to erase or modify them. At first glance, blockchain and the right to be forgotten do not seem compatible. Inalterability and decentralization not only imply that the registry is indelible, but above all that it must be shared by all users. Exercising the right to be forgotten would therefore appear to require going against the very principle of the blockchain’s inalterability: the data held by every node, along with its history, would have to be erased, which is neither desirable nor possible. For the actors and users of blockchain technology, it is becoming urgent to find answers to this question so as not to slow down the adoption of this technology, especially since the scope of the Regulation, both material and territorial, remains very broad, as already mentioned.
STORING ENCRYPTED DATA ON THE BLOCKCHAIN: LEXING ALAIN BENSOUSSAN LAW FIRM ENVISAGES COMPLIANCE WITH THE GDPR
The cryptographic perspective seems to be the most likely to reconcile personal data and storage on a public blockchain, but the challenge is to propose an algorithm sufficiently secure to be accepted by the regulator.
“Assuming personal information is encrypted before it is written to a blockchain, destroying the key renders the data unreadable. But is this enough to comply with the right to be forgotten, if the data is technically still there? Regulators should accept the destruction of a key as an erasure for the purposes of the GDPR, so long as the destruction is done in accordance with best practices and in an auditable way.” Greg McMullen
To meet this technical and essential requirement, BCDiploma has taken up this question and proposes an open source framework – EvidenZ – capable of storing diplomas and personal data on Ethereum while respecting the GDPR. The data is encrypted and secured using a set of three keys:
- Graduate Key. This is the property of the graduate, and is integrated into the diploma’s URL.
- Persistent Key. It is kept by the educational establishment. When graduates wish to exercise their right to be forgotten, they only have to destroy this key.
- School Permanent Key. This is kept by the educational establishment.
The stored data cannot be used for commercial purposes without the graduate’s consent.
“BCDiploma has designed an algorithm allowing total security of the diploma’s AES key. This is not stored and can be generated only by assembling three keys through a derivation process. BCDiploma guarantees establishments and diploma holders that data on Ethereum is encrypted and can be read only with possession of all three keys thanks to algorithm AES_256_GCM. BCDiploma’s 256-bit key guarantees one of the safest encryption processes on the market.” Legal Opinion, Lexing Alain Bensoussan
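The passage above describes the mechanism only in outline: the AES-256-GCM key is never stored, it is derived from the three key shares, and destroying one share makes the ciphertext permanently unreadable (the pattern usually called crypto-shredding). The following Go program is an added illustration of that pattern and is not BCDiploma’s or EvidenZ’s code; the page does not name the derivation function, so HKDF-SHA256 is assumed here, the salt and info labels are made up, and the three 32-byte key shares and the diploma text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Non-secret domain-separation labels. These are assumptions for this illustration,
// not values taken from the BCDiploma/EvidenZ scheme.
var (
	hkdfSalt = []byte("diploma-key-derivation-salt-v1")
	hkdfInfo = []byte("diploma-aes-256-gcm-key")
)

// DeriveDiplomaKey assembles the three shares (graduate, persistent, school) into one
// 32-byte AES-256 key with HKDF-SHA256 (RFC 5869, extract then expand). Each share is
// length-prefixed so that moving bytes between shares cannot yield the same input.
func DeriveDiplomaKey(graduateKey, persistentKey, schoolKey []byte) []byte {
	var ikm []byte
	for _, share := range [][]byte{graduateKey, persistentKey, schoolKey} {
		ikm = append(ikm, byte(len(share)>>8), byte(len(share)))
		ikm = append(ikm, share...)
	}
	// Extract: PRK = HMAC-SHA256(salt, IKM)
	extract := hmac.New(sha256.New, hkdfSalt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	// Expand: one block is enough for a 32-byte key: T1 = HMAC-SHA256(PRK, info || 0x01)
	expand := hmac.New(sha256.New, prk)
	expand.Write(hkdfInfo)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:32]
}

// SealDiploma encrypts the diploma record with AES-256-GCM. The random 12-byte nonce
// is prepended to the output; the 16-byte authentication tag is appended by Seal.
func SealDiploma(key, diploma []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, diploma, nil), nil
}

// OpenDiploma reverses SealDiploma. With a key derived after a share was destroyed,
// GCM's tag check fails and an error is returned instead of garbage plaintext.
func OpenDiploma(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// DestroyKey overwrites a share in place: the "erasure" step of the scheme.
func DestroyKey(share []byte) {
	for i := range share {
		share[i] = 0
	}
}

func main() {
	// Constructed sample shares; a real deployment would generate them randomly.
	graduate := make([]byte, 32)
	persistent := make([]byte, 32)
	school := make([]byte, 32)
	rand.Read(graduate)
	rand.Read(persistent)
	rand.Read(school)

	key := DeriveDiplomaKey(graduate, persistent, school)
	blob, _ := SealDiploma(key, []byte("Diploma: Jane Doe, MSc Computer Science, 2018 (constructed)"))
	pt, err := OpenDiploma(key, blob)
	fmt.Printf("with all three shares: %q (err=%v)\n", pt, err)

	DestroyKey(persistent) // graduate exercises the right to be forgotten
	_, err = OpenDiploma(DeriveDiplomaKey(graduate, persistent, school), blob)
	fmt.Printf("after destroying the persistent key: err=%v\n", err)
}
```

The on-chain blob stays exactly where it was; only the ability to derive its key is removed. Two points a practitioner would check before relying on this for erasure: the derivation must mix all three shares (here via HKDF over the length-prefixed concatenation, so no two shares alone determine the key), and the destruction of the share must itself be auditable, which is the condition the McMullen quote places on regulators accepting key destruction as erasure.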
Lexing Alain Bensoussan, a specialist in data law and new technologies, has produced a Legal Opinion on the BCDiploma solution. This is one of the first times that the compliance of an Ethereum solution with the GDPR and the right to be forgotten has been considered. BCDiploma (www.bcdiploma.com) paves the way for the storage of personal data on the blockchain and facilitates compliance of blockchain applications with the GDPR.
Source: Crypto Coins News