Does storing diplomas, or any other personal data, on a blockchain necessarily infringe personal data protection regulations? The Legal Opinion produced by Lexing Alain Bensoussan analyses the compliance of the BCDiploma solution with the GDPR.
The General Data Protection Regulation (GDPR) will be the new reference text on the protection of personal data, defined as "any information relating to an identified or identifiable natural person". It takes effect on May 25th, 2018. As a new standard in privacy protection, its contributions notably include new rights for individuals whose data are being processed:
– the right to erasure (the "right to be forgotten");
– the right to data portability;
– the right to rectification.
The GDPR has a worldwide scope: it applies to every organisation, wherever it is established, that holds or processes the personal data of EU residents. It gives regulators the power to impose fines of up to 4% of a company's worldwide annual turnover (or EUR 20 million, whichever is higher). Compliance with this new regulation is therefore a major stake for companies, CIOs and lawyers.
Blockchain and the GDPR: An inevitable conflict?
“The GDPR also provides EU citizens with a right to erasure: to be able to require that businesses holding their data irrevocably erase the data upon request (also known as the “right to be forgotten”). (..) This may end up putting the GDPR on a collision course with blockchain technologies in unexpected ways.” Luther Martin
New services based on blockchain technology appear every day, in finance, insurance, logistics and healthcare, but also in education, with diploma certification. However, because a blockchain is unalterable, data cannot be erased once it has been "written" to it. At first glance, the blockchain and the right to be forgotten do not seem compatible. Immutability and decentralisation mean not only that the register is made of indelible data, but also that this register is replicated on every node of the network. Exercising the right to be forgotten would therefore go against the very principle of immutability that lies at the core of the technology: the data would have to be erased from each and every node of the network and from its records, which is technically impossible. For stakeholders and users of blockchain technology it is urgent to find answers to this issue so as not to slow down its adoption, all the more so since the material and territorial scope of the GDPR is extremely broad.
CRYPTOGRAPHY AND A SECURE ALGORITHM: THE LEXING ALAIN BENSOUSSAN LAW FIRM ENVISAGES COMPLIANCE WITH THE GDPR
The cryptographic approach seems the most likely to reconcile personal data with storage on a public blockchain, but the challenge is to propose an algorithm secure enough to be accepted by the regulator.
“Assuming personal information is encrypted before it is written to a blockchain, destroying the key renders the data unreadable. But is this enough to comply with the right to be forgotten, if the data is technically still there? Regulators should accept the destruction of a key as an erasure for the purposes of the GDPR, so long as the destruction is done in accordance with best practices and in an auditable way.” Greg McMullen.
To meet this essential technical requirement, BCDiploma has taken up the question and proposes an open source framework, EvidenZ, capable of storing diplomas and personal data on Ethereum while respecting the GDPR. The data is encrypted and secured with a set of three keys:
I. Graduate Key. Owned by the graduate and embedded in the diploma's URL.
II. Persistent Key. Kept by the educational establishment. When the graduate wishes to exercise his or her right to be forgotten, this key is destroyed, and the encrypted data becomes unreadable.
III. School Permanent Key. Also kept by the educational establishment. The stored data cannot be exploited for commercial purposes without the graduate's consent.
“BCDiploma has designed an algorithm allowing total security of the diploma’s AES key. This key is not stored and can be generated only by assembling the three keys through a derivation process. BCDiploma guarantees establishments and diploma holders that data on Ethereum is encrypted and can be read only with possession of all three keys, thanks to the AES_256_GCM algorithm. BCDiploma’s 256-bit key guarantees one of the safest encryption processes on the market.”
Legal Opinion, Lexing Alain Bensoussan
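The three-key scheme described above, as an added worked example written for this page (it is not BCDiploma's or EvidenZ's code, and the page does not say how their derivation actually works): the AES-256-GCM key is recomputed from the three shares with HKDF-SHA256 every time it is needed and never stored, the resulting ciphertext is what would be written on-chain, and destroying the persistent key leaves that ciphertext permanently unreadable, which is the "destruction of a key as erasure" argument of the quotes above. The 32-byte share size, the salt and info strings, the function names and the sample diploma record are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const shareLen = 32 // assumption: each of the three key shares is 256 bits

// hkdfSHA256 is HKDF (RFC 5869) on the standard library, limited to a single
// expand block, i.e. at most 32 bytes of output, which is all we need here.
func hkdfSHA256(salt, ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // keyed with the PRK
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil) // T(1): 32 bytes, one AES-256 key
}

// deriveDiplomaKey recombines the three shares into the transient AES-256 key.
// The key is never stored, only recomputed, and derivation refuses to run if
// any share is missing: that is the state once the persistent key is destroyed.
func deriveDiplomaKey(graduate, persistent, school []byte) ([]byte, error) {
	for _, s := range [][]byte{graduate, persistent, school} {
		if len(s) != shareLen {
			return nil, errors.New("key share missing or malformed: AES key cannot be derived")
		}
	}
	ikm := bytes.Join([][]byte{graduate, persistent, school}, nil)
	return hkdfSHA256([]byte("diploma-kdf-salt-v1"), ikm, []byte("aes-256-gcm")), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDiploma encrypts a record with AES-256-GCM under a fresh random nonce and
// binds the diploma identifier as associated data, so a ciphertext cannot be
// replayed under another diploma's record. Output layout: nonce || ct || tag.
func sealDiploma(key, diplomaID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, diplomaID), nil
}

// openDiploma decrypts and authenticates: a wrong key, a mismatched diploma
// identifier or a truncated blob yields an error, never garbage plaintext.
func openDiploma(key, diplomaID, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], diplomaID)
}

// destroyShare zeroises a share in memory and returns nil: the erasure step.
// The on-chain ciphertext remains, but the key can no longer be rebuilt.
func destroyShare(s []byte) []byte {
	for i := range s {
		s[i] = 0
	}
	return nil
}

func randShare() []byte {
	s := make([]byte, shareLen)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

func main() {
	// Constructed sample inputs, not real BCDiploma data.
	graduate, persistent, school := randShare(), randShare(), randShare()
	key, _ := deriveDiplomaKey(graduate, persistent, school)
	blob, _ := sealDiploma(key, []byte("diploma-2017-00042"), []byte(`{"name":"Jane Doe","degree":"MSc"}`))
	pt, _ := openDiploma(key, []byte("diploma-2017-00042"), blob) // blob is what would go on-chain
	fmt.Printf("with all three shares: %s\n", pt)
	persistent = destroyShare(persistent) // right to be forgotten exercised
	_, err := deriveDiplomaKey(graduate, persistent, school)
	fmt.Println("after erasure:", err)
}
```

Two points a practitioner would check before accepting key destruction as erasure: the nonce must be fresh for every record (GCM fails catastrophically on nonce reuse under the same key), and zeroisation must reach every copy of the destroyed share, backups included, and be logged, since any surviving copy keeps the on-chain data readable; that auditability is exactly the condition the regulator-facing argument above rests on.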
Lexing Alain Bensoussan, a law firm specialising in data law and new technologies, has produced a Legal Opinion on the BCDiploma solution. This is one of the first times that the compliance of an Ethereum-based solution with the GDPR and the right to be forgotten has been examined. BCDiploma paves the way for the storage of personal data on the blockchain and facilitates the legal compatibility between blockchain and the GDPR.
Blockchain Certified Data offers a solution for certifying your data on the Ethereum blockchain. BCDiploma makes diplomas tamper-proof.
Any questions? Please join us on Telegram: https://t.me/BCDiploma