When blockchain and degrees become compatible with the GDPR
Aurélie Bayle, Legal Compliance Advisor
Consultant lawyer for the be-studys R&D business unit within the be-ys group.
Doctoral CIFRE student at the University of Montpellier, preparing a thesis on the compatibility of distributed registers with the European General Data Protection Regulation (GDPR) under the supervision of Professor Mainguy.
Blockchain & GDPR expert
Mankind has always shown a willingness to put down in writing and record information related to his daily life or exchanges. From the clay tablets and after the invention of paper, printing, reprography and computer science, the time has come for registers so dear to mankind to experience a new era.
While none of the above-mentioned means could guarantee in many respects the inalterability and inviolability of documents or data, it is now possible to assert that this has been made possible thanks to the blockchain.
Why the blockchain?
Blockchain technology is often compared to a secure, public, general ledger of accounts held by all network users (thus decentralized) and containing all transactions or actions carried out since its creation.
The blockchain, although mediatized from a financial and transactional point of view, deserves special attention in that it allows plenty of uses in all sectors. The blockchain is not just about the fluctuations of the Bitcoin. Some states have even seized the opportunity of blockchain technology for managing sovereign activities, while others are leaving it to the private sector (especially to many start-ups) in order to implement solutions.
BCDiploma precisely grasped this matter of fact, by giving a special place to diplomas within the blockchain and its smart contracts, which are absolutely adapted to their authentication and certification.
What opportunity to certify diplomas in the blockchain?
The founders of BCDiploma, with their respective experience and networks in higher education and French schools, have well-understood the opportunity presented to the diploma market.
With more than 8 million graduates each year in the world, a growing degree-fraud phenomenon is not surprising. It’s a fraud with which many players had previously struggled with. BCDiploma’s main mission will enable them to weaken the market of fake diplomas through a certification system that combines the Ethereum public blockchain, smart contracts and cryptographic processes. There are currently no certification standards for diplomas, and the blockchain standard could overcome this difficulty.
Ordinary law does not currently preclude this authentication from being admissible on a probative basis, and there is no indication that the legislator may opt for a contrary position, since it has increasingly recognised the potential of the blockchain for a certain number of years now (ordinance of the mini-cash vouchers of 28. April 2016, “Vocabulaire Informatique” of 26. May 2017).
What about personal data?
The GDPR, which will enter into force in May 2018, is now the new reference text on the protection of personal data.
The latter are defined by the GDPR as “any information related to a natural person”, and it must be noted that the diploma falls within this qualification, no matter how broad it may be.
From the point of view of graduate students, if the term “blockchain” can appear as perplexing or worrying because of its complexity, everything has been thought to put in place a simple, free and practical access, allowing them to promote their authenticated skills, without losing control over this personal data of which they are owners (Article 26 of the Lemaire Law and its right to the free disposal of personal data).
Can we concretely expect the possibility of a “right to be forgotten” on the blockchain and conform to the principles identified by the GDPR?
At first glance, blockchain and the right to be forgotten do not seem compatible. Inalterability and decentralization not only imply that the registry is indelible, but above all it must be shared by all users. If the right to be forgotten is exercised, one would therefore expect to have to go against the very principle of the blockchain’s inalterability, but above all to interfere with the registers of each user individually in order to remove the desired hash.
With its triple cryptographic key process (graduate/key of persistence/key of the institution), BCDiploma has found the right balance to be in conformity with the European Regulation: the graduate has only to ask the institution (his/her school) to delete the key of persistence, and it will remain impossible to decipher or even to go back to the encrypted data in the blockchain, for anyone.
Obviously, the right to be forgotten is not the only modality of the GDPR to be applied, but it is instinctively the first issue to call for questions when it comes to blockchain.
This compliance demonstrated by BCDiploma is a guarantee of credibility and responsibility towards its customers and partners.
This ethic and sense of accountability are principles dear to the be-studys group, which is why we are confident about the BCDiploma project.
October 07, 2017 — Aurélie Bayle