Airnode — The First Fully GDPR-Compliant Oracle Node

API3
Apr 6, 2021

Following API3’s announcement on January 13th of this year to join the EEA, our ongoing mission has been to build out and reinforce the use case for Airnode as the preferred solution for connecting off-chain APIs with blockchain-based enterprise applications and solutions.

In the first quarter of 2021, API3’s Airnode oracle solution went through an extensive audit by GDPR compliance specialist Tacita, and was found to be fully GDPR-compliant when operated as intended, i.e. by the API provider as a first-party oracle. As the first oracle node specifically built to be API provider-operated, this establishes Airnode as the first fully GDPR-audited and compliant solution for bridging DLT-based applications with APIs.

Results of Tacita’s GDPR audit of Airnode:

What is GDPR and why is compliance vital for any enterprise?

GDPR (General Data Protection Regulation) is the legal framework that sets guidelines for the collection and processing of personal data from individuals who live in the European Union (EU). Any company that does business in the EU involving EU citizens, or is an EU entity, must be GDPR compliant, which carries requirements concerning (among other things) data minimization, accuracy and storage limitations, as well as integrity and confidentiality of the processed data.

The penalties for non-compliance are significant. Organizations found to be in breach of GDPR can be fined up to 4% of their annual global turnover or 20 million euros (whichever is greater). Because of this, for a business to operate in the European market, its ability to demonstrate full and verifiable GDPR compliance is an essential requirement that extends to all operations of the company, including the technology stack it employs.

Why is GDPR important for Airnode?

The lack of regulatory compliance can be seen as one of the most significant barriers to enterprise adoption of blockchain technology. This is due to the fact that in their current form, immutable, publicly transparent and globally accessible permissionless networks, such as Ethereum, generally fall short of fulfilling the data privacy requirements of either enterprise users or international data regulators. Once external data is written onto a public, permissionless blockchain, it becomes simultaneously immutable and visible to all nodes in the network, making the enforcement of data protection principles (such as data minimization and confidentiality) intractable.

Enterprise-focused blockchain solutions like Linux Foundation’s Hyperledger, R3’s Corda and ConsenSys’ Ethereum-based Quorum have moved in to fill the need for added data privacy through their permissioned network designs. However, for these platforms to query data external to the blockchain, the commonly proposed solution of utilizing decentralized networks of third-party oracle nodes (which gain visibility into the data in the process of delivering it) can break the chain of custody required for full GDPR compliance due to uncontrolled third-party access to private information.

To address these challenges, Airnode provides a middleman-free and easy-to-use open source solution that, when used as intended, can be shown to fully comply with the strict European GDPR requirements due to its first-party design. We believe this constitutes a significant step towards the development and adoption of enterprise blockchain applications that utilize APIs for information about real-world data and events.

Who is Tacita?

Tacita is a specialist service provider for addressing all aspects of GDPR compliance, from general organizational compliance assessments to specialized, targeted process audits. They ensure their customers’ staff and data protection officers are fully trained in all aspects required to maintain the highest standards for regulatory data protection. This includes full audit and review services to verify product and service GDPR compliance across the board. Ken Morgan and Andy Main, the founders of Tacita, have a combined eight decades of experience working at senior levels in small and medium enterprises and blue chip organizations related to these areas of specialization.

If your company is working on a blockchain use case or application that will need access to data from the real world via APIs, we would be happy to cooperate in making this happen through the use of Airnode. On all enterprise-related matters, you can reach us directly at joeri@api3.org.
