GDPR + Blockchain + Companies. Public sector adoption and compliance. Sovrin, LTO Network, and HOLO.
In this article, we focus on some aspects of blockchain adoption by the public sector. Starting with GDPR, we will explain its relevance, but also its issues, when combined with the blockchain technology. Then we will take a global look at the ecosystem and three projects able to solve the issues of GDPR: Sovrin, LTO Network, and HOLO (holochain). And in the last part, we look at the DLT matrix.
Grab a cup of tea and enjoy the read!
Introduction to GDPR
Some of you might have heard about GDPR, but what is it really? The General Data Protection Regulation (GDPR) came into force on the 25th of May. Its aim is to protect data privacy of all individuals in the EU and EEA areas. Meanwhile, companies that are not GDPR compliant risk huge fines of up to €20 mln or 4 percent of annual global turnover. It is a big deal. And it is not just Europe — California is moving in a similar direction.
Why should you care?
— spoiler: it’s very relevant.
- Facebook, Google, and other giants have been hit with lawsuits of $8.8 billionright after GDPR came into force.
- Some media even claimed that it is easier to restrict EU usersfrom accessing services than to comply with the new law.
- Recently Facebook confessed to being hacked and having data of over 50m users leaked — the largest breach in Facebook’s history.
- Just today, on the 8th of October, it became known that Google tried to cover up data breach of around 500,000 Google+ users, which has been happening from 2015 till March 2018.
No wonder that GDPR compliance is on top of the agenda for many firms, including those in the blockchain space. Without going too much into legal detail, the three most crucial aspects of GDPR are:
- the right to access, which gives citizens the right to access their data and to know in which way it’s being handled;
- the right to rectification, enabling citizens to amend and correct their personal data;
- the right to erasure, a.k.a. the right to be forgotten, allowing subjects to request deletion of their personal data.
GDPR + Blockchain
In the context of blockchain technology, GDPR poses an even greater challenge due to the intrinsic characteristics of the technology, even causing some projects to shut down and go out of business.
Blockchain technology brings numerous advantages when comes to security and trust. The irreversibility attribute makes blockchain the perfect tool for dispute resolution and transparency.
This feature makes any blockchain, public or private, incompatible with GDPR: one just can’t possibly erase or amend data once it’s on the chain.
One might say that for community- or purely-decentralization-focused projects GDPR compliance might not be needed. However, compliance is of utmost importance when it comes to the huge public sector market, where blockchain technology is already finding some adoption.
GDPR + Blockchain + Companies
Companies diving into the blockchain are very much different from projects focusing on dApps. For dApps, first and foremost a proper use case is needed. This because, so far, users have been disregarding hacks and other privacy issues which have been plaguing major platforms like Facebook.
However, for companies, the issue is much more significant, and also much more urgent. Sensitive information like financial data, confidential agreements and the like has to be handled with utmost care. Handling of business processes, legal agreements, and third-party data has to be done in a secure and GDPR compliant way.
Essentially any company with European partners or clients, which means the majority of the public sector market worldwide, cannot use the majority of existing blockchains.
GDPR and regulatory compliance are intertwined with the core architectural setup of any project. This has the unfortunate consequence that many projects will not be able to adapt to it. A few of them, like APEX, VeChain, and Waltonchain are trying, but their approach is not clear yet. Among projects that are GDPR-compliant on an architectural level are Sovrin, LTO Network, and HOLO (Holochain).
Sovrin
Sovrin’s GDPR compliance comes from distinguishing between data that is stored on the public ledger and data that is kept locally. Other key features implemented by Sovrin include ZK-proofs. You can read more about it here and in this technical overview from Sovrin.
The primary purpose of SSI is to give individuals control over their identity attributes and the exercise thereof. From the Sovrin point of view, the first test of true SSI is the extent to which identity is, and will always be, under the control of the Identity Owner. A second and important objective of Sovrin’s approach is to enable and expand the exchange of Credentials between Identity Owners and other entities in the data ecosystem in large part by facilitating a high degree of trust. Hallmarks of this approach include the Sovrin Trust Framework and Domain-Specific Trust Frameworks. In this way, Sovrin mirrors the dual purposes of the GDPR. — Elizabeth M. Renieris, Evernym [source]
LTO Network
LTO Network has a hybrid approach towards data privacy as well. Each process, or Live Contract (which is an extended deterministic Finite State Machine), rests upon its own miniature ad-hoc permissionless private chain. These chains are created using the developer toolkit. The events happening on them are anchored on a permissionless public chain for Proof-of-Existence. With LTO Network, the node of the user is the controller. You are only a processor. You can read more about their solution to GDPR.
Essentially any business process, any legal agreement or any inter-party process can be automated as a Live Contract: supply chain processes, third-party data handling, KYC, real estate lease agreements, NDAs, and so on. LTO Network has quite a vast client base and some serious adoption. You can read more about their product demo and testnet in their recent article.
HOLO (Holochain)
HOLO is not something you would imagine a blockchain project to be. In fact, it is not even a blockchain. Its premise is that data is not stored on a public ledger and that, instead, processes are agent-centric. Each agent has its own DNA, and the data is shared only in a P2P manner. You can read more about it here.
As the team claims, GDPR compliance is situational and based on hApp rules (like a dApp, but on HOLO, hence a different name). However, the important part is that the technology allows for a not-so-complicated compliancy switch, which will turn HOLO into a GDPR compliant solution if needed.
DLT Matrix
The potential for blockchain to become a new open-standard protocol for trusted records, identity, and transactions cannot be simply dismissed. Blockchain technology can solve the need for an entity to be in charge of managing, storing, and funding a database. True peer-to-peer models can become commercially viable due to blockchain’s ability to compensate participants for their contributions with “tokens” (application-specific cryptoassets) as well as give them a stake in any future increases in the value. — McKinsey [source]
Let’s take a look at how this relates to the projects being discussed. Although HOLO is not a blockchain, it can be regarded as a unique solution with permissionless private ‘chains’ similar to LTO Network (this is not a precise fit as HOLO cannot really be fit into the DLT matrix, but it most closely relates to the private permissionless category).
As we have seen, the projects discussed use similar tech setups in the form of a hybrid approach: agent-centric storage of data, and a global chain for verification of events — whether it’s anchoring as Proof-of-Existence or ZK-proofs. In the next issues, we will look deeper into the applicability of blockchain technology to public sectors, and the corresponding challenges.
