GDPR & self-sovereignty: how blockchain can work to the advantage of regulators

The General Data Protection Regulation, enforced in the EU since 25 May 2018, sadly makes no mention of blockchain.

The vision of GDPR

At point (7) of the regulation, the purpose of the new enforcement is clearly stated:

“Natural persons should have control of their own personal data.”

Since many large organizations compete to collect and process personal data, the EU's concern is well justified.

It is summarized at point (40):

“personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis”

The regulation furthermore adds many rules to make sure consent is given freely. Moreover, the purpose of the data processing should be clear and should also be consented to.

The regulation adds many other bases on which data collection and processing should be done, following the same principles of consent and transparency.

This is clearly positive for EU citizens, and yet…

The GDPR is the logical avenue to protect EU citizens from data collection and processing abuses. It would have been in the best interest of individuals if it had been applied a decade ago on a global scale.

The premises of GDPR are all based on the concept that organizations need to collect and process personal data. It implies that there is no such thing as self-sovereignty, that your data is always owned by someone else: social media, operating systems, browsers, apps, hospitals, governments and many others.

This was mostly true a decade ago, but there is now a global trend utterly reshaping the ownership of personal data: BLOCKCHAIN.

Personal data on blockchain is not stored on your PC or on paper, but on a distributed network. Contrary to the cloud, which is a centralized network, the actual owner of the data can be the rightful owner, without needing any consent.

A technology that stores data, but not your personal data

The main difference between cloud and blockchain regarding GDPR is how the data is stored. In the cloud, it is managed centrally: the cloud admin can read the data, process it or send it to others for profit. This is why GDPR was created: to regulate an industry that has too much power and has often abused it.

Blockchain, on the contrary, doesn’t “store” any personal data.

What it stores are impossible ciphers.

So impossible that breaking one of them could take billions of years with current technology. Blockchain stores codes that can only be read using the right key, which should and can be in the hands of the “data subject concerned”.

In other words, with blockchain technology, your personal data cannot be stored or processed without your consent.

The personal data cannot be considered “stored” in the sense GDPR gives the word, because only codes are stored in the blockchain, not the actual personal data. If the key to decrypt a piece of personal data is lost, that personal data inside the blockchain is lost forever.

Another key element in this comparison: the security of the cloud is seriously lacking, and cases of massive data breaches are only increasing every year. Large corporations dealing with personal data cannot protect their users against their own weaknesses.
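The storage model described above, as an added example that is not part of the original article or of any project it mentions: a ledger that holds only ciphertext, with the key held by the data subject. `Ledger`, `seal` and `open_sealed` are hypothetical names, the record is constructed, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for a vetted AEAD (e.g. AES-GCM).
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        return None
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Ledger:
    """Append-only hash chain standing in for a blockchain (hypothetical, single node)."""
    GENESIS = "0" * 64
    def __init__(self):
        self.blocks = []
    def append(self, payload: bytes) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        digest = hashlib.sha256(bytes.fromhex(prev) + payload).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1
    def verify(self) -> bool:
        prev = self.GENESIS
        for b in self.blocks:
            if b["prev"] != prev or hashlib.sha256(bytes.fromhex(prev) + b["payload"]).hexdigest() != b["hash"]:
                return False
            prev = b["hash"]
        return True

def demo() -> dict:
    subject_key = secrets.token_bytes(32)  # held only by the data subject, never written to the ledger
    record = json.dumps({"name": "Constructed Person", "blood_type": "O+"}).encode()  # constructed sample
    ledger = Ledger()
    stored = ledger.blocks[ledger.append(seal(subject_key, record))]["payload"]
    return {
        "plaintext_on_ledger": b"Constructed Person" in stored,
        "subject_can_read": open_sealed(subject_key, stored) == record,
        "read_without_key": open_sealed(secrets.token_bytes(32), stored),
        "chain_intact": ledger.verify(),
    }
```

Discarding `subject_key` leaves the block in the chain but makes `open_sealed` return `None` for every other key, which is the "lost forever" case the paragraph describes.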

Tested blockchain solutions can.

GDPR, as it is, relies on all participants to follow its guidelines, while those participants have financial incentives elsewhere.

They are missing the fact that technology is now allowing a much more effective enforcement of their vision.

Enforcing a regulation is not about punishing for each infringement, but about providing the best practices and guidelines.

Dealing with infringement is what you do when you don’t have tools to ensure the proper compliance in the first place.

As long as personal data regulations do not include self-sovereignty, distributed technology or blockchain, they do not feature the best practice to protect their citizens.

Examples of self-sovereignty and personal data on the blockchain

1. IDGO project — Isolated communities on the blockchain

ID card for Tao people on Orchid Island

In the IDGO project, community members can issue their own ID, which is certified by the community.

Their personal data from different IDs is stored on the blockchain. Having a digital identity on blockchain allows them the convenience of one ID for all services while reducing to zero the security risk of a third-party processor.

https://taopassport.idgo.im/

https://idgo.im

2. phrOS — The blockchain operating system of healthcare

TMUH patients in Taiwan can have their medical data stored on the blockchain. This allows them to bring their medical data anywhere in the world, safely.

Moreover, pharma companies collecting their data for research purposes need the authorization of the patients to use their medical data. Soon, they will have to pay the patients (and the hospital) for their medical data.

https://phros.io

Projects that give ownership of data to the rightful owner are now countless on the blockchain. They are in healthcare, trading, identity, governance and soon in social media. They embody the vision of GDPR well beyond its current application.

Please, Mr. Regulator, raise your head and look around you.

The blockchain-based RegTech (regulatory technology) is here.


Originally published at medium.com on June 1, 2018.