Saving Private Ryan: Reconciling Blockchain technology with the GDPR’s “Right To Be Forgotten”

Gradbase Limited
Published in Gradbase Blog
3 min read, Feb 13, 2018

Blockchain technology is currently used mostly for financial purposes, but notary applications, i.e. applications associated with records of documents and claims, are hot prospects eager to steal the limelight. However, issuing personal claims (such as academic diplomas) on the Blockchain implies processing personal data, for which compliance with relevant legislation is a must.

The “Right to be forgotten” is one of the novel concepts introduced in the EU General Data Protection Regulation (GDPR) that will become law on May 25, 2018. In layman’s terms, it is a right granted to data owners to request, under certain circumstances, that a company or any other entity that processes their personal data erase it. In this short article we introduce the particular challenge of inserting personal data on the Blockchain, where the immutability of the ledger seems to be in direct contradiction with the right to be forgotten.

The Challenge

Regardless of the legislation, it is clear that clear-text personal data should not be stored on a public Blockchain. As anybody has access to the data, this would constitute a breach of privacy. Hence, recreatable cryptographic digests are widely used instead.

While the privacy issue is resolved with cryptographic hashes, the right to be forgotten has not been addressed, as the data is still stored in the Blockchain and can be used for verification purposes. Let’s consider the example of Ryan, who was an unruly student: Ryan achieves his degree and its cryptographic digest is inserted in the Blockchain. Some time after having issued the degree, the university discovers that Ryan cheated in his exams, and decides to revoke it. Because the Blockchain is immutable, the only thing the university can do is flag that the degree has been revoked; it cannot modify the ledger in any way.

Twenty years later, Ryan is a high-flying army officer, with a new well-deserved degree and a great career. Ryan has left the unruly past behind, and does not want anybody to know about it. He has asked the university to remove his data from the registry. While the revoked degree would be taken off university systems, by searching the immutable Blockchain it would be possible for any employer to find out that Ryan’s degree was issued and revoked, suggesting cheating or other problems, without Ryan consenting to the search! So how can Ryan’s past stay truly private?

A Solution

The solution to this conundrum lies in the GDPR legislation itself, which is not prescriptive about how the erasure of data should be conducted. Companies, for example, could make the data permanently unintelligible by some cryptographic means that are controlled by the owner of the data. This solution enables the data to be stored permanently, but as nobody can have access to it, it would be equivalent to “being forgotten”. With the right cryptographic means, personal data can be safely inserted on the Blockchain and, in Ryan’s case, the wish for people not to find out about a juvenile mistake can be fully satisfied.
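One way to realize the approach described above, as an added example that is not Gradbase's code or part of the original article: the on-chain value is an HMAC-SHA256 commitment under a per-record random key held by the data owner, so destroying the key leaves the ledger entry unverifiable. The choice of HMAC, the function names and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def plain_digest(record: dict) -> str:
    """Unkeyed digest: anyone who knows the record fields can re-create it."""
    return hashlib.sha256(canonical(record)).hexdigest()

def issue(record: dict):
    """Return (owner-held secret key, commitment); only the commitment goes on chain."""
    key = secrets.token_bytes(32)
    return key, hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record: dict, key: Optional[bytes], on_chain: str) -> bool:
    """Verification needs both the record and the owner's key."""
    if key is None:  # key erased: nothing can be checked against the ledger
        return False
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, on_chain)

def demo() -> dict:
    # Constructed sample record, not real data
    ryan = {"name": "Ryan Example", "degree": "BSc Physics", "year": 1998}
    ledger_plain = plain_digest(ryan)      # what an unkeyed scheme would store
    key, ledger_keyed = issue(ryan)        # what the keyed scheme stores
    results = {
        "plain_digest_recomputed_by_anyone": plain_digest(dict(ryan)) == ledger_plain,
        "verifies_with_owner_key": verify(ryan, key, ledger_keyed),
        "tampered_record_rejected": not verify({**ryan, "degree": "PhD Physics"}, key, ledger_keyed),
    }
    key = None  # erasure request honoured: the only copy of the key is destroyed
    results["verifies_after_key_erased"] = verify(ryan, key, ledger_keyed)
    # A third party who knows every field still cannot link it to the ledger entry
    results["guessed_key_matches"] = verify(ryan, secrets.token_bytes(32), ledger_keyed)
    return results

if __name__ == "__main__":
    print(demo())
```

The erasure only holds if every copy of the key is destroyed, including backups and any copy handed to a past verifier.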

Gradbase is an EdTech company that works hard to ensure the full benefits of the Blockchain can be reaped, while remaining compliant with the GDPR and other data protection laws. By issuing academic qualifications on the Blockchain, we cut background checks from 4 weeks to 4 seconds and make honest job candidates a lot more competitive. Check us out at www.gradba.se!
