Is the Right to Be Forgotten on Ethereum Blockchain Possible?

Stockpiling diplomas or data on the blockchain will transgress regulations on the privacy of personal data. Lexing Alain Bensoussan came up with his analysis and legal opinion on BCDiploma solution’s compliance with the GDPR.

Starting May 25, 2018, the new reference text on the protection of personal data will be adopted from the general regulation on personal data (GDPR). It will cover, as defined, “all information related to a physical person.” As a new standard regarding privacy protection, it will post new rights for individuals whose data are undergoing treatment. The entitlements are as follows:

  • The right to erasure (ex. the right to be forgotten)
  • The right to portability
  • The right to rectification

All companies who have or process data of EU residents worldwide comply with the GDPR. The regulation enables regulators to inflict financial sanctions up to 4% of a company’s worldwide turnover. As an effect, conformity with the rule is a significant stake for CIOs, businesses, and lawyers.

Luther Martin explained that the GDPR’s provision of a right to erasure, also known as the right to be forgotten, to EU citizens would demand the businesses holding their data to erase the information upon request. He concluded that this might unexpectedly put the GDPR and blockchain technologies on a collision course.

New services based on blockchain technologies such as finance, insurance, logistic, healthcare, education, diploma certification, etc. are affixed in various domains. Although, the unalterable character of the blockchain makes it impossible to wash out the data once it has been encoded. On the face of it, blockchain and right to be forgotten do not appear to be compatible. The unchangeable and decentralized nature implies that the register is made of permanent data and is generated to all users in the network. When the right to be forgotten is applied, it may go against the principle of inalterability which lies at the core of the blockchain technology. To conform to the laws, data from all the node of the network and its records should be deleted, which is technically impossible. Stakeholder and users are urged to find immediate solutions to the issue to prevent slowing down the technology adoption considering the broadness of the material and territorial application field of the GDPR.

The Lexing Alain Bensoussan Law Firm envisions cryptography and secured algorithm in compliance with the GDPR. Cryptography will most likely syncretize personal data and storage on a public blockchain. However, the challenge is to find an algorithm that is secure enough to be accepted by the regulator.

Greg McMullen explained that destroying the key in an instance wherein encryption of personal information comes before it is written to a blockchain, the data becomes unreadable. Based on his judgment, there is not enough reason to comply with the right to be forgotten if the data is still technically available. He suggested that regulators should consider the destruction of a key as an erasure for GDPR as long as it is auditable by best practices.

BCDiploma brought up the question and proposes EvidenZ, and open source framework capable of storing diplomas and personal data on Ethereum while respecting the GDPR, to achieve technical and essential requirements. The data is encrypted and protected using a set of 3 keys:

  1. Graduate Key. This is owned by the graduate and is integrated into the URL of the diploma.
  2. Persistent Key. The educational establishment conserves it. If the graduate wishes to forget it, he only has to disfigure the key.
  3. School Permanent Key. This is within the care of the educational establishment and exploitation of stored data is banned unless authorized by the graduate.

Data law and contemporary technology specialist Lexing Alan Bensoussan authored a Legal Opinion on the BCDiploma solution. This is among the few instances wherein the compliance of an Ethereum solution with GDPR and the right to be forgotten is considered. BCDiploma enables personal data storage on the blockchain and aids the legal affinity between blockchain and GDPR regulation.

Blochain Certified Data suggests a solution to certify data on blockchain and Ethereum while the BCDiploma ensures that diplomas are tamper-proof. BCDiploma also guarantees diploma holders and establishments that because of the algorithm AES_256_GCM, the personal data can only be accessed using all three keys. Additionally, the 256-bit key property provides the safest encryption process.