Is the way Cardano distributes information GDPR compliant?

Trying to ask question that are not critical for the sake of being critical but to ensure Cardano has a bright future one thing that came across my mind is with the new GDPR regulations in place how data is stored about users will be quite important. Currently very little personal data is stored (my impression after reading documentation on Cardano) but in the future if we are moving beyond a pure settlement layer I suspect GDPR compliance will become a thing. In particular I am thinking if it will be hard to withdraw a consent once given (one of the requirements of GDPR is the ability to be able to withdraw consent) if information is consented and spread on the blockchain it would be hard to remove it. Perhaps a solution would be in how this type of information is seperated from the cardano settlement layer allowing for users to withdraw consent to such information. Perhaps it could be coded that users can update “flag” such information if it is consented or consent is withdrawn. In any case it seems important Cardano will be compliant with one of the major revisions of data protection laws and that this is dealt with before it becomes a problem.

5 Likes

I think this might be adressed mostly with the concept of sealed glass proofs, or similar techniques. Let you prove something with the assurance that none of it will be kept. Please specialists, chime in if I’m in the wrong …

1 Like

Good topic @Eystein_Hansen. I think it´s generally a question of legal compliance (GDPR, Territoriality, Tax, etc.) and Blockchain.

This will just get more & more attention as regulation progresses for crypto.

here is a nice statement on this by the “officials”: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/dealing-citizens/do-we-always-have-delete-personal-data-if-person-asks_en

one statement in that page is: “Data can also be kept if it has undergone an appropriate process of anonymisation.” --> the consequence for a solution built on top of a blockchain is that you have to think which data has to be stored in the areas of the blockchain which are hard (read: should not) be changed, and where it might be better to just reference (hash?) data residing off-chain. This would allow to delete the critical data under GDPR later on. Since in the area of blockchain for business we will likely see these cases regularly, I believe a blockchain infrastructure should therefore provide certain support for off-chain data.

3 Likes

What I understood from various videos that I have watched that at some point various Cardano side-chains will have the ability to store this data to meet various regulatory requirements. It will be the users choice if they wish to divulge this data and participate in that side-chain. Having the ability to meet regulatory requirements at the users discretion is definitely part of the plan.

Hyperledger Fabric has private data designed & implemented to support such compliance requirements.

https://hyperledger-fabric.readthedocs.io/en/release-1.4/private-data/private-data.html

The important thing here is to allow for control of privacy whenever needed and have such supporting features.

It would be nice to understand in depth how this will be handled in Cardano. I am sure there is a solution, but don’t know the details.

It would be also interesting to know who is personally in charge of compliance and following up of global developments in regulations and get some casual updates from this person. One of the most exciting happening it is.

Corda also has features for private data. And yes, I do believe that such features are needed to support “digitization” use cases

Thanks guys for the good discussion. Sealed glass proofs seems a good idea to anonymisation. I agree with peter_g a model with reference on the blockchain and off-chain data storage seems a wise way to handle the issues where you do need to store user data and in a way that is not anonyme. I agree with donnybaseball as well that sidechains can be used for this and frankly it also shows the importance of sidechains. Imagine if the main chain was not in compliance because a company failed to protect user data correctly. Suddenly the whole blockchain is distributing none anonymous and potentially not in compliance data and it becomes a problem larger than the original company. (How much liable would then other companies be could be an interesting legal question and under what circumstances). I think just as we have formal methods for implementing Cardano from a mathematical standpoint it would be nice if we have clarity on how the legal aspects of Caradano is ensured and implemented.

The paper is actually really quite something, but technically not quite relevant to the discussion at hand as it focuses more on the fact that it anonymizes and allows for offline computations which can be proven. From the paper:

We design, implement, and evaluate Zexe(Zero knowledge EXEcution), a ledger-based system that enables users to execute offline computations and subsequently produce publicly-verifiable transactions that attest to the correctness of these offline executions.

For the discussion at hand it probably wouldn’t be the best technology for a side-chain to tackle the GDPR compliance problem. Nonetheless I do look forward to Zexe (or future variants of it) to one day be a side-chain on Cardano :ok_hand:

1 Like

Answer to this community question here: Is the way Cardano distributes information GDPR-compliant?

Wouldn’t it be better to just say something about the intent of the design? From everything I’ve read, the overall intent is to design and prove that the tech delivers on exactly this sort of feature. In other words, if there is a credible issue with compliance to privacy requirement, that would be considered a design problem needing a solution.

This is a correct reading of the foundations overall intent and deeply embedded in the core principles, no?