With GDPR being a comprehensive set of instructions, it is beneficial to break down key aspects of the regulatory framework and see how they may be relevant to DApps running on EOS.
The right to be forgotten (or right to erasure) enshrined in Article 17 says “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…” (Read the complete Article here). This Article is perhaps the most unique part of GDPR and one that can be a bit challenging given the immutable nature of the blockchain. It is also one that developers need to keep in mind at the onset while designing and dealing with personal data and the EOS blockchain.
When in doubt … be cautious
Since blockchains are public ledgers their information is available to everyone. That’s why all sensitive information needs to be encrypted if it is to be stored on the blockchain. There are different ways to achieve this, namely storing personal data off-chain or on-chain. While off-chain is easily compliant, you lose the key benefits of using the blockchain, namely immutability. On-chain, though difficult, offers the protection and security of the blockchain, however, it is not exactly compliant when it comes to ‘the right to be forgotten’. So, we propose a different way of securing personal data on the blockchain while at the same time being compliant to GDPR. Yes, on the chain. How?
We believe that using secondary keys to bring in the flexibility of “burning” data might be the most efficient, and compliant way forward. While the data is not “erased” from the blockchain per se, it is rendered inaccessible (at least until quantum computing kicks in, which is well, a different story altogether). As illustrated below, one can see how secondary key pairs can be created in order to encrypt personal data on EOS.
Illustration: Using secondary key pairs to encrypt personal data
An EOS account contains a public account name as well as a public and private key pair. Your account name and public key are openly stored on the blockchain. While your private key is secret and used to sign transactions on the network. You can generate multiple keys and associate them with your main account.
Applications needing identity verification involving personal data storage can ask that an EOS account signs a transaction using a private key as well as an identity hash. The identity information is encrypted and only decryptable by using your secondary private key. By openly burning the private key you burn the access to the information. Your private information is not deleted, but it has been made unreadable. Not only is this compliant, but it also empowers the user to burn or “delete” his or her own information rather than waiting for some centralised authority to do it for them. This combines the core principle of the blockchain - decentralisation - with the GDPR regulation, thus maintaining the sanctity of empowering the end user. By having multiple key pairs in an EOS account, we have the possibility to encrypt our personal information on the blockchain and hence allow for industrial use cases to emerge on the EOS platform.
Join us as we continue to explore what those use cases may be for EOS in particular and blockchain in general in future articles.