A little more than a week after the General Data Protection Regulation (“GDPR”) went into effect, the world is adjusting to the new comprehensive regulatory regime with global reach, designed to protect the personally identifiable information (“PII”) of residents of the European Union (“EU”).
Unlike other privacy statutes, the GDPR does not offer the safe harbors that traditionally have enabled organizations to avoid strict compliance with EU privacy regulations. Rather, under the GDPR, organizations in every part of the world that touch EU citizens’ PII must comply with stringent rules on how PII may be used, the associated reporting requirements, and individuals’ rights over PII that the organization no longer uses.
And, because so many organizations have activity in the EU, the GDPR’s impact is far reaching, effectively raising the bar for all global organizations. Consider the following:
The GDPR’s definition of PII is broad; it encompasses information that, when taken together, can be used to identify a specific person. That could be as little as a name and an address, or a photo, a name and a city: clearly minimal information.
A key provision of the GDPR is that it requires the organization to keep an accounting of all the ways the PII was used. Once the organization no longer needs the PII, it is required to stop using it, period. The organization cannot repurpose the PII for something else. Finally, and significantly, the GDPR gives EU citizens the “right to be forgotten.” EU citizens can demand that organizations remove their PII from active use so that nobody else can access that information ever again.
Between the reporting requirements and the destructibility requirements, organizations that dabble in PII will now be awash in new obligations and massive potential liabilities in the event they fail to comply. Many in the blockchain space are exploring how the GDPR and the blockchain can coexist, as the right to erasure appears to conflict with immutability of the information on a blockchain. That certainly is an important question with lots of variations depending on whether the blockchain is private or public and whether the PII is sufficiently cryptographically protected.
But my mind moves to a different place. Rather, I consider a different model for protecting the sanctity of our PII, one where individuals control their own digital identities using blockchain technology. This model, called self-sovereign identity, suggests that individuals control the information related to their existence on this planet, including birth, education, marital status, professional credentials, and medical records. It is all encompassing. Under this regime, individuals give limited access to third parties, and provide only that information that is needed to transact the business at hand, and only for that specific purpose.
If individuals were able to take full control of their PII, they would be able to share their most personal information on the most limited basis. Because the record of the access is recorded to the blockchain, just like the GDPR requirements, there would be an immutable record of who was accessing the information and how the information was being used.
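To make the model concrete, here is an added illustration (not Sovrin’s code and not part of the original post) of the two ideas above: a holder who reveals only the attribute a verifier needs, and an append-only record of who saw which attributes and for what purpose. It assumes salted SHA-256 commitments for each attribute, an HMAC with a constructed issuer key standing in for a real digital signature, and a hash-chained list standing in for the blockchain; note that the log holds only attribute names and a credential hash, never the PII itself, so the underlying data can later be destroyed while the access record stays immutable.

```python
import hashlib, hmac, json, os

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's real signing key


def leaf(name, value, salt):
    """Salted hash of one attribute; the salt stops guessing of low-entropy values."""
    return hashlib.sha256(f"{salt}|{name}|{value}".encode()).hexdigest()


def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def issue(attrs):
    """Issuer: salt every attribute, commit to all leaves, sign the root."""
    salts = {k: os.urandom(16).hex() for k in attrs}
    leaves = {k: leaf(k, v, salts[k]) for k, v in attrs.items()}
    root = digest(leaves)
    sig = hmac.new(ISSUER_KEY, root.encode(), "sha256").hexdigest()
    return {"attrs": attrs, "salts": salts, "leaves": leaves, "root": root, "sig": sig}


def present(cred, disclose):
    """Holder: reveal only the requested attributes; the rest stay opaque leaves."""
    disclosed = {k: (cred["attrs"][k], cred["salts"][k]) for k in disclose}
    return {"leaves": cred["leaves"], "root": cred["root"], "sig": cred["sig"], "disclosed": disclosed}


def verify(pres):
    """Verifier: check the issuer's signature, then that each disclosed value matches its leaf."""
    expected = hmac.new(ISSUER_KEY, pres["root"].encode(), "sha256").hexdigest()
    if digest(pres["leaves"]) != pres["root"] or not hmac.compare_digest(expected, pres["sig"]):
        return False
    return all(leaf(k, v, s) == pres["leaves"].get(k) for k, (v, s) in pres["disclosed"].items())


def log_access(chain, verifier, purpose, pres):
    """Append a hash-chained record of who saw which attributes and why; no PII is stored."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    entry = {"prev": prev, "verifier": verifier, "purpose": purpose,
             "attributes": sorted(pres["disclosed"]), "credential": pres["root"]}
    entry["hash"] = digest(entry)
    chain.append(entry)
    return entry


def chain_intact(chain):
    """Detect any edited or removed record by re-walking the hash chain."""
    prev = "0" * 64
    for e in chain:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```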
Sovrin, a protocol for self-sovereign identity, contemplates that a universal blockchain-based self-sovereign identity solution would operate as a global public utility. The Sovrin Foundation is an international non-profit established to develop a platform that allows individuals and organizations to manage their personal data using a combination of a public blockchain and private distributed agents, all operating peer-to-peer without third-party intermediaries.
The GDPR has the right idea in making organizations accountable to the individuals whose information they use in the delivery of products and services. However, the problem is that even these regulations, although helpful, do not get to the root of the problem, which is that organizations, and not individuals, are in control of PII. Self-sovereign identity technology can change that, and put the control in the hands of individuals.
Perhaps, as regulations like the GDPR become more expansive and prevalent, organizations will work together with governments, blockchain companies and other emerging technology companies to facilitate and otherwise enable self-sovereign identity.
And for me, that time can’t come soon enough.