Key Points
- address use cases for PII, personal usage data etc
- summarize regs - GDPR, CCPA, TCPA, HIPAA, HL7
- review opportunity, challenges
- summarize HLF features related - cryptography, identities, private data, off-chain etc
- demo cpaper private data
References
Key Concepts
Potential Value Opportunities
Potential Challenges
EU Study 2020 - Can DLT be reconciled with GDPR?
eu-can-DLT-support-GDPR-2020-study-document.pdf
Thanks @Biser Dimitrov for the report. I agree with the issues raised. GDPR is challenging to comply with. Even more, legal interpretations of key GDPR requirements are not yet settled.
I disagree with the concept that compliance may not be achievable with today's advanced DLT solutions. We looked at scenarios for different interpretations of key features such as "right to erasure" etc and found it possible to engineer DLT solutions that were compliant in all cases. Beyond technology, a compliant solution requires "end-to-end" engineering in most cases. In addition, operation of the solution matters, especially operation and governance on data management and compliance rules.
Candidate Solutions
Microsoft announces the phased rollout of the EU Data Boundary for the Microsoft Cloud begins January 1, 2023
https://blogs.microsoft.com/eupolicy/2022/12/15/eu-data-boundary-cloud-rollout/
Microsoft will begin a phased rollout of our EU Data Boundary solution to public sector and commercial customers in the European Union (EU) and the European Free Trade Association (EFTA).
Microsoft offers data residency and proximity in more locations than any other cloud provider, enabling residency options for the entire Microsoft Cloud suite of online services, including Microsoft 365, Dynamics 365, Power Platform and Azure.
Microsoft will offer customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform and Dynamics 365 services. With this release, Microsoft expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our industry-leading data residency solutions.
In coming phases of the EU Data Boundary, Microsoft will expand the EU Data Boundary solution to include the storage and processing of additional categories of personal data, including data provided when receiving technical support.
Microsoft’s cloud services already comply with or exceed EU requirements, and the EU Data Boundary will further enable public sector and commercial customers in the EU and the EFTA to have their data processed and stored within the region. In addition, with the rollout of the EU Data Boundary, Microsoft will publish new data flow documentation on the new EU Data Boundary Trust Center webpage to provide transparent data insights for customers whose services will be included in the boundary.
Microsoft European Cloud Principles - 2022
Blockchain article on GDPR and Fabric - Priti
- Off-chain storage (Private database)
- Hash or fingerprint of data or metadata on a blockchain (limitations for small-sized data)
- Anonymization of data (Pseudonymization not permitted)
Private data collection in Hyperledger Fabric
Hyperledger Fabric uses cryptography mechanisms to maintain transaction confidentiality and access control. Fabric offers an in-built facility of using a private database where a hash of private data is stored on blockchain. As hash is a one-way function, guessing the private data from the hash is difficult. To make the hash more resilient to brute-force attack – a. Hashing algorithms generating longer bits like SHA-512 b. random salt with the private data should be used.
Transient field – To maintain the privacy of data while communicating from client to authorized peers in organizations, transient field is used which is excluded in channel transaction.
blockToLive – This property in private data collection defines the lifetime of data on a private database. If the blockchain achieves a certain block height (a value can be set), data automatically gets deleted from the private database and to keep data forever in the private database the value of blockToLive is set to 0. Referring to one of the fundamental rights of GDPR, ‘right to erasure’ is also supported in a controlled way by Hyperledger Fabric.
Step-by-step guide for Example
sample code block