GDPR and Storing User Data

Hello everyone!
I was redirected here for a question initially asked on Discord.

How does storing User Data on the IC comply with the GDPR?
Building a Dapp for the Encode hackathon and wanna make sure my team and I don’t tread on any toes. Is it ok to store all user data on chain / canisters?

As far as I understand canisters can be set to private where only specific actors can make a query but in relaying all data on the subnets does that comply with data minimization as set out in the GDPR?

Any guidance is welcome ^^


This is a huge topic for discussion. I spent a good bit of time looking at GDPR stuff and can certainly give my opinion, but it will be in no way authoritative. The key pieces of architecture that are relevant to GDPR are where your data is and who has access.

Nodes share the data and the node providers could theoretically look into your canister and see the data. Typically you have an agreement with Amazon or Microsoft saying that they won’t do that and will be held liable for data breaches. These agreements allow you to tick certain boxes that say you’ve done your due diligence and that you have a plan for data protection. I don’t know if the IC has one of those, but I would imagine in the future it would be helpful for someone to organize the independent datacenters into some kind of shared entity that makes it easy for those vendors to make the same kind of assurances without having to sign 23 different agreements.

Official access can be programmed just like any other application, so as long as you follow GDPR best practices around logging and data access restrictions you should be fine.

The real question is what happens when a DAO is running a canister and there aren’t any entities to hold responsible for GDPR. That one is going to throw the regulators for a loop. I don’t have any answers and there is certainly room for bad actors to enter that space with mal-intent. It is going to be a fun ride and we’re all going to have to figure it out together.