GDPR compliant nodes and subnets

I am discussing with a few friends from an insurance industry solution based on the IC. Because this project is related to certain EU legislation it will require GDPR compliance. As I understand, for now IC nodes and subnets are not.
I believe ICP will have to eventually face the GDPR issue. The EU will start enforcing GDPR on all crypto platforms, especially ones dealing with private financial information. Or somebody just simply files a lawsuit against the application provider or Dfinity for non compliance. It has to be taken seriously. Also being GDPR compliant can definitely boost ICP adoption, especially among corporate users. It also applies to other major jurisdictions (USA, India, China).

5 Likes

The big issues here are:

  1. Some kinds of data needs to be on EU servers only.
  2. Some kinds of data needs to be removable at the user’s request.

Number 1 can be handled with geo-specific subnets.
Number 2 is much more difficult. It is hard removing data from an immutable data store. It takes a bit of data architecture. You can’t just send someone’s passport number across a boundary node or it ends up in the logs of 13 different organizations and you can never put the BBs back in the box even if you do have a way to delete the data from your canister.

If you push it in encrypted, then one could argue that if you cut any relation between the principal and the data that it has been ‘forgotten’, but who knows if the regulators will see it that way.

4 Likes

I agree that it’s not easy but most probably much easier than in other blockchains.

A few thoughts:

  • The data stored on the IC is actually mutable (controlled by canister code). The immutable log (the blocks) gets garbage collected quickly.
  • I don’t think boundary nodes and replicas keep logs with payload.
  • GDPR distinguishes between data controllers and data processors. From my (limited legal) understanding, I’d argue that if the canister is controlled by some entity, then the entity would be the data controller, if the canister is blackholed, it’s harder to embed it into the legal framework :slight_smile:
  • In any case, I think the node providers would count merely as data processors, which have fewer responsibilities.
4 Likes

I would say that in this specific use case (but also others involving business transactions between multiple parties) No 2 will not apply. Actually, you have to legally maintain immutable data for at least several years (for example images from accident, timestamp, geolocation). Also provide access to data for regulators, in case of legal dispute, for example. Perfect use case for blockchain.
We just have to be sure of data privacy and that data will never leave the EU.
We need to be sure that critical personal data is always stored encrypted.
But, it would still be interesting to have a feature to purge all canister related data from nodes and subnets.
Also, from a data lifecycle perspective I would like to see some ‘glacier’ data storage type, where canister data can retire. Extra low cost.

1 Like

Threshold encryption could help here. If the use cases allow for end-to-end encryption, it’s possible the user could be considered the controller, and the processors would simply be processing fully anonymized data, relieving them of their responsibilities under the GDPR as I understand it.

If end-to-end encryption won’t work for the use case, then perhaps the application can be designed such that the user is the controller of the data. If a canister is black-holed or controlled directly by the user, perhaps there’s a case under the law that there is no other entity but the user as the controller of the data.

As for the nodes being data processors, secure enclaves may help if data is not end-to-end encrypted.

The most difficult piece here will be if the data cannot be end-to-end encrypted, and if a company wants to be the controller of data.

Based on my understanding of the laws.

3 Likes

As a really wild thought here, what if we use the new motoko VM so we could ship the analysis code around to different personal data wallets such that only the aggregates of queries ever leave the wallets owned by individuals?

2 Likes