GDPR-Compliant Personal Data Management: A Blockchain-Based Solution

The General Data Protection Regulation (GDPR) gives control of personal data back to its owners by imposing higher requirements and obligations on service providers that manage and process personal data. Because verification of GDPR compliance, handled by a supervisory authority, is conducted irregularly, it is challenging to certify that a service provider has been continuously adhering to the GDPR. Furthermore, it is beyond the data owner's capability to perceive whether a service provider complies with the GDPR and effectively protects her personal data. This motivates us to envision a design concept for developing a GDPR-compliant personal data management platform leveraging the emerging blockchain and smart contract technologies. The goals of the platform are to provide decentralised mechanisms to both service providers and data owners for processing personal data and, at the same time, to empower data provenance and transparency by leveraging advanced features of blockchain technology. The platform enables data owners to impose data usage consent, ensures that only designated parties can process personal data, and logs all data activities in an immutable distributed ledger using smart contract and cryptography techniques. By honestly participating in the platform, a service provider can be endorsed by the blockchain network as fully GDPR-compliant; otherwise, any violation is immutably recorded and easily identified by associated parties. We then demonstrate the feasibility and efficiency of the proposed design concept by developing a profile management platform implemented on top of the Hyperledger Fabric permissioned blockchain framework, followed by valuable analysis and discussion.
