Data Privacy Compliance
PRIVACY BY DESIGN WAS EMBEDDED AS A HIGH PRIORITY NON-FUNCTIONAL REQUIREMENT FOR THE VELOCITY NETWORK RIGHT FROM THE START. THE NETWORK IS DESIGNED TO COMPLY WITH GDPR AND OTHER PROMINENT PRIVACY REGULATIONS. COMPLIANCE TO THE FAIR CREDIT REPORTING ACT (FCRA) AND INTERNATIONAL EMPLOYMENT LAWS ARE ALSO CONSTANTLY VALIDATED.
Privacy by Design was embedded as a high priority non-functional requirement for the Velocity Network right from the start. The network is designed to comply with GDPR and other prominent privacy regulations. Compliance with the Fair Credit Reporting Act (FCRA) and international employment laws are also constantly validated.
Safety and security are our highest priorities. Security is built into the very design of the Velocity Network to prevent malicious activity.
COMPLIANCE WITH DATA PRIVACY REGULATIONS
Compliance of Blockchain implementations with prominent privacy regulations including GDPR and the California Consumer Privacy Act is not a trivial discussion. These regulations emerged in a world of traditional, centralized data models and certainly did not anticipate an innovation like distributed ledgers.
The GDPR, for example, assumes a tri-party data model, while Blockchain sets out a fundamentally different data model that is flat, decentralized, and peer-to-peer. Nevertheless, we would claim that Blockchain and Self-Sovereign Identity are the ultimate GDPR compliance tool.
It is useful to remember that data protection regulations operate in a wider context. GDPR, for example, promotes two objectives: data protection and free movement of data. This second objective is concerned with stimulating economic growth by creating the trust that will allow the digital economy to develop. Blockchain shares similar goals to GDPR. Privacy regulators will collaborate with the industry in defining standards and finding solutions that will allow for the adoption of blockchain and other Distributed Ledger Technologies.
It is useful to remember that data protection regulations operate in a wider context. GDPR, for example, promotes two objectives: data protection and free movement of data. This second objective is concerned with stimulating economic growth by creating the trust that will allow the digital economy to develop. Blockchain shares similar goals to GDPR. Privacy regulators already collaborate with the industry in defining standards and finding solutions that will allow for the adoption of blockchain and other Distributed Ledger Technologies.
GDPR CORE PRINCIPLES
Discussions on blockchain’s compliance with privacy regulations tend to focus on the technical details about the implementation of specific features or functionality in the network, often losing sight of the bigger picture, in which Velocity Network is completely aligned with the regulator goals, adhering to its regulations core principles of: Lawfulness, fairness, and transparency, Purpose limitation, Data minimization, Accuracy, Storage limitation, Integrity and confidentiality, and Accountability:
Consent: Article 6 of the GDPR sets out six lawful bases for the processing of personal data. It seems that the “highest” basis is Data Subject consent for its data to be processed. Valid consent must be: freely given; obtained through an affirmative act of the Data Subject; revocable; and provable. In the Velocity Network, all data transactions (sharing and use of data) are directly authorized by the Identity owner through an affirmative act by accepting a Data Access Request from an interested party. Both the Identity Owner and the receiving party track all such acceptances. the Identity Owner can easily later revoke access to the shared Credential and also has full data portability.
Purpose limitation: Personal data collected for one purpose should not be used or repurposed for a new, incompatible purpose. In Velocity Network, a data access Request shows the purpose for which data is being requested. A receiving party can delete this data once it has executed whatever transaction it was needed for, and then can simply request it again if and when it’s needed.
Data minimization: limiting the personal data that is collected, processed, and stored. In Velocity Network, the Identity Owner decides precisely which, if any, Career Credentials it wants to disclose.
Accuracy: data controllers are responsible for taking reasonable steps to ensure that the personal data they hold, and the process is kept accurate and up to date. In Velocity, Credential Issuers update Credential status in near-real-time, to keep it always up to date and accurate.
Now let’s review the rights of individuals under the GDPR and examine how each one is supported by The Velocity Network:
Right to Subject Access Request (Article 15): a user can ask for a report anywhere their data is held. In the Velocity Network, users own their data and have complete access to it.
Right to Rectification (Article 16): a user can ask to update data that is inaccurate. This is a more challenging issue due to the immutable nature of the Blockchain. Based on our experience working closely with a diverse set of Credential Issuers such as employers and education vendors, we anticipate cases where data on individuals would have inaccuracies, resulting in inaccuracies in credentials offered. The Velocity Network protocol will allow corrections to career records. The process would require filing a claim with the Velocity Network ombudsman office that will execute an investigation aiming to rectify inaccurate data.
Right to Erasure (Article17): Also known as the “right to be forgotten,” this provision refers to when a user can request to delete all data held on them. GDPR does not precisely define what the term “erasure of data” means; does it mean the complete destruction of data or would encryption of the data rendering it incomprehensible be sufficient? To begin with, as the users themselves privately store the private key and the credentials themselves, and no one can access their data without it, there is the question of why users would ask to erase it. Also, theoretically, it would be possible for a user to destroy their private key and erase the credentials thereby leaving only proofs on a chain that cannot be linked back to the Individual.
Right to Restriction of Processing (Article 18): a user can request that their data will not be “processed” because it is incorrect, there is no reason for it to be held, or they have raised a request to object. The fundamental architecture of the Velocity Network assures the user self-sovereignty of their data and how it is processed, hence complying with the regulations in that sense.
Right to Receive Personal Data (Article 20): a user can request that their data be provided to them in a “structured, commonly used and machine-readable format” so that they can pass it to another company. A key objective furthered by Velocity Network is interoperability, and data transfer is built into the protocol.
Right to Object (Article 21): a user can object to your holding their data because you have no reason to and hence it should be deleted. Same as with previous clauses, the fundamental architecture of the Velocity Network assures the user’s self-sovereignty of their data and how it is processed. To delete the data, it would be possible for a user to destroy their private key and credentials, thereby leaving no trace of their personal data.
Data Transfers out of the EEA: GDPR restricts the transfer of EU citizens’ personal data to countries outside the EEA or international organizations. These restrictions apply to all transfers, no matter the size of transfer or how often you carry them out. A central theme of Blockchain is the distributed ledger, where every node in the Consensus Network can access, store and add to the ledger, and since many of these nodes would be located outside the EEA, we can see the challenge in compliance. First and foremost, the Velocity Network Blockchain does not contain any personal data. What is stored on chains are parts of the proof needed to verify the credential authenticity. Second, GDPR does permit personal data transfers to a third country or international organization, subject to compliance with set conditions, and only to countries whose legal regime is deemed by the European Commission to provide for an adequate level of personal data protection. In the absence of an adequacy decision, however, transfers are also allowed outside non-EU states under certain circumstances, such as by the use of standard contractual clauses or binding corporate rules (BCRs). By using an access-restricted, permissioned Blockchain network, the Velocity Network Foundation can assure that network access is granted in compliance with privacy regulations.