Proving GDPR, CCPA, and Privacy Compliance with Hedera Consensus Service
Jun 15, 2020
by Paul Madsen
Head of Identity, The HBAR Foundation

Regulations like the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) specify strict rules for how businesses collect, store, and share individuals’ personal data.

A key principle of the GDPR is that an organization must be transparent in communications with data subjects when providing information about the processing of their data. The GDPR requires that data controllers inform data subjects about how their data will be processed - including detailing the type of data collected, the purpose for which it is collected, and the data subject's rights with respect to any collected data, including the rights of access, of rectification, and of erasure.

Additionally, according to the GDPR, not only is an organization responsible for complying with data protection principles – it is also responsible for demonstrating that compliance. In other words, it is not enough to do right, an organization may need to be able to prove that it did right.

Hedera Consensus Service (HCS) can help with both GDPR implications, which we have explored in-depth in our new paper, Data Privacy Compliance using Hedera Consensus Service. By using HCS an organization can address the requirement of transparency in communications with a data subject and, in so doing, create an audit trail of the underlying data processes in support of demonstrating compliance.

Managing a User's Search History

As an example, consider a search engine that collects users’ search history in order to provide a customized experience. That search history may be considered personal data and must be processed in compliance with GDPR (if the search engine serves EU citizens).

The search engine will use HCS to commemorate key interactions with a user, Carol. For instance, after obtaining Carol’s consent for the collection of search history, the terms of that consent (not the search data itself) would be logged via an HCS message sent to the Hedera Hashgraph mainnet. It would likely not be the actual consent terms sent in the message but rather a hash of those terms. After being assigned a consensus timestamp, that message (and the consent details within) could be stored by the search engine (and even perhaps a separate application Carol uses to manage her consent decisions). If Carol wished to subsequently modify or remove her consent, then those changes would be recorded through additional HCS messages.

That ”consent receipt,” logically backed by the trust of the Hedera mainnet as to its integrity and provenance, would subsequently provide to Carol cryptographically secure evidence of the consent she gave to the search engine. Concretely, the search engine would be unable to later claim that Carol had given a less restrictive consent – the consent receipt records the details of the consent and the date on which it was given.

Critically, the consent receipt, and its history, also provides to the search engine a mechanism to demonstrate GDPR compliance as it is a concrete manifestation of the search engine’s practices and processes that GDPR stipulates. The search engine can point to the history of the receipt, and its cryptographic trust from the Hedera network, as evidence it has instituted the necessary policies and procedures.

Similarly, HCS can be used to enable a model of Decentralized (sometimes referred to as ‘Self-Sovereign’) Identity – a model of identity management that can give users more control over their identities and related data – this empowerment consistent with the GDPR’s fundamental principles. Hedera has recently defined specifications and released an SDK that support how Decentralized Identity model can be implemented via HCS messaging.

We explore the above, and more broadly the relationship between HCS & privacy regulation compliance, in a new paper called, Data Privacy Compliance using Hedera Consensus Service.