The Internet Computer blockchain takes a first step towards digital sovereignty in Europe

DFINITY
The Internet Computer Review
8 min read · Dec 18, 2023

The general perception is that the inherent immutability of blockchains and the publicly available data stored on them makes GDPR and blockchain technology incompatible. The Internet Computer challenges that perception with the release of the EU subnet — a feature that enables GDPR-compliant applications.

Written by: Angela Harp

Since May 18, 2018, the General Data Protection Regulation (GDPR) has been in effect, requiring organizations, regardless of their location, to protect the personal data of European citizens. The UK followed suit in the same year with equivalent data protection laws. For organizations, GDPR is one of the world’s strictest consumer privacy and data security laws. GDPR violators are subject to sanctions or harsh fines, with a maximum penalty of up to 20 million euros or 4% of global revenue, whichever is higher. Complying with these laws is not that simple, however. Europe is heavily dependent on remote computing and data storage services dominated by US cloud providers. According to Synergy Research Group, Amazon Web Services (AWS), Microsoft and Google have a 65% share of the world’s cloud market between them.

Naturally, there’s a growing concern in Europe about digital sovereignty and the region’s ability to control its own data and technology. US cloud providers do allow and provide GDPR-compliant web services and applications, including Bring Your Own Key (BYOK) — an encryption key management system that allows enterprises to encrypt their data and retain control and management of their encryption keys. Despite such GDPR-compliant options, conflict between data protection laws could still emerge, as US laws give intelligence and law-enforcement agencies broad powers to access data. And in the case of BYOK plans, some upload the encryption keys to a cloud service provider (CSP) infrastructure, which forfeits an enterprise’s control of its keys.

Is an EU tech giant the answer?

Achieving digital sovereignty in Europe requires establishing digital infrastructure fully under the jurisdiction of European law to allow the region to control its own data and technology. Projects like Evroc, a pilot data center in Sweden, and Ionos, a cloud computing firm positioned as a European alternative to US tech giants, are on their way to building Europe’s first sovereign hyperscale cloud. But building at scale will demand a significant amount of infrastructure, including data centers, servers, storage systems, and networking equipment to catch up with US counterparts. It remains to be seen whether these budding projects will overcome potential resource limitations such as funding or access to the technology needed to deliver on scalability and the effectiveness of the cloud. Moreover, US giants like AWS are looking to get in on the EU sovereign cloud game, making plans to set up shop in the EU.

But at the end of the day, it’s still centralized cloud computing, and personal data will still be in the custodial hands of a few big CSPs. A technology like blockchain has the potential to give organizations an alternative to centralized cloud monopolies.

Blockchain — a promising alternative

The centralized solutions mentioned above all have one major weak point, namely that they are controlled by a single party and the drawbacks associated with that dependency. Blockchain technology was invented to solve single-party reliance by introducing trustlessness. And in many ways it’s proving to be a much more secure platform. Just think, the Bitcoin network has never been hacked!

However, at first glance, blockchain technology and GDPR don’t seem compatible. The general perception is that data on blockchains are immutable and distributed across computers all around the world with no centralized authority. More specifically, they conflict with privacy and GDPR in the following main areas:

  • Right to correct data: Adding data on blockchains is easy, although often very costly, but the inherent immutability attribute of blockchains makes it impossible to change data.
  • Right to be forgotten: Blockchains forget nothing. The same problem of blockchain immutability creates issues of being unable to delete your data from the chain, making GDPR compliance impossible.
  • Preventing company usage of data: If data is wrong or unlawfully collected, GDPR lets you prevent companies from using this data.
  • Unambiguous liability: Who is the data controller & processor? The law states that the data controller (storer of data) is responsible for most of the legal compliance but blockchain infrastructure implies a multitude of stakeholders where no one entity is in control or liable.

These hurdles seem too high to jump over. However, a hybrid blockchain architecture that maintains the advantages of a permissioned blockchain without sacrificing decentralization could allow blockchain and GDPR to harmoniously coexist.

The Internet Computer — a GDPR compatible blockchain

On most blockchains, validators can join the network from anywhere in the world. This in itself prevents most blockchains from being considered for GDPR-compliant business applications. The Internet Computer is vastly different: it is formed by interacting subnet blockchains, and both node membership and the assignment of nodes to subnets are controlled by a Decentralized Autonomous Organization (DAO). Each subnet can be configured separately, and novel sharding techniques enable subnet blockchains to have their own separate state and data while still seamlessly communicating with each other. With such an infrastructure, the Internet Computer DAO can form subnets with nodes that are within one geographical area. In particular, it can create EU-regional subnets that host node machines solely running on European soil.

And as for the list of hurdles above, the Internet Computer can jump high. Here’s how an EU subnet solves the pain points of blockchain and GDPR compatibility:

  • Right to correct data: While state is public in traditional blockchains, the Internet Computer does not store the whole history of the blockchain, and its state is not public. Only the current state is kept, and dapps are in full control of the data stored.
  • Right to be forgotten: Dapps can delete and correct data, as the smart contracts on the Internet Computer are customizable and allow for such features.
  • Preventing company usage of data: Dapps are the data controllers and can customize access control via flexible smart contract software.
  • Unambiguous Liability: To preserve the decentralization of the network, each node provider is verified and voted in by token holders via the Network Nervous System (NNS), the DAO that governs the Internet Computer. The NNS is a decentralized algorithmic authority that oversees the network’s operations and evolution. It is responsible for admitting new node providers to the network, as well as assigning them to subnets based on community member votes.

The trust factor

So, why trust an EU subnet and its node machines with personal data over a traditional CSP? And how can the network be trusted to maintain GDPR compliance for an EU subnet?

As mentioned above, each node provider is voted in by members of the NNS DAO that governs the Internet Computer. In addition, the Internet Computer technical roadmap includes two new features that will enable dapp developers to ensure the privacy and security of user data within the guidelines of the GDPR.

The first is Verifiably Encrypted Threshold Key Derivation (vetKeys), which will allow developers to easily add end-to-end encryption capabilities to applications, ensuring that sensitive data remains protected within the blockchain ecosystem. vetKeys enable threshold decryption, meaning decryption capabilities are distributed across multiple node machines in a subnet to enhance security and prevent single points of failure. In other words, no single entity holds the complete decryption key, which mitigates the risk of unauthorized access. A public demo of vetKeys was recently released for developers to test and build the first beta versions of privacy-preserving applications on the Internet Computer. Applications such as encrypted file-sharing and proof of personhood systems for digital documentation, including medical prescriptions, are already under exploration.

A further initiative is to introduce a feature that secures the boundary node Virtual Machine (VM) using AMD Secure Encrypted Virtualization-Secure Nested Paging (AMD SEV-SNP). This feature will isolate the VM from the hypervisor in the trust model, enabling remote or guest attestation that contains a cryptographic measure that can be used to validate the trustworthiness (good state) of the trusted execution environment on which the guest VM is executing. In layman’s terms, this essentially means that all data on node machines within the EU subnet will be shielded.

AMD SEV-SNP is a pending item on the Internet Computer roadmap for the near future. Its implementation is crucial for an even more secure infrastructure that is sure to make the Internet Computer an ideal choice for building GDPR-compliant applications and services. Additional measures to assign EU-specific boundary nodes to the EU subnet could potentially offer yet another layer of security.

Enabling digital sovereignty

With vetKeys offering data encryption at an application level, and AMD SEV-SNP data protection at a protocol level, the EU subnet will be tamperproof. Not only does this open up possibilities for companies to develop applications unthinkable on other blockchains, companies and end-users alike would also benefit from both the privacy-preserving features and decentralization of the Internet Computer, all the while staying within the bounds of EU regulations. The first European subnet has been newly implemented with node machines in European countries only, including Switzerland, Germany, France, Belgium and Sweden.

This lays a strong foundation for developers and organizations to begin building and deploying decentralized GDPR-compliant services and applications today with absolute digital sovereignty in Europe. The EU subnet opens up the possibility for use cases in various industries with applications such as decentralized health or student records systems that adhere to GDPR, decentralized finance (DeFi) or e-commerce applications with heightened privacy measures to mitigate data breaches and unauthorized access, and multi-entity provenance workflows for secure document-sharing.

Nudging toward self custody

Using blockchain technology to achieve GDPR compliance is an ongoing area of exploration and research that requires close collaboration among regulators, technologists, and legal experts to strike a balance between data protection regulations and the benefits blockchain has to offer. But perhaps the real problem is the underlying fact that users are currently not in control of their data, but instead delegate control to mostly US-based cloud providers. In a world where more and more private data is being electronically stored, companies storing this data need to be trusted and held accountable for safeguarding it, no matter the location. GDPR is a great first step, as it sets strict regulations on acquiring user consent to use data. However, it keeps companies as “custodians” of user data, even if not owners.

The question is — are we as users ready for digital sovereignty? Having full control of our own personal data does come with serious responsibilities. No doubt, a nudge towards the self custody of assets and personal information will take a major mindset shift, but technologies to support adoption already exist. Zero Knowledge Proof (ZKP) technologies, for example, enable the proof of something about an individual without revealing personal data.

As for the Internet Computer, it is already equipped with Internet Identity (II), an authentication system that combines public standards such as WebAuthn and FIDO with chain-key cryptography, allowing users to prove something about themselves without revealing sensitive information. This powerful capability embodies a Web3 vision where digital sovereignty means users have full ownership of their data. Ultimately, the Internet Computer supports user control, decentralization, fine-grained dapp transparency and updatability — all integral building blocks for creating a future GDPR-compliant landscape on blockchain technology.
