User privacy online is one of the biggest debates of modern times, and one that’s incredibly complex from any perspective. It’s now eight years since Edward Snowden blew the doors off the state of mass surveillance by big tech firms, forcing the world to wake up to the fact that our data is harvested and used far more extensively than we thought.
Although the US and British governments were privy to this fact, many European countries were not. The net result was the General Data Protection Regulation, far-reaching legislation that puts obligations onto every business handling any data for EU citizens, regardless of where they are in the world.
This year will mark three years since the GDPR became effective, and it’s hard to say whether or not it has achieved its intended goals. From the big tech perspective, there have been some wins for users.
A case in point is the recent news headlines regarding WhatsApp, which announced changes to its rules requiring that users agree to their data being shared with its owner, Facebook. The move caused an uproar on social media and resulted in the Turkish government launching an antitrust investigation. However, EU users are exempt from the changes, thanks to the protections afforded by the GDPR.
However, it seems like a relatively minor win. Privacy campaigners point out that the cookie banners that all Europeans must now navigate are doing little to help prevent users from leaving a trail of data online.
If Users Have It Bad, Do Businesses Have It Worse?
Meanwhile, the regulation has created a massive burden for businesses, many of which have incurred high compliance costs. A 2020 report found that companies have spent an average of $1.3 million to meet their GDPR obligations, but fewer than 50% had achieved full compliance.
It’s a cruel irony that many businesses are often required to keep user data by law as part of their daily operations. For instance, renting a car requires showing your license, or staying in a hotel involves handing over a passport. The GDPR governs this data for all businesses transacting with EU citizens. Even small businesses based outside the EU face a compliance burden if they’re offering services to those within the EU.
According to Lone Fønss Schrøder, CEO of Concordium, blockchain technologies could provide a much-needed answer to the conundrum between user privacy and enterprise obligations under the GDPR. In a recent interview, she told Insider Monkey that “using zero-knowledge proofs as we do in our Global Identity app, [businesses] can ease GDPR issues.” How does it work, and could it really help businesses overcome the demanding challenges of the GDPR?
A Self-Sovereign Identity Approach
Over recent years, the idea of using blockchain as a platform for self-sovereign identity has been discussed often. The same technology that we use to secure and spend Bitcoin could also be applied to personal data. Users could decrypt any data in their individual wallets using a private key, meaning they decide who gets access to their information and for what purpose it can be used.
Innovator-in-chief Elon Musk has been vocal in his support for this kind of approach. At the Axel Springer Awards in December, where he discussed the hotly anticipated Starship on Mars project, he stated his belief that everyone should own their data and how it is used in applications, including artificial intelligence.
Concordium has taken this self-sovereign identity approach and baked it into its platform. Users who want to transact in Concordium-based applications are required to engage with a real-life identity service provider, who verifies their ID off-chain. The provider then uploads a zero-knowledge proof to the Concordium platform, which serves as an assurance of identity to anyone transacting with that individual. An identity could also have multiple types of ID documentation or attributes associated with it.
For example, a user could have their passport and travel vaccination status verified so that they could take an international flight to a country requiring immunity from Covid-19, yellow fever, or other transmissible diseases. The airline wouldn’t need to see their documents, but they would be able to verify they’re valid via the zero-knowledge proof on the Concordium blockchain. They could also upload documents such as a rental agreement or utility bill to act as proof of residence for opening bank accounts or applying for credit.
Assuring Compliance
The platform also operates a failsafe to help protect businesses from a compliance perspective. For instance, if the financial authorities issued a legal order to identify someone who had received banking services or credit, the company could request the services of one of Concordium’s “anonymity revokers.” Upon verifying the legal request, this party can decrypt the on-chain proof and issue an instruction to the identity provider to issue the identifying documents. Neither party can identify anyone by themselves, meaning users can transact in privacy under most normal circumstances.
For enterprises, Concordium’s self-sovereign approach offers the alluring possibility that they could operate without even needing to take custody of sensitive user data. Doing so would relieve them of many of the arduous GDPR obligations.
The question is, will enterprises be willing to adopt such technology? Lone Fønss Schrøder believes there’s a competitive edge to be gained for first movers, pointing out that “large enterprises should develop a feeling of fear that they will miss out.”
She also speaks of her own lengthy leadership career across a multitude of industry sectors, including banking, shipping, and automotive, to highlight that all of us are always on a learning curve. She talks of how “leaders have to be bold in embracing new innovations” and encourages those in business to “never be afraid to jump into something you might not understand on the surface.”
It’s fair to say she is living her own advice, leading the launch of a platform that’s implementing an entirely new approach to the idea of digital identity and data privacy. Concordium launches on mainnet in the coming months, so it will be interesting to see which big businesses are among the first to step into this arena.