At Blockbird we have been conceptualizing a Universal Consent Platform using blockchain technology to facilitate the flow of Data between Organisations but guaranteeing that users maintain clear control over their personal data being shared
Due to the GDPR, organizations which hold user related personal data, cannot share that data with a third party unless given proper consent by the owner (user). Very often, entities are sharing users’ data without adequate consent or even without consent at all. When these consents are gathered, they are usually stored using technologies that are easy to tamper with (and some Organisations are still using paper), which makes it very hard to audit when disputes arise. The systems in place also leave users in the dark regarding their personal data sharing preferences and which entities are effectively holding their personal data, making it harder to exercise their right to be forgotten, conceived in the GDPR.
The Universal Consent Platform is an essential piece of the Data Portability puzzle. Its main objective is to give Organisations a tool to comply with the data protection guidelines and the conditions specified by the user for the use of the data while, at the same time, giving data owners the assurance that their data is being shared legally and only according to their preferences and consent. In order to fulfil its goals, the UCP must respect the following characteristics:
- Simplicity. Organisations should use the Platform for gathering users’ consent in situations where personal data will be (or is being) shared with third parties rather than every time they collect personal data.
- Transparency. The consent requests must clearly specify the personal data attributes being shared, the third party receiving the data and the purpose of use.
- Flexibility. The user must be able to edit the consent requests, eventually choosing to share certain attributes and omitting others, as well as choosing certain third parties while denying others.
- Immutability. The gesture of consent by users must be stored in a database that is immutable for auditing purposes in case of disputes.
- Verifiability. The platform must allow Organisations to verify their users’ consent preferences at any point in time in order to avoid repetitive user consent request interactions.
This system will be using a public blockchain to store the record of consents and will be composed of a user interface (for users and Organisations), a directory service and the blockchain participants – data owners, data holders and data consumers. Users (data owners) will be identified on the blockchain exclusively by their account address. On the other hand, Organisations (data holders) may identify these users on their own servers and databases by their citizen ID. The directory service of our proposed system will store a mapping between each user’s account address and citizen ID.
Each user shall be able to interact with the blockchain through a simple interface in order to manage their sharing preferences. After deciding their sharing preferences, the information will be written on the blockchain, providing the desired tamper proof resistance requirement. Organisations should check the blockchain for the user’s consent when third parties (data consumers) request access to any of their user’s personal information and act accordingly – check whether or not it has been granted consent by the data owner to send the requested data. If no prior consent has been granted, data holders should use our platform to retrieve a consent request from their customers.
Developing a Universal Consent Platform that makes use of a public blockchain to store the record of users’ consent comes with a high degree of complexity. It is essential to guarantee that a Universal Consent Platform is simple to use, has a high level of transparency (while respecting users’ privacy), gives users flexibility in managing their consent preferences as well as in exercising their right to be forgotten, is immutable for auditing purposes, and is verifiable for Organisations to be able to interact with – all at the same time. Below are the main difficulties that need to be overcome:
- differentiating the several organizations interacting with the blockchain
- authenticating the participating parties (users and organizations)
- referencing personal data within the blockchain
- writing consents with varying sizes on the blockchain
- checking user’s consent without disclosing their real identity
- making the users responsible for safekeeping their blockchain keys
Our proposed solution makes use of technology to deliver on the core value of privacy. We believe the next generation internet needs a Universal Consent Platform that puts humans in control of their data. By using blockchain technology as the backbone of our project we are proposing the progressive adoption of advanced concepts and methodologies.
By deploying and integrating our platform with several companies and organizations we expect to provide users with an essential tool to better exercise their right to personal data privacy. Additionally, we also expect our platform to become a reliable auditability source that can be used by regulators in the data privacy field.
Our conceptualized idea of a Universal Consent Platform is of especial importance in the healthcare sector where our solution can play a key role regarding public health and well-being – one of the United Nations’ sustainable development goals. By helping remove a barrier between medical organisations and research and technology institutions, we can facilitate the process of sharing personal medical data thus resulting in both research and technology institutions having access to a much greater amount of data, therefore speeding up the development of new vaccines, treatments and technologies.