Digital Credentials: legal proof and data privacy

Aurélie Bayle is legal consultant and PhD CIFRE student at the University of Montpellier. She has been supporting the blockchain start-up BCdiploma since its creation.

  • Digital Credentials are digital certificates issued by an institution. Diplomas, skills or transcripts for the educational world are micro credentials examples… and whose blockchain makes it possible to secure and store data and proofs of authenticity.
  • Why the blockchain? This new tool have all the assets required in terms of transparency, security and decentralization.
  • What legal value for a digital credentials blockchain? There is no “legal loophole” in current positive law preventing the admissibility of any evidence recorded in a distributed register.
  • Are personal data protected? While the regulation does not apply to the technology as such and the protocol itself, it does apply to third parties interfaced with the blockchain. BCdiploma provides the set of tools that allow processing operators to implement the GDPR.

BCdiploma team thanks Aurélie Bayle for the research note presented below.

From time immemorial, Mankind has always shown a willingness to put down in writing, to save and record certain information relating to his daily life or even his exchanges. Since the clay tablets and after the invention of paper, printing, reprography and computers, the time has come for the registers so dear to Mankind to experience a new era.

Why the blockchain?

Blockchain technology is sometimes unclear to many: this is the subject of much discussion, but few grasp the technological complexity behind this new tool.

The Blockchain is often compared to a secure, public, unalterable ledger, held by all the users of the network (therefore decentralized) and containing all the transactions or actions carried out since its creation. This new tool thus seems to have all the assets required in terms of transparency, security and decentralization.

The latter, although initially covered in the media from a financial and transactional point of view, deserves special attention as it allows for various uses in many sectors. The blockchain is not just about Bitcoin fluctuations. Some States or institutions even use it for sovereign activities, while the private sector is taming it at the same time, offering new opportunities and the emergence of new economic models. Startups have a key role to play here in democratizing the use of this technology with ever more innovative use cases at the service of individuals.

BCdiploma has indeed followed the same logic by granting credentials a prominent place in the Ethereum public blockchain, and, more recently, in Binance Smart Chain. BCdiploma’s smart contract is currently the blockchain ecosystem with the largest number of academic institutions. The certification service applies directly to a variety of use cases: diplomas, micro credentials and Open Badges, continuing education, ISO certifications, notarial certificates, etc.

The blockchain responds to issues of traceability and timestamping: the digital fingerprint contained in a transaction is stored indefinitely in order to ensure the immutability of this data, as well as the integrity of the document. The debates on the admissibility of the blockchain as a legal proof mode quickly aroused the interest of jurists. Drawing a parallel with electronic writing (enshrined by the law of 13 March 2000 as “written proof”), recordings with the blockchain as a support deserve reflection.

For the time being, ordinary law does not prevent such authentication from being admissible as evidence, and there is nothing to suggest that the legislature is taking an opposite position. Indeed, it has increasingly acknowledged the potential of the blockchain for a few years now (Ordinance on mini cash vouchers of 28 April 2016, Vocabulaire Informatique of 26 May 2017, PACTE bill, ministerial response of 10 December 2019, etc.). There is no “legal loophole” in current positive law preventing the admissibility of any evidence recorded in a distributed register.

For now, French law enshrines the principle of freedom of proof for legal facts or private acts for which the amount is less than €1500, and the Civil Code sets out 5 modes of proof: literal proof, oath, confession, presumptions and testimony. While this list seems restrictive, it is important to note that the judge has considerable latitude to admit new forms of evidence, which some jurists describe as admission by “assimilation or capillarity [V. Magnier, Enjeux de la blockchain en matière de propriété intellectuelle et articulation avec les principes généraux de la preuve, Dalloz IP/IT 2019 p76 ]”. In the absence of legal consecration of the blockchain as a fully-fledged and autonomous proof mode, as Italy has been able to do in particular for time stamping, electronic recordings on the blockchain are nevertheless considered to be beginnings of proof or “elements of proof participating in a bundle of converging clues”, and contrary elements of proof may be opposed to it and submitted to the judge on the same basis. The era of Judges 3.0 must then begin, or involve the use of designated experts to “translate” lines of code as needed.

In addition, beyond the intimate conviction of the judge to admit the admissibility and value of evidence based on the blockchain, the parties can also influence the admission of this technology as evidence. Indeed, the order of February 2016 reforming the law of contracts, the general regime and the proof of obligations has opened the way to conventions of proof long disputed within the doctrine. Thus, for provisions which are not a matter of public policy, the parties may freely provide for the admissibility and probative value of a writing recorded on the blockchain in the same way as an electronic writing. In particular, this is the proposal integrated by BCdiploma in its General Terms and Conditions of Use for the user institutions of its service.

What about personal data and blockchain credentials?

The GDPR, which entered into force in May 2018, is now the new reference text for the protection of personal data, and has inspired the international level to initiate regulations for the protection of the privacy of individuals.

At the heart of the regulation: personal data. These are defined by the GDPR as “any information relating to an identified or identifiable natural person”, and it should be noted that the diploma or the public key (pseudonym) of the users fits easily into this qualification, however broad it may be. While the regulation does not apply to the technology as such and the protocol itself, it does apply to third parties interfaced with the blockchain, in this case BCdiploma.

As subcontractors concerned about the conformity of the processing of personal data, they are the ones who guarantee and implement the technical security measures for the processing of graduates’ encrypted data. On this point, the standard encryption techniques (AES-256) and cryptography (key tryptic) used by the solution secure user data by design. They have no access to graduate data and the persistent key to exercising a graduate’s right to be forgotten remains stored within the institution. The institutions issuing the diplomas remain, moreover, responsible for processing the issue of the diploma. Finally, the provision of the decentralized technical solution by BCdiploma is accompanied by a reminder to the institutions of their obligations in terms of personal data protection (information of graduates, accountability, etc.).

From the point of view of graduate students, if the term “blockchain” can be puzzling or disturbing with its complexity, everything has been thought of to set up a simple, free and practical access, allowing them to promote their authenticated skills, without losing control over this personal data which they freely dispose of and for which the GDPR and the French Data Protection Act give them exclusive rights.

Can we concretely expect the exercise of a “right to be forgotten” on the blockchain and comply with the principles set out in the GDPR?

At first glance, blockchain and right to be forgotten do not seem compatible. Inalterability and decentralization not only imply that the registry is indelible, but above all that it is shared among all users who have historically recorded copies. In the event of exercising the right to be forgotten, one would therefore expect to have to go against the very principle of blockchain’s inalterability, but above all to interfere with the set of registers of each user individually in order to delete the desired encrypted data.

With its triple cryptographic key process (graduate key/persistence key/institution key), BCdiploma has found the right balance to comply with the European Regulation: the graduate just needs to ask the institution to delete the persistence key, and it will remain impossible for anyone to decrypt or even trace the encrypted data in the blockchain. The permanent and definitive illegibility of the encrypted data is interpreted in a similar way to the erasure expected in Article 17 of the GDPR.

Obviously, the right to be forgotten is not the only modality of the GDPR that is intended to apply, but it is instinctively one of the first questions that arise when it comes to blockchain. This compliance demonstrated by BCdiploma is a guarantee of credibility and responsibility towards its clients and partners.

Aurélie Bayle
Legal consultant for the be-studys R&D business unit within the be-ys group. PhD CIFRE student at the University of Montpellier, preparing a thesis on the compatibility of distributed registers with respect to the European General Data Protection Regulation (GDPR) under the supervision of Professor Mainguy.

[title[Digital Credentials: Definition and Legal Issues with Blockchain]] [description[Debates on blockchain’s legal proof for digital credentials intrigue jurists. BCdiploma and legal consultant Aurélie Bayle assess the situation.]]