The centralization of control over the processing of personal data threatens the privacy of individuals due to the lack of transparency and the obstruction of easy access to their data. Individuals need the tools to effectively exercise their rights, enshrined in regulations such as the European Union General Data Protection Regulation (GDPR). Having direct control over the flow of their personal data would not only favor their privacy but also a "data altruism", as supported by the new European proposal for a Data Governance Act. In this work, we propose a multi-layered architecture for the management of personal information based on the use of distributed ledger technologies (DLTs). After an in-depth analysis of the tensions between the GDPR and DLTs, we propose the following components: (1) a personal data storage based on a (possibly decentralized) file storage (DFS) to guarantee data sovereignty to individuals, confidentiality and data portability; (2) a DLT-based authorization system to control access to data through two distributed mechanisms, i.e. secret sharing (SS) and threshold proxy re-encryption (TPRE); (3) an audit system based on a second DLT. Furthermore, we provide a prototype implementation built upon an Ethereum private blockchain, InterPlanetary File System (IPFS) and Sia and we evaluate its performance in terms of response time.
展开▼
