GDPR, Blockchain, and the U.S. Dept. of Education’s Summit on Blockchain

Guest Post by Melissa Layne, AVP of Research and Innovation and Editor-in-Chief, International Journal of Open Educational Resources


Last year was undoubtedly a whirlwind in the world of technology, both good and bad. Taking effect a little over a year ago, the General Data Protection Regulation (GDPR) changed the way tech giants such as Google, Facebook, AWS, Apple, and others collect and use their consumers’ personal data. To date, 89,271 data breaches have been reported by the GDPR Data Protection Authorities. Although GDPR appears to be an important move to increase security around personal data, a growing number of tech companies whose products depend on data for their core functionality have been negatively affected.

Let’s take a look at Artificial Intelligence (AI) systems, for example. In circumstances where AI is used by a financial institution as an automated decision-making system — say, in offering a home loan — a GDPR data privacy policy does not adequately address a subject’s “right to an explanation” to the “how” or “why” the subject was accepted or rejected for the loan. Because AI works through continually changing algorithmic logic and models, it will be difficult for these institutions to develop clear-cut language for compliance. Companies that use other trending technologies such as machine learning, data & analytics, virtual reality (VR) & augmented reality (AR), and cloud computing may also have similar issues regarding the accuracy of their explanations for GDPR compliance.

Despite the GDPR disclosures about how their personal information is being used, people are fascinated by these technologies. Many of us already use them via interactions with smartphone/computer/tablet screens, wearables, appliances, cars, thermostats, baby monitors, smart speakers, sensor-embedded clothing, and wearable health monitors. Although not yet available for use by the masses, our “face” data continues to be collected by facial recognition-enabled surveillance cameras mounted on street corners. I wonder how the first company to utilize that data will provide its GDPR disclosure to those whose images have been collected.

For the most part, people are not aware of the personal data that is collected by these purchases. I’m pretty certain that most people who bought Amazon’s Echo are not aware that conversational data are being collected right inside their own home. In short, the data collected from these items are never-ending.

As mentioned above, GDPR has not adequately addressed these deficiencies in language around emerging technologies. Not only have several tech companies voiced these concerns, but a growing number in higher education have also voiced skepticism, reflecting frustration with the regulation’s shortcomings around emerging technology.

On May 15th, Alison Cool, Professor of Anthropology and Information Science at the University of Colorado Boulder, wrote an opinion piece in The New York Times entitled “Europe’s Data Protection Law Is a Big, Confusing Mess,” representing attitudes at many higher education institutions and calling the regulations “staggeringly complex,” “intentionally ambiguous,” and “based on already outdated assumptions about technology.” Even worse than ambiguous regulations, however, are those that are too explicit. In her article, a law professor shared his thoughts about the GDPR approach to data mobility: “I think it’s very clear that they imagined some company that has your data physically stored somewhere, and you have the right to take it out.” However, in a world with big data and cloud infrastructures, data are not stored in one place.

While it may be some time before there are some possible solutions to these data privacy issues and emerging technology, there is one technology quickly gaining the attention of several industries, organizations, and governments–including the EU, in a good way. For many companies, this disruptive technology is already positively impacting personal data privacy, mobility, security, verifiability, accountability, and consent. By design, we are only just discovering that this technology serves as a “friend” to GDPR by addressing not only its shortcomings but actually being a viable solution to the data issues that GDPR was meant to prevent. The technology, and remaining focus of this article, is Blockchain.

Here are some of the ways GDPR and blockchain work together:

  • Self-Control of Data. The main aim of GDPR is to give individuals the right to control their personal data, access it more easily, have it rectified, be forgotten, port it, consent, and be informed. With blockchain, any digital asset, including data, cannot be changed or controlled. The only “controller” of an individual’s personal data is the person himself. In terms of data portability, blockchain allows individuals to retrieve and reuse their own data. This portability also allows users to always keep their own digital identity verification with them, so they can share their data securely.
  • Secure Data Processing. GDPR states that controllers and processors of data must take appropriate measures to ensure a level of security appropriate to the risk. The built-in functions of blockchain support security with cryptography, consensus mechanisms, decentralization, and traceability.
  • Consent. Processing of data under GDPR terms is subject to the subject’s consent to do so. Blockchain records, manages, and tracks consent between those involved in consensual data exchange.
  • Data Compliance Accountability. Although the GDPR website provides a wealth of resources on ensuring compliance, it’s ultimately up to each enterprise to demonstrate and document GDPR compliance with items such as a governance model, risk assessments, a system of record-keeping that incorporates data protection measures and audits, etc.

A blockchain application used alongside these items provides additional verifiability and keeps track of the current status of the data as well as all of the changes that have been made since it was initially recorded to the blockchain. For example, in the International Journal of Open Educational Resources, the academic journal for which I serve as Editor-in-Chief, I have implemented blockchain to record authors’ research articles. Each time an edit is made to an article, it is “stamped” with a hash and displayed in the Merkle Tree. Any edits made after that initial “stamp” are also recorded, given a different hash, and displayed on another branch of the Merkle Tree.
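The revision “stamping” described above can be sketched as follows. This is an added example, not the journal’s own code: it assumes SHA-256, RFC 6962-style leaf/node prefixes, and promotion of an unpaired node, and the sample revisions are constructed.

```python
import hashlib

# Constructed sample data: three successive revisions of one article.
REVISIONS = [b"v1: initial submission", b"v2: reviewer corrections", b"v3: copyedited final"]

def leaf_hash(data: bytes) -> bytes:
    # The 0x00 prefix keeps a leaf from ever being mistaken for an inner node.
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(revisions):
    """Return every tree level, leaves first; an unpaired node is promoted unchanged."""
    if not revisions:
        raise ValueError("at least one revision is required")
    level = [leaf_hash(r) for r in revisions]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # promote instead of duplicating the last node
        level = nxt
        levels.append(level)
    return levels

def merkle_root(revisions) -> bytes:
    return build_levels(revisions)[-1][0]

def inclusion_proof(revisions, index):
    """Sibling hashes (with their side) needed to recompute the root from one revision."""
    proof = []
    for level in build_levels(revisions)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify(revision: bytes, proof, root: bytes) -> bool:
    """Recompute the root from one revision and its proof; any altered byte changes it."""
    h = leaf_hash(revision)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root
```

A verifier holding only the published root and a proof can confirm that a given revision is part of the record without seeing the other revisions.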

Fortunately, the European Union Parliament has recognized the affordances that blockchain provides (by design) within the GDPR construct, and it is currently in the process of adopting a resolution for blockchain’s co-existence with GDPR. This friendship of regulation and technology opens many opportunities for all kinds of industries.

In addition to the tech industry, higher education will also greatly benefit from this partnership. As campuses gradually discover ways in which blockchain can enhance applications and efficiencies of students’ learning data, we are also exploring ways in which blockchain can be used within the entire higher education ecosystem (as blockchain is meant to be used across multiple entities). My EvoLLLution article series lays out such an ecosystem.

Not only has blockchain piqued the EU’s attention, but it has also been a strong topic of interest to the U.S. Department of Education. Last month, I was invited to participate in the Summit on Blockchain in Education, hosted by Sharon Leu, of the U.S. Department of Education’s Office of Educational Technology in Washington, D.C. As the Office of Educational Technology’s mission is to promote achievement and increase opportunities through the use of technology in education, they see potential for education blockchains to help empower learners to display and exchange their learning achievements in a marketplace of skills. Toward this goal, as a community, we were tasked to investigate three questions:

  1. What are the policies that will impact or be impacted by a student-owned, blockchain-based learning records infrastructure? For example, how will this allow us to refine our approach to student privacy, data security, and digital identity?
  2. In the rapidly evolving technology environment, can education stakeholders develop consensus on a set of open standards and practices that will ensure the flexibility and interoperability of blockchains used for digital credentialing?
  3. What principles should we apply to the design and implementation of blockchain-based credentialing systems to ensure social mobility and individual protections, especially for currently disadvantaged populations?

You will notice that these questions include GDPR-related language: “student-owned,” “privacy,” “data security,” “digital identity,” “social mobility,” and “individual protections.” Therefore, ongoing conversations around blockchain design, infrastructure, implementation, principles, standards, etc. will also be coupled with GDPR discussions.

In addition to the great honor of being invited to this summit, I was extremely excited to see the DoE modeling such an innovative and strategic vision. Invitees included several industry representatives. These are only a few examples: University Leaders (ASU, UT, California State University, Harvard, Georgetown); CEOs, CIOs, CLOs for large tech enterprises (IBM, Salesforce, AWS); Senior Directors from higher education-related organizations (Educause, WCET, IMS Global Learning Consortium, National Student Clearinghouse, ETS, ACE, CAEL, AACRAO, Burning Glass, Lumina); and of course Blockchain Education companies (Bitdegree, Credly, Credential Engine).

As representatives from a diverse group of organizations, we were able to begin answering the above questions and start mapping out the development of future research and resources to inform policies and practices for education stakeholders. The Summit allowed for the initiation of collaborative activity among industries and the generation of ideas on how to move forward. I had the chance to chat with attendee Mark Leuba, Vice President of IMS Global Learning Consortium and former APUS CIO, who I believe will be instrumental in providing answers and solutions to aspects of the questions above:

“It’s very encouraging to see the education community rally around learner empowerment and employability by leveraging technology innovation and a commitment to scalable, open standards. IMS Global’s over 500 members (including APUS) have laid the groundwork for innovative employer/institution partnerships through development of verifiable and interoperable digital credentials and pathways. APUS’ mission, serving those who serve, is perfectly aligned with the goals of this movement and that of IMS Global. IMS’s evolution of the highly successful open badges standard has revolutionized the potential value of digital credentials as the foundation for a new educational currency, and we believe blockchain holds the potential to play a meaningful role in that ecosystem. We are excited to contribute and participate in this revolution.”

The future of technology, data, and education, at times, may seem uncertain. Last year generated much uncertainty. Participating in the DoE Blockchain Education Summit was an eye-opening experience for me in this regard. Discovering how swiftly regulations, policies, standards, guidelines, best practices, etc. need to be considered and developed in response to certain aspects, functions, and associated complexities that technological innovations present, is not trivial. In this particular instance the eventual outcome, I believe, will be significant. I believe that blockchain will serve as a possible solution to prevent the misuse of some of its emerging technology counterparts. At least, it may provide a near term solution, as progress is relative. Earlier in this post, I discussed the impact that AI has on the way data are collected, analyzed, and applied. However, we are in the early stages of AI development, what some refer to as Artificial Narrow AI’s. These are but pale reflections of what is to come when Artificial General Intelligence or, subsequently, Artificial Super Intelligence is achieved.

When looking at this at a high level, technological advances are getting more and more complex, difficult to understand (let alone explain), and happening more and more quickly. I often wonder how policies like GDPR stand any chance of surviving. In other words, by the time GDPR irons out its current issues around emerging technologies, these technologies will be replaced by newer ones. Therefore, the current requirement to explain the “how” and “why” data are collected to a subject becomes useless. This phenomenon is called “technological singularity” and is the point in time at which technological growth has reached such an extreme pace that it becomes so uncontrollable and irreversible that normal rules no longer apply.

Similarly, if GDPR eventually loses its relevance, how will this affect innovative efforts such as the DoE’s Education Blockchain? Looking too far into the future could cause needless worry, but asking these questions — especially given how quickly our world is changing — at least sparks curiosity and conversations.

For now, we need to concentrate on how realistic solutions can be applied to a rapidly changing world, lest this generation be the one that tilted at windmills in the same fashion that the last calligraphers raged against the printing press.
