By now, nearly everyone has heard of “blockchains” and “NFTs,” and some universities are even using them to issue and validate transcripts and diplomas. Being able to clearly define them—or define them at all!—is another matter, yet one that is critical for understanding the data privacy implications of using blockchains and NFTs.
So let’s start with definitions:
A blockchain is a decentralized record keeping system. Blockchains can be private or public. A private blockchain is managed by a private entity that decides the purposes of the blockchain, the users of the blockchain, and the processors who validate data before it is recorded on the blockchain. A public blockchain is not managed by any entity. Any person with internet access can use a public blockchain for any purpose, and user data is validated by anyone who chooses to use their computer to validate user data on the public blockchain.
Non-fungible tokens— NFTs—are tradable assets that people exchange with each other, and the exchanges are recorded on a blockchain.
How does a university turn a transcript or diploma into an NFT?
The process of turning a transcript or diploma into an NFT usually looks like this: First, the university uses a third-party software application, or it creates its own software application, to assign itself a unique blockchain ID consisting of a series of randomly generated characters and to enable itself to record on a public blockchain de-identified data from a transcript or diploma. Next, the university invites a student to receive their transcript or diploma in the form of an NFT, often referred to as a “digital transcript” or “digital diploma,” and the student follows simple instructions to automatically generate their own unique blockchain ID. The university then uses a cryptographic mechanism such as a commitment scheme, hash function with a key, or encryption to de-identify the transcript or diploma data; assigns ownership of the de-identified data to the student’s unique blockchain ID; and submits the record of ownership to be recorded on a public blockchain after it is validated by the blockchain’s processors, often referred to as “miners.”.
The end result is a record stored on a public blockchain, essentially consisting of the university’s unique blockchain ID, the student’s unique blockchain ID, the de-identified transcript or diploma data, and the date and time that the university assigned ownership to the student. Whenever the student needs to show their transcript or diploma to a credential checker, such as a potential employer, the student can cause the transcript or diploma data to be re-identified, and the employer can reference the public blockchain record to verify that the transcript or diploma was truly issued by the university to the student and was not fraudulently produced.
Why would a university issue a transcript or diploma as an NFT?
Issuing a transcript or diploma as an NFT enables credential checkers, such as employers, universities, or government agencies to quickly, easily, and certainly ascertain the validity of a transcript or diploma. Traditional degree verification processes can be extremely long, complicated, and expensive, but degree verification is often required by law or policy for employers or academic institutions to accept education credentials, particularly foreign education credentials. For example, the U.S. Department of State warns that its foreign degree verification process for job applicants may take weeks to months and usually involves multiple third parties, such as translators and credential evaluation services, all hired at the cost of the applicant.
On the other hand, recording on a blockchain ensures the highest degree of data integrity, as data recorded on a blockchain can never be edited or deleted. Thus, reference checkers need only to click a link to check the blockchain record, eliminating the need for third-party translators and credential verifiers. Furthermore, a blockchain’s decentralized nature ensures that blockchain records are highly secure, Because a blockchain record keeping system is distributed across peer-to-peer computer networks throughout the world, it is impossible for a hacker to gain control of a blockchain through a single compromised computer, and there is virtually no way for a hacker to gain control of a blockchain at all if the blockchain is as large as most public blockchains tend to be.
As NFT diplomas and transcripts become more commonplace (e.g., the Vietnamese government recently started requiring all Vietnamese schools to record all diplomas and certificates on a blockchain), more credential checkers will likely start accepting NFT diplomas and transcripts as verified credentials. And, as NFT diplomas and transcripts become more widely accepted by credential checkers, colleges and universities that offer NFT diplomas and transcripts will have a growing competitive edge over institutions that do not provide their graduates with credentials in a format that is so easily verified.
Is transcript or diploma data recorded on a blockchain subject to GDPR or China’s Personal Information Protection Law (PIPL)?
There has not been any official guidance under GDPR or PIPL on whether de-identified blockchain data is subject to the laws, but the French Data Protection Agency (CNIL) has published informal guidance taking the position that a user’s unique blockchain ID and any additional personal data recorded on a blockchain in association with a user’s blockchain ID are potentially subject to the GDPR. While Chinese regulatory authorities have not published any similar informal guidance, it is conceivable that they may adopt a similar position, given the similarities between the scopes of the GDPR and the PIPL. Therefore, universities that have establishments in China or the EEA or that offer their services to people located in China or the EEA (especially in France) should carefully consider potential PIPL and GDPR compliance risks before issuing transcripts or diplomas as NFTs.
What GDPR and PIPL compliance risks exist in relation to issuing transcripts or diplomas as NFTs?
Issuing transcripts or diplomas as NFTs potentially gives rise to compliance risks under three areas of GDPR and PIPL: data processing agreements, cross-border transfers, and data subject demands.
When a university records a transcript or diploma on a blockchain, CNIL takes the position that the university is a “personal data controller” under the GDPR because the university defines the purposes (e.g., to ensure data security, to provide students with easily verifiable transcripts or diplomas, etc.) and means (e.g., data format, use of blockchain technology, etc.) of processing. CNIL further contemplates that miners, who validate the university’s issuances of transcripts or diplomas before they are recorded on the blockchain, may be considered data processors processing personal data on behalf of the university.
When recording transcripts or diplomas on a public blockchain, this relationship with miners gives rise to two potential risks under the GDPR, which should be analyzed similarly under the PIPL. First, if the miners are in fact processing personal data on behalf of the university when they validate the issuances of transcripts or diplomas, the GDPR and the PIPL require the university to include certain terms in contracts with the miners. However, as described above, literally anyone in the world with internet access can potentially be a miner on a public blockchain, making it impossible to execute contracts with them all.
Second, because miners could potentially be located anywhere in the world with internet access, it is likely that some or all of them may be located in countries outside the EEA and China. In such cases, the GDPR and the PIPL usually require a cross-border transfer mechanism, such as standard contractual clauses, to be in place prior to allowing the miners to validate the issuances of transcripts or diplomas, which again would likely be impossible to execute between the university and all miners. In addition to a cross-border transfer mechanism, the PIPL also requires the university to obtain informed consent from each student whose transcript or diploma issuance will be validated by miners located outside China. Such informed consent must include the names and contact information of each miner, which would likely be impossible for the university to obtain.
Lastly, CNIL cautions that it is “technically impossible” to fully comply with a data subject’s right to delete data, a right which also exists under the PIPL, after a transcript or diploma is recorded on a blockchain, as data recorded on a blockchain is impossible to erase. CNIL’s informal guidance falls short of giving the green light to disregard this technical impossibility, but it does offer advice on how to de-identify transcript or diploma data at the time it is recorded on a blockchain so that the university can later make the data “practically inaccessible” in response to a deletion demand.
What can universities do to mitigate GDPR and PIPL compliance risks in relation to issuing transcripts or diplomas as NFTs?
For universities that are subject to the GDPR and are considering issuing transcripts or diplomas as NFTs, CNIL offers the following advice to mitigate GDPR compliance risks, which can be applied equally to mitigate PIPL compliance risks:
Perform and document a data protection impact assessment evaluating the benefits and risks of issuing transcripts or diplomas as NFTs.
Consider how you might meet your objectives without using blockchain technology (e.g., if your objective is to create highly secure records of transcripts and diplomas, consider other ways to secure data, such as implementing highly sophisticated cryptographic mechanisms).
Record transcripts and diplomas on a private blockchain rather than on a public blockchain so that data miners are identifiable parties with whom the university can execute necessary contractual terms; however, using a private blockchain requires more careful assessment of security risks, such as the minimum number of computers that would need to be compromised for a hacker to gain control of the private blockchain.
De-identify transcript and diploma data as much as possible before recording it on a blockchain; in order of preference, CNIL recommends the following cryptographic mechanisms: commitment scheme, hash function with a key, or encryption.
Ensure the security of any cryptographic keys needed to re-identify the transcript or diploma data.