A formal model for blockchain-based consent management in data sharing

Consent is one of six legal bases for personal data processing mentioned in the General Data Protection Regulation (GDPR). The GDPR is a privacy law giving European Union (EU) citizens authority over personal data. It enforces software systems to collect, analyze, and share only necessary information (‘data minimization’) following the specific purpose (‘consent’). The GDPR defines consent as permission of individuals (‘data subjects’) to give organizations (‘data controllers’) processing their personal data. Without a data subject's consent, the data controller processes personal data unlawfully. Therefore, consent management is an essential component of a software system to build data subjects' trust and engagement. However, sharing data can lead to a potential loss of control over personal data, as data are across boundaries between software services. One of the significant risks is caused by a lack of developers' experience in data protection practices. Hence, in this paper, we propose to use blockchain technology to manage data subjects' informed consent for data sharing to build trust, transparency, and traceability to share data across software services. We formalized the semantics of smart contracts to extend the blockchain features to validate the consent authorization and manage the request-response interaction between the services. Furthermore, we used the Event-B method to describe the dynamic behavior of the proposed model and prove its correctness. Finally, we provided a mapping from the formal model to a smart contract class diagram and a prototype called SmartDataTrust implemented with solidity and Python REST API that developers can easily utilize.