GDPR or HIPAA compliance

Is Storj GDPR or HIPAA compliant yet? If not, what are the factors responsible for the same?

No.

You should read this post. If you still have more questions then do update this post. :slight_smile:

1 Like

@nerdatwork which part of the article answers the question about GDPR? I can’t see anything related

Is there an update on GDPR?

Apparently the list has been truncated. The original Q&A had, if I remember correctly, 22 entries but only 12 are shown.

Here’s what is missing from it

Also note this reply from @jtolio (CTO @ Storj)

1 Like

thank you for that.

I guess the answer is still no then judging from that and other responses in the forum

1 Like

Yes, you are right. Mostly because of the world-wide spread of your data across 93 countries and the requirement to conclude agreements with the service providers, i.e. with SNOs.

2 Likes

These regulations unfortunately aren’t really ready for decentralized storage. They assume that physical access means access to the underlying data, even though it’s completely impossible to gain that access for node operators. It would be awesome if they could be updated to allow for the kind of cryptographic, no-trust-needed scenarios that are deployed here. But we’re likely not going to see that any time soon.

4 Likes

That’s true. But that’s not what enterprise grade customers would do. At least for those Storj has or should have good knowledge of how they are going to use the service.

As the EU satellite has so many accounts it could be that there are many, many non-enterprise-grade customers using Storj DCS for backups. The EU could be reluctant in adopting new services. I am from Germany, so I know especially Germans and German companies are very reluctant and careful when it comes to cloud data storage. Maybe even the more restrictive data protection requirements could be a reason for generally slower adoption here, as Storj DCS still has no GDPR compliance certification.
But if you as a company know all such reasons you can tailor your product or market approach accordingly to cater for that. Generally speaking, knowing your customer is a key to success because then you know as a company what you should do and what you should not do.

Ok, I get what you’re saying. I thought you meant it as if something might be wrong etc. As for GDPR compliance, although I believe the Storj network probably meets or even exceeds the criteria, who knows if / when it will happen. I would think it would be on their radar, but oftentimes regulators have a hard time catching up to emerging technologies so it could still be a while. Hell, I’d even speculate that this type of data storage might even render GDPR obsolete in the future.

No no, it’s just about understanding why there is such a discrepancy and then using that maybe to adjust product or strategy. Maybe it is as simple as a language barrier sometimes.

True, but this is a real obstacle, as a larger business cannot really risk putting its data on non GDPR compliant storage. Speaking for Germany, GDPR compliance together with geofencing would be really, really important to attract customers from public sectors as well as enterprise grade customers.

I don’t see that. GDPR is much much more than only about data storage. But I agree that regulators did not have this kind of encrypted, zero-knowledge and decentralized storage on their radar when the GDPR was created.

I’m not familiar enough with GDPR to speculate beyond the data storage part. The only other parts I know about it is in regards to how data is used / process etc, however since the data is encrypted on the client side that doesn’t really apply to this technology either. Again, I’m sure there’s probably still more to it, but maybe that just means this sort of tech will be relatively easy to get certified once regulators understand it.

No speculation needed. Here is the full text: Regulation - 2016/679 - EN - gdpr - EUR-Lex

The GDPR has several objectives. It is not just about data storage. It harmonizes the view on personal data by providing definitions. It assures rights to the individual and commits providers to certain obligations, like what data to store at all, obligations to provide stored data upon request, data transfer and data deletion and much more.

Yes for the certification of the data storage part but this

once regulators understand it

could be a real problem. :smile:

1 Like

So I skimmed through that quickly and it mainly just seems to be referring to personal data and how it’s used / processed, so I guess I knew more than I thought. So like I suspected, since Storj in this case doesn’t even have access to your personal data other than your account info (which I suppose qualifies but isn’t really substantial) used to sign up, there’s no way for them to do literally anything with any of your personal data even if they wanted to. Other than the absolutely necessary processing of the encrypted data in order to distribute it to and retrieve it from the network there’s nothing else that can be done with it. So unless I’m missing something else here, and please point it out if I am, it would appear that GDPR in terms of this technology is kind of a moot point.

Yes, regarding Storj and the technical way data gets stored, meeting the corresponding GDPR criteria should be no question. But there are other things to overcome. For example, if I remember correctly it was mentioned that GDPR in its current version might require a written and legally binding contract between Storj and every single SNO, and more, to document compliance with the GDPR standards.

But when I wrote that the GDPR is not just about data storage, I had not just Storj or the SNOs in mind. That’s why I did not agree with your statement that the GDPR might become obsolete. Because it is also about how the data can be used and about the rights of the data subject etc. This of course is more geared towards the customers who are using Storj DCS for data storage.

Yeah I get what you mean there. That’s kinda partly what I was thinking about in regards to regulation catching up to the tech. Meaning there’s probably a bunch of standards to meet and boxes to check that are completely understandable for the current tech but might either be redundant, irrelevant, impractical or maybe even impossible to meet simply due to the differences in both the tech as well as procedures involved despite the fact that it’s far superior regarding data and privacy protections.

Of course. Customers want to be reassured that their data and privacy are protected. But again, as this tech becomes more and more mainstream and people understand it better, that might be all the reassurance they need for regulations to change and adapt… or disappear altogether in some circumstances.

Trust me, if I didn’t know how this tech worked and you told me my data is being stored on Raspberry Pis in a bunch of nerds’ basements I’d be like yeah, no thanks! But because I understand it, I have no issue with it. I run into this all the time when explaining Storj to people, but once they get it and think about all the data breaches everywhere and the datamining by the big tech companies, they all eventually come to the same conclusion that it sounds much better.

So the next obvious question then is why don’t they use it yet. Simple… how do they? How does your everyday average Joe start using Storj? If you want mass adoption you have to cater to the masses, and no disrespect intended here but let’s face it… the simple fact is the masses are largely burnt-out lazy idiots. And even those who aren’t STILL don’t want to put in the extra effort to figure something out when they can just keep using Google, Apple or Amazon, which pretty much work seamlessly with all their devices. You can’t just have better tech; it needs to be simple and convenient to use. Now I’m obviously referring to the general consumer market here and not commercial, as that’s a different game which I think Storj is handling very well from what I’ve seen. And if that’s all Storj cares about then that’s ok too, but honestly unless they target the consumer market somehow they will never compete with the big tech giants and will always remain a not so well known (except within the tech industry maybe) storage provider. I mean how many average people have even the slightest understanding of how cloud storage works in the first place? Many of them actually think the cloud literally exists in the sky with satellites. Just imagine their confusion when they hear about Storj satellites, lol. Point is, if Storj only ever caters to other developers and the only face people see is theirs, Storj will never develop the name we all hope they will, and will only ever exist in the shadows of other companies.

I know this isn’t something in the works so don’t everyone attack me at once, but I would love to see Storj develop a front-end, feature-rich cloud storage platform with apps for all the devices. I would like to have the standard features: drag and drop uploads, PC / phone / tablet backup and sync features. I want all the photos I take to immediately get synced to my Storj account so I can share them on unsocial media (purely theoretical, I don’t really use them). You get the idea. Do THAT with maybe a 5-10 GB free tier and cheap storage that’s privacy focused, backed up all over the world and that the big datamining tech companies as well as Storj itself don’t have access to, and you’ll start becoming the next best thing since sliced bread. Storj needs to make some money, right? Target the average Joe! Wow, I get off topic quick!

I think GDPR is not a big issue for Storj. They are a storage provider; they don’t target private users but companies and therefore don’t have to deal with private information directly. The GDPR applies to someone who offers a public service and uses Storj to store data. This service provider has to comply with GDPR regulations. The provider has to have, at least in Germany, a data processing agreement (Auftragsdatenverarbeitungsvertrag, AAV; hooray German words :smiley: ) with Storj, which states how and where the data is stored and whether it’s protected against physical and digital access and such.

Maybe this topic can be split @Alexey since we are continuing on the offtopic train.

But Storj needs to be able to execute the corresponding GDPR requirements, otherwise the service provider would not be able to store his data in a GDPR compliant way.
Just take the storage location as an example. The storage provider cannot promise GDPR compliant EU-only data location, if Storj stores the data all over the world even in 3rd party locations.

If the data is encrypted, the EU-only Rule doesn’t apply. As well as when the data is only stored and not processed.

That was just an example. Same goes for encryption. What I am saying is that the storage must meet the GDPR requirements if the service provider wants to use it in a GDPR compliant way.
And there are other use cases. We had the user from France who had even tougher restrictions on data processing and placement. But your information was very interesting and indeed it seems that if you use state of the art encryption and can make sure that nobody else has the encryption keys you can store and even process data (unless clear data is required for processing) anywhere even outside the EU without violating the GDPR.
At least I have found some source that claims so:

https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf#page=32
https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf#page=34

Using the Storj gateway with server side encryption might be a problem though. But for the native tools it should be fine. Very interesting!

Edit: I have just noted that on the bottom of page 33 the paper from the European Data Protection Board even mentions the case

Use Case 5: Split or multi-party processing

as

the EDPB considers that the split processing performed provides an effective supplementary measure.

Wow. The way I understand it this looks great for Storj.

5 Likes
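The property that the posts above lean on (node operators cannot read what they hold; encrypted data with the key kept by the client; the EDPB's "split or multi-party processing" case; and the caveat about a gateway that encrypts server-side) can be shown concretely. The block below is an added illustration written for this thread, not Storj's code and not code from any post: it uses only the Python standard library, so an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for a real AEAD, and Shamir secret sharing over GF(2^8) stands in for Storj's actual redundancy scheme, which the thread does not describe. The function names, the k=3 of n=5 threshold, the key handling and the sample "tax return" bytes are all constructed for the example.

```python
# Added illustration, not Storj code: encrypt on the client, then split the
# ciphertext k-of-n so no single node (and no k-1 nodes together) holds
# anything readable. Stdlib only: HMAC-SHA256 in counter mode plus an
# encrypt-then-MAC tag stands in for a real AEAD; Shamir sharing over GF(2^8)
# stands in for the real redundancy scheme. k, n, key handling and the sample
# data below are constructed assumptions.
from __future__ import annotations
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def _gf_inv(a: int) -> int:
    return next(b for b in range(1, 256) if _gf_mul(a, b) == 1)  # a != 0

def split(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Shamir-split into n shares; any k rebuild the secret, fewer reveal nothing."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    # one random degree-(k-1) polynomial per byte, constant term = the byte itself
    polys = [[b] + [secrets.randbelow(256) for _ in range(k - 1)] for b in secret]
    shares = []
    for x in range(1, n + 1):
        ys = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                acc = _gf_mul(acc, x) ^ c
            ys.append(acc)
        shares.append((x, bytes(ys)))
    return shares

def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x=0. Too few shares give noise, not an error."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    out = bytearray(len(shares[0][1]))
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = _gf_mul(num, xj)
                den = _gf_mul(den, xj ^ xi)  # subtraction is XOR in GF(2^8)
        basis = _gf_mul(num, _gf_inv(den))
        for pos, y in enumerate(yi):
            out[pos] ^= _gf_mul(y, basis)
    return bytes(out)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, ctr = bytearray(), 0
    while len(blocks) < length:  # HMAC-SHA256 as a PRF in counter mode
        blocks += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(blocks[:length])

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. The key never leaves the client."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a bad reconstruction is rejected, not decoded."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < NONCE_LEN + TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def client_upload(key: bytes, data: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """A node receives exactly one share of ciphertext: never plaintext, never the key."""
    return split(encrypt(key, data), k, n)

def client_download(key: bytes, shares: list[tuple[int, bytes]]) -> bytes:
    return decrypt(key, combine(shares))

def demo(k: int = 3, n: int = 5) -> dict[str, bool]:
    """Check the properties the thread argues about, on constructed sample data."""
    key = secrets.token_bytes(32)
    data = b"constructed sample: filed tax return, do not disclose"
    shares = client_upload(key, data, k, n)
    ciphertext = combine(shares[:k])
    try:
        client_download(secrets.token_bytes(32), shares[:k])
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "one_node_sees_plaintext": any(data in s for _, s in shares),
        "k_minus_1_nodes_rebuild_ciphertext": combine(shares[: k - 1]) == ciphertext,
        "k_nodes_see_plaintext": data in ciphertext,
        "k_nodes_plus_key_recover": client_download(key, shares[:k]) == data,
        "any_other_k_nodes_also_work": client_download(key, shares[n - k :]) == data,
        "wrong_key_rejected": wrong_key_rejected,
    }
```

Running demo() shows the two layers separately: the Shamir split is what makes a single share (or k-1 shares) information-free, which is the shape of the EDPB split-processing case, while the client-held key is what keeps even k cooperating shares down to ciphertext. The gateway caveat from the thread maps onto the same code: whoever runs encrypt() holds the key, so a server-side-encrypting gateway is the party that could call decrypt(), and the node operators still could not.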

Does anyone else have access to the data stored on the STORJ network? I.e. Storj employees or the company? Or just myself?

Would it be a safe space to save my filed tax returns for example?