The General Data Protection Regulation (GDPR), a stringent legal framework which standardizes data protection laws and bolsters personal data privacy in the EU, became effective on May 25, 2018. This regulation is going to affect the business of most digital ventures.
It has a significant impact on blockchain, as GDPR conflicts with the way blockchain is used in many respects.
GDPR revolves around the personally identifiable information (PII) of citizens, ensuring transparency around its use and providing people with the right to restrict its use or request it to be deleted completely.
What followed the implementation of GDPR can be summarized as:
- Establishment of a harmonized European data protection law regime for PII
- Right to be forgotten (Art. 17)
- Consent (Art. 6)
- Data minimization (Art. 5)
- Data protection by design (Art. 25)
- 72-hour data breach notification
Blockchain has also brought about a significant change in the way data is processed and stored. It is a distributed ledger technology (DLT) that can create an immutable record of transactions; therefore, if blockchain were to be used as a type of database to transact with PII, it would by default run against GDPR rules. Blockchain ledgers can be appended to, but information on the network cannot be modified or deleted.
GDPR versus Blockchain
GDPR is based on the assumption that the personal data collected would be controlled and processed by an identifiable data controller or by a finite number of identifiable data processors and sub-processors. The regulation gives EU residents enforceable rights with respect to their personal data, which includes:
- The right to erase personal data when it has already served the purpose for which it was collected, when consent is withdrawn, or when continued processing of the data is unlawful;
- The right to request correction of incorrect data; and
- The right to restrict processing when the data accuracy is contested, when processing is no longer necessary, or when the individual objects to processing of the data.
These rights are understandable in the context of a centralized database controlled by a single data controller with a finite set of processors. But there are several doubts about how well they mesh with DLT.
Blockchains are of two types: public (such as Bitcoin) and permissioned (limited to a specific set of participants, like a banking consortium blockchain). In the case of the latter, the organization that sets up the blockchain plays the role of the data controller and is responsible for GDPR compliance. In a public blockchain, every individual and organization that adds personal data to the blockchain may be a data controller and is also responsible for GDPR compliance.
Similarly, every node on either public or permissioned blockchain is, at a minimum, a data processor and may also be a data controller depending on the blockchain governance arrangement. Blocks typically include a header and encrypted content (the payload). Public blockchain allows anyone to view the header. Permissioned blockchain may have options to control who can view different parts of the transaction. The blockchain is a trusted record source because the data within each block cannot be changed and blocks cannot be removed.
Storing personal data on a blockchain is not an option anymore, according to GDPR. Nevertheless, blockchain technology and GDPR share the same goals. Both aim at decentralizing data control and tempering the power inequality between centralized service providers.
While the public blockchain does not guarantee anonymity, many technological innovations, ranging from elementary tumblers to zk-SNARK applications, may be possible solutions. These blockchain-based solutions are areas that regulators could consider. However, data control seems impossible in a public blockchain.
In the case of a permissioned blockchain, given currently available technology and EU data protection interpretations, the two biggest hurdles are control and data removal.
The data controller is liable for controlling access, dissemination, processing, and sub-processing of personal information. This requires significant attention and diligence in a permissioned blockchain and can be addressed by consent management frameworks and other content governance applications.
With respect to data removal, two possible solutions are:
- Off-chain data storage
- Making personal data permanently inaccessible
Data Storage Off-chain
One option is to store personal data outside of the blockchain and store only a reference (link) to the data and a hash of the data on the blockchain (which eliminates the need to replicate data on each node). A hash is a long number that can uniquely identify a piece of data. This enables the removal (erasure) of the personal data without disrupting the blockchain. However, this approach defeats many of the benefits of DLT, such as security and resilience through redundancy.
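The off-chain pattern described above, as an added example that is not part of the original article: the ledger holds only a reference and a digest, and erasing the off-chain record leaves the chain verifiable. The class names, record references and sample email addresses are constructed for illustration, and the per-record salt is an added design choice, since an unsalted hash of a short value such as an email address can be matched by hashing candidate values.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

class Ledger:
    """Append-only hash chain holding only a reference and a digest, never PII."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _hash(block):
        fields = {k: block[k] for k in ("index", "prev", "ref", "digest")}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def append(self, ref, digest):
        prev = self.blocks[-1]["block_hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev, "ref": ref, "digest": digest}
        block["block_hash"] = self._hash(block)
        self.blocks.append(block)

    def verify(self):
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["block_hash"] != self._hash(block):
                return False
            prev = block["block_hash"]
        return True

class OffChainStore:
    """Mutable store for the personal data and its per-record salt (hypothetical)."""
    def __init__(self):
        self.records = {}

    def put(self, ref, data):
        salt = os.urandom(16)  # added design choice: keyed digest resists guessing
        self.records[ref] = (salt, data)
        return hmac.new(salt, data, hashlib.sha256).hexdigest()

    def erase(self, ref):
        self.records.pop(ref, None)  # data and salt are removed together

    def status(self, block):
        if block["ref"] not in self.records:
            return "erased"
        salt, data = self.records[block["ref"]]
        current = hmac.new(salt, data, hashlib.sha256).hexdigest()
        return "intact" if hmac.compare_digest(current, block["digest"]) else "tampered"

def demo():
    ledger, store = Ledger(), OffChainStore()
    for ref, pii in [("rec-1", b"alice@example.com"), ("rec-2", b"bob@example.com")]:  # constructed
        ledger.append(ref, store.put(ref, pii))
    store.erase("rec-1")  # erasure request for one data subject
    return ledger.verify(), [store.status(b) for b in ledger.blocks]
```

After erasure the on-chain digest for `rec-1` remains, but with the salt and data gone it can no longer be checked against anything, while the chain itself still verifies.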
Making personal data permanently inaccessible
GDPR does not define “erasure of data.” Greg McMullen of the Interplanetary Database Foundation suggests that destroying the cryptographic key that allows access to encrypted personal data should be considered equivalent to erasure if the destruction is done in accordance with best practices and in an auditable way. Now, because there is no definition of “erasure of data” at this point, you probably need to interpret it strictly, which means that throwing away the encryption keys that encrypt personal data on a blockchain is not acceptable as “erasure of data,” according to GDPR rules. Therefore, we’ll have to wait for some rulings by data protection authorities to see whether this view will be accepted.
The final words
Blockchain technology promises to strengthen data ownership, transparency, and trust between entities. With GDPR formulations, we cannot store personal data directly on the blockchain since, in GDPR terms, “it is not erasable,” and this seems insolvable. However, a possible workaround would be to build a permissioned blockchain with GDPR in mind. But before that, we need to address the following questions:
- How to control the data, ensure it complies with requirements to control processors, and ascertain who will have access to specific personal data.
- How to respond to requests from individuals to view, correct, erase, and restrict their personal information.