More and more businesses tend to blockchain. This relatively new technological opportunity finds either advocates or arch enemies. As technology develops, it has to be in line with the existing legal framework for it to be compliant. Let’s dive into the tensions created between the blockchain technology and data protection regulations, more precisely the EU General Data Protection Regulation (GDPR).
What is the blockchain?
Blockchain has revolutionized our existing ways of storing information in ledgers. The defining way this technology organises data is in decentralized ledgers, meaning every participant of the blockchain has a copy of the ledger. If one of the participants of the blockchain wishes to make a transaction, he is not allowed to write this transaction information into the ledger. Rather, it is up to the other participants to ensure the entry. Therefore, the transaction will be hashed.
As a major pillar of the blockchain, the beginning of every hash is defined by default. The mathematical task that has to be solved now, is to find the right number that has to be added to the transaction hash, resulting in a hash that meets the defined hash beginning.
The participant whose machine finishes computing first, has the obligation to record the transaction by recording the hash in a new ledger. Afterwards every participant will copy the new ledger. Simply speaking, this mechanism ensures the creation of a chain wherein blocks are being added after having been validated via a process termed consensus, containing encrypted records of data and transactions.
At this point, we need to proceed into a certain categorisation: Existing blockchain mechanisms can be subdivided into public and private, with regard to who is in possession of the so-called reading rights of the system; namely how many individuals may access the content or data: the visibility effect.
On the one hand, public blockchains, like the ones from the digital currencies Bitcoin or Ethereum, follow a philosophy of broad accessibility, transparency and full decentralisation. Therefore, public and permissionless blockchain ecosystems are operating at a peer-to-peer level.
On the other hand, private blockchains are more centralized as access to the system can only be granted by some designated nodes, most of the time, the founders, i.e. developers, of the system. This type of blockchain may simulate quite well the structure of a corporate database, or function as a normal Internet Service Provider (ISP), a common trait referred to as centralised control.
For these digital, centralized systems, compliance with the GDPR should be at the very top of the to-do list, as users can be identified and the hashed data (i.e. pseudonymised data) is exposed to the danger of reverse engineering. From a GDPR perspective, these digital systems should be treated like normal undertakings, and should therefore follow certain GDPR compliance prerequisites. Essentially, this would likely result in the implementation of a form of privacy policy into the white paper of the private blockchain.
Who participates in the chain for GDPR purposes?
Private (and permissioned) blockchains have a greater compliance burden than public blockchains because they are controlled or operated by a central entity, which normally involves to some extent the processing of user data. However, validators and full nodes are not in total control of the system – they may be characterized as data processors according to the GDPR. The users of the blockchain, even if they only conclude transactions on-chain by simply making information available through their public key, are considered the data subjects. Role assignment in terms of the GDPR becomes important in regard to the attribution of liability for data breaches. For private (permissioned) blockchains, where control is established through a central authority, liability can be attributed and enforced against the central authority easily.
The problem becomes more evident in the case of public (permissionless) blockchains. The GDPR is designed for application in centralized ecosystems, where control established through centralised operations (solely or jointly). Public (permissionless) blockchains create a problem for compliance with the GDPR through their lack of centralised control.
The GDPR´s notion of control (and even joint control) is challenged by permissionless public distributed ledger technology (DLT) systems. In the case of public blockchain one could easily reach extreme conclusions that would result into the widening, or elimination of, liability of all participants, either by establishing that no participant(s) control any part of the blockchain in the GDPR sense, or by considering each individual full node a data controller of the chain simultaneously and thus holding them all accountable.
Both these options could be a solution, however neither is a fair solution or an efficient one.
Both private and public blockchain essentially process data which can be termed personal data in the GDPR sense, such as, transaction data, hashed (pseudonymised) data and potentially, the personal data contained in smart contracts. The difference lies in the private blockchain´s accountability and vulnerability to enforcement. In public blockchain, which as mentioned above, is peer-to-peer and decentralised it would be difficult to hold any individual or organisation accountable, and thus enforce GDPR compliance.
The tension between the GDPR requirements and the inherent traits of the blockchains is nothing new however, and the important rights for individuals provided by the GDPR cannot be jeopardised by these revolutionary systems. Public blockchain must come up with fair solutions and enforce the law accordingly.
We use the right to be forgotten in this article as an example to highlight the possible legal issues to solve.
Can the right to be forgotten under the GDPR be exercised in blockchain?
The challenges posed to GDPR compliance by blockchain ecosystems are widely discussed in practise nowadays. One major challenge is the technical incapability of erasing or modifying the hashed data added on the chain (immutability by design). This inherent characteristic of the technology makes it incredibly secure against fraud and tampering.
However, this inherent characteristic of security threatens the satisfaction of data subject rights pursuant to Art. 17 GDPR. The right to erasure granted to data subjects stands in conflict with blockchain´s immutability by design.
For this reason, it is important to take care and never store unencrypted personal data on the chain. While data subjects may not be able to easily enforce the rights to have their data erased (or even rectified), it would be even worse if their personal data was legible to all. At the least encrypted data has some technical protection.
Generally speaking, there is a big discussion whether the immutability poses a danger to privacy rights. As a partial solution off-chain or side-chain governance methods for the managing of personal data have been widely suggested in studies leading to a hybrid blockchain. Therein, mechanisms will – again – be controlled by the core developers of the system. Thus, a centralised authority will be instated.
Following this path, you are encouraged to simply maintain any form of personal data at an off-chain level with only a hash leading to the data recorded on the ledger. Should any individual make a data subject request, the data can simply be altered or deleted and the hash key would not be needed anymore. While this strategy requires a form of centralisation which is threatening the nature of the technology itself, it does allow for GDPR compliance – at least until newer, more sophisticated ideas are developed and realized.
How can Blockchain be useful for data processing?
Another consideration is the potential usefulness of blockchain for data processing. After all, as already stressed, blockchain is an institutional infrastructure for decentralised, encrypted storage of information, with many applications in many layers of industry. In particular, for the second layers and the often-cited smart contracts: These may facilitate transactions by self-executing certain terms of the agreements of the parties written into running pure code. These contracts could potentially revolutionise data processing by pre-determining the revocation, or the deletion, of the data content used in transactions after a fixed, reasonable timeframe. In the future, this would naturally reduce similar requests by individuals and limit, or even eliminate, the role of data processors; resulting in major cost reduction for companies and ensuring absolute compliance – at least for some of the rights granted by the GDPR.
Conclusion
Considering the numerous open questions surrounding privacy and blockchain and the inherent clashes between them, it is advisable to contact your data protection officer if you plan to use an existing blockchain, or you plan to implement such a network into your business.
It is always a good idea to be in touch with your data protection officer when considering new technologies. While new technologies are being invented to make our lives easier, they should not be used for the purposes of circumventing privacy regulation and unlawful practices.
