In this series of articles, we will discuss the General Data Protection Regulation, commonly known as GDPR, and explain its relationship with Distributed Ledger Technologies such as blockchain. According to Article 8 of the EU Charter of Fundamental Rights on Protection of Personal Data, “Everyone has the right to the protection of personal data concerning him or her”, thus establishing data protection as one of the most important rights for EU citizens. Based on this assumption, in April 2016 the European Parliament adopted the General Data Protection Regulation (GDPR), urging that businesses protect the personal data and privacy of EU citizens for transactions that occur within EU member states, or even outside EU borders if transactions involve EU citizens.
The measure was considered a necessary step after a report by the RSA on privacy and security called attention to some alarming data. It emerged that out of 7,500 consumers across the UK, USA, France, Germany, and Italy, 80% said that lost banking and financial information was a top concern, while 76% stated that lost security and identity information was their major worry.
GDPR and blockchain
With the rise of blockchain technology and its cryptographic approach to personal data, which conceals information like names and addresses under a code, the need for some thorough analysis and some relevant regulation became apparent. Data protection regulation principles were designed and developed in a world that only knew a centralized data management type, while blockchain raises questions on how to apply these principles in a decentralized environment. It’s understood and accepted that the issues around the overlapping of GDPR and blockchain are not about the technology itself but how the technology is used when processing personal data. Although we developed the idea that blockchains are private and anonymous, in reality, some user information can lead back to the individual’s identity even if cryptographically secured. Therefore, since this is possible, personal data processed through a blockchain is to be considered subject to the GDPR.
Personal data includes any information relating to an identified or identifiable natural person (the data subject). In the context of blockchain technology, an individual’s public key would be considered their personal data and would therefore be subject to GDPR compliance obligations. While the validity and relevance of blockchain technology in relation to GDPR are not questioned, many points of tension between the two still exist.
What issues arise under GDPR?
We’ve seen that processing personal data in a blockchain still triggers GDPR compliance.
The two major issues involving GDPR and blockchain are:
The definition of Data Controllers and Data Processors when blockchain is involved;
The issues arising with the Right of Rectification and Right to Erasure.
What are a data controller and a data processor when a blockchain is involved?
GDPR identifies a Data Controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data within the EU state members or when it involves an EU citizen, even if the data processing is carried out by a non-member state entity.” (Art. 4 sec 7)
In the case of blockchain involvement, a natural person who buys or sells bitcoin on their own behalf, for instance, is not a data controller. By contrast, a natural person who trades bitcoin on behalf of professional or commercial activity, or of other natural persons, is a data controller. If a lawyer records a client’s transaction of any sort on a blockchain, the notary is a data controller. If a bank processes a client’s financial data on a blockchain, the bank is a data controller.
The data controller is the one instigating the purposes or means of data processing. He/she/they have to be identifiable so that data subjects can enforce their legal rights under EU data protection law. Blockchain’s decentralized nature replaces a central entity with a network of nodes whose consensus makes it difficult to attribute responsibility and accountability. This is where blockchain technology clashes with GDPR.
Data Processors process personal data on behalf of the controller (Art 4 sec 8 of GDPR), where data processing essentially involves any handling of personal data. Processing includes the collection, adaptation, alteration, and recording of personal data but also its simple storage.
According to the French Data Privacy Authority (CNIL), a data processor in a blockchain can be either a miner or a smart contract developer. For instance, a smart contract developer who processes personal data on behalf of a data controller may be a data processor. Similarly, a miner who follows the data controller’s instructions when validating a transaction is also a data processor. CNIL offers guidelines rather than fixed rules, emphasizing that the connection between the technology and GDPR should be assessed on a case-by-case basis rather than determined in a broad and general manner.
For instance, with regard to the rights of information, access, and portability it advises that they are not problematic on blockchain technology and that a transaction submitted to the blockchain contains sufficiently transparent and visible information. CNIL also views the “right of access and the right to portability as entirely compatible with blockchains’ technical properties.”
Issues arising with the Right of Rectification and Right to Erasure
The matter becomes more complicated as the EU Charter of Fundamental Rights on Protection of Personal Data provides that everyone has a right to access personal data relating to them, including a right to have such data rectified or erased.
That’s why the GDPR includes the “Right of Rectification”, which grants data subjects the right to have their data amended in case of inaccurate information; and the “Right of Erasure” (or “Right to be forgotten”), which adds the right of data subjects to obtain from a data controller and the data processor an obligation to erase their personal data.
How can something be deleted or rectified from an immutable blockchain then?
The immutability of the blockchain and the fact that it is a permanent and transparent ledger give rise to GDPR compliance issues. GDPR requires that personal data must not be kept longer than is necessary for the purpose for which it is processed, which may be an issue with blockchains where the data cannot be deleted.
Not all blockchains are immutable though or subject to a predefined and permanent consensus. Permissioned (or private) blockchains, for example, allow participants to establish a governance structure where roles can be clearly defined, contractual terms satisfying GDPR requirements can be embedded, and technological solutions granting individual rights can be built into the blockchain.
With permissionless (open and public) blockchains, the most compliant approach to these issues is to avoid storing personal data on the blockchain altogether, using for example an off-chain (append-only) data storage approach. If the data is stored off-chain, then it would be easier to process the erasure of the information. On the other hand, if the data is stored on-chain in an encrypted way, then the deletion of the encryption key could be a fair compromise. Because of the immutable nature of blockchains, the data would not be erased as such; however, it would be made inaccessible.
In essence, unless the blockchain is rolled back by means of a hard fork, as happened after the DAO hack in 2016, data on an open blockchain cannot be deleted. The best practice would be to store all personal data “off-chain”, where it can be linked back to the ledger by a hash. Once the secret keys used with the hash functions are erased, editing and verifying the hashed information is no longer possible and confidentiality is no longer compromised.
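The off-chain pattern from the two paragraphs above can be sketched as follows. This is an added example, not code from the original article or from any blockchain project: the Ledger and OffChainStore classes are hypothetical stand-ins, and the keyed hash is assumed to be HMAC-SHA256 with a random key per record. It also shows why the key matters: a plain hash of guessable personal data can still be confirmed against the ledger, while a keyed hash cannot once its key is gone.

```python
import hashlib, hmac, secrets

class Ledger:
    """Append-only stand-in for a blockchain: entries are added, never changed."""
    def __init__(self):
        self._entries = []
    def append(self, commitment: bytes) -> int:
        self._entries.append(commitment)
        return len(self._entries) - 1
    def get(self, index: int) -> bytes:
        return self._entries[index]

class OffChainStore:
    """Mutable store for the personal data and its per-record secret key."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self._records = {}  # ledger index -> (key, personal_data)

    def put(self, personal_data: bytes) -> int:
        key = secrets.token_bytes(32)  # fresh random key per record
        tag = hmac.new(key, personal_data, hashlib.sha256).digest()
        index = self.ledger.append(tag)  # only the keyed hash goes on-chain
        self._records[index] = (key, personal_data)
        return index

    def verify(self, index: int) -> bool:
        record = self._records.get(index)
        if record is None:  # erased or never stored: nothing left to check
            return False
        key, data = record
        tag = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(tag, self.ledger.get(index))

    def erase(self, index: int) -> bool:
        """Erasure request: drop data and key; the ledger entry stays."""
        return self._records.pop(index, None) is not None

def confirm_guesses(on_chain: bytes, guesses: list) -> list:
    """Guesses whose plain, unkeyed SHA-256 equals the on-chain value."""
    return [g for g in guesses if hashlib.sha256(g).digest() == on_chain]

if __name__ == "__main__":
    store = OffChainStore(Ledger())
    data = b"Alice Example, 1 Sample Street"  # constructed sample record
    idx = store.put(data)
    print(store.verify(idx), store.erase(idx), store.verify(idx))
    # A plain hash of guessable data can be confirmed; the keyed one cannot.
    print(confirm_guesses(hashlib.sha256(data).digest(), [data]))
    print(confirm_guesses(store.ledger.get(idx), [data]))
```

Erasure here only holds if every copy of the key is destroyed, including backups and replicas of the off-chain store.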
Without question, the EU consideration of the blockchain approach to GDPR is a further legitimization of the technology. Even though the blockchain itself may be immutable or can only be updated under specific circumstances, the requirements of GDPR may indeed still be fulfilled. It will soon become obvious that rather than posing a risk for individuals’ fundamental privacy rights and freedoms, blockchain technology represents a tool that grants data subjects exclusive possession and control over their personal information.
Furthermore, as the technology evolves, the digital ecosystem will offer a variety of peer-to-peer networks, from public distributed ledgers that grant unrestricted access and equal roles to everybody, to private networks developed with proprietary software that will grant access to selected participants only. Mixed private and public blockchains will provide an additional structure that could range from some nodes running a piece of the protocol to other nodes that could act as block validators.