The European General Data Protection Regulation (GDPR) came into effect more than two years ago. The law gives residents of the European Economic Area (EEA) power over their personal data and how organizations use it. This includes the right to ask for its erasure, the requirement for informed consent, and the right to control whom that information is shared with. The law applies not only to organizations based in the EEA but also to those based in other countries that serve European residents.
With this in mind, it is clear that there is a direct clash of intentions between the GDPR Law and Blockchain – an emerging technology that is increasingly winning the attention of many organizations across the world. At what point exactly do the two collide, you ask?
Well, by definition, Blockchain is a distributed and immutable ledger. This means that once data is recorded on the network, it is impossible to alter it, let alone delete it. But under the GDPR, individuals have the right to revoke consent or ask for their personal data to be deleted. This puts organizations at a crossroads, especially if they are looking to use Blockchain in the future to serve European clients. Now let’s examine the incompatibilities between these two entities:
Personal data is a broad term used to define any information that can be linked to an individual. The same definition is used in the context of GDPR, where personal data covers a variety of details, from email addresses, health details and IP addresses to device identifiers. This extends even to pseudonymized data that can be attributed to a specific individual with the use of additional information.
In the case of Blockchain, the technology uses pseudonymous data to record events associated with an individual. This is made possible by the use of public cryptographic keys that link a participant to a particular transaction. Even so, the mere use of an identifier — in this case, cryptographic keys — doesn’t mean that the data on the Blockchain is outside the scope of personal data as defined by the GDPR. Moreover, if an organization were to use blockchain solutions to establish customers’ identity under Know Your Customer (KYC) and anti-money laundering (AML) policies, it becomes even more clearly subject to the GDPR. What causes even more friction between the two is that Blockchain is a permanent system of records. As such, the stored data, whether pseudonymized or not, can’t be erased even if the cryptographic key is destroyed.
Data Controller and processor dilemma
The GDPR was first proposed by the European Commission long before blockchain technology was a trend. It is, therefore, not surprising that the law follows a centralized logic where the focus is entirely on data collectors who also play the role of processors. Applying this logic to Blockchain — a decentralized technology — inevitably produces discrepancies. Here is why: in a decentralized system, anyone who joins the peer-to-peer network becomes what is called a ‘node.’
The nodes keep a local copy of the Blockchain and connect with others on the same network to verify each entry. Simply put, nodes take over the role of a data processor as defined by the GDPR Law. Yet, the nodes don’t have control over how the entire system works. In a similar fashion, the party that designed the blockchain network can’t really fit into the data controller description, since they are merely platform providers. Without a clear definition of who’s playing the controller’s role, the parties can’t enter into a ‘controller-processor’ agreement as mandated by the law.
Additionally, the data on the network is made public for all nodes to see and verify. This goes against the principle of “data protection by default” under GDPR, which states that data shouldn’t be accessible to an indefinite number of persons without the subject’s intervention. Further, if the data is recorded on a public blockchain, it becomes even harder for data subjects (i.e., individuals) to exercise their right to withdraw consent to the processing of their data.
Compliance with the privacy law can only be maintained in a private blockchain where the network is owned by one specific party. The party assumes the role of a data controller as the nodes take their place as processors. However, a private blockchain is less secure compared to its public counterpart, which, as a result, puts users’ data at risk.
Under the principle of storage limitation, the GDPR holds that personal data cannot be stored for an unlimited time. Therefore, a data retention period must be defined according to the purpose of the data processing. In contrast, one of the core characteristics of Blockchain is that once data is recorded on the network, it cannot be altered or deleted. As such, the data will be stored for an indefinite period of time, which is clearly against the GDPR.
One of the viable solutions to this problem is to store the personal data in a separate, off-chain database. The Blockchain is then used only to store data that doesn’t by itself point to an individual, e.g., the digest generated by a keyed hash function, which becomes unlinkable once the key is destroyed. Alternatively, organizations can use a permissioned Blockchain to store the data and later get all the nodes to ‘delete’ it by forking the network. Admittedly, doing so breaks the hash pointers between blocks. However, it is possible to re-hash the blocks, since permissioned blockchains do not need proof-of-work, and thus the process wouldn’t require much computational power.
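Both mitigations described above, shown as an added toy example that is not part of the original article: personal data is kept off-chain, only a keyed hash (HMAC) goes on-chain, erasure is done by destroying the record and its key, and a permissioned chain is forked and re-hashed without proof-of-work. The block layout, function names and per-subject key store are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, payload):
    # Hash pointer over the block contents; no proof-of-work nonce in a permissioned chain.
    return hashlib.sha256(f"{index}|{prev_hash}|{payload}".encode()).hexdigest()


def append_block(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    idx = len(chain)
    chain.append({"index": idx, "prev_hash": prev, "payload": payload,
                  "hash": block_hash(idx, prev, payload)})


def commit_personal_data(chain, off_chain, keys, subject_id, record):
    # The record itself stays off-chain; only an HMAC under a per-subject key is written on-chain.
    key = keys.setdefault(subject_id, secrets.token_bytes(32))
    off_chain[subject_id] = record
    msg = json.dumps(record, sort_keys=True).encode()
    digest = hmac.new(key, msg, "sha256").hexdigest()
    append_block(chain, digest)
    return digest


def verify_commitment(chain, off_chain, keys, subject_id, digest):
    # Linking an on-chain digest to a person requires both the off-chain record and the key.
    if subject_id not in keys or subject_id not in off_chain:
        return False
    msg = json.dumps(off_chain[subject_id], sort_keys=True).encode()
    expected = hmac.new(keys[subject_id], msg, "sha256").hexdigest()
    return hmac.compare_digest(expected, digest) and any(b["payload"] == digest for b in chain)


def erase_subject(off_chain, keys, subject_id):
    # Crypto-shredding: once record and key are gone, the on-chain digest is an unlinkable value.
    off_chain.pop(subject_id, None)
    keys.pop(subject_id, None)


def chain_valid(chain):
    # Every block must carry the right index, point at the previous hash and hash to its own value.
    for i, b in enumerate(chain):
        prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if b["index"] != i or b["prev_hash"] != prev or b["hash"] != block_hash(i, prev, b["payload"]):
            return False
    return True


def fork_without_block(chain, index):
    # Permissioned-chain deletion: drop one block and re-hash all later blocks so pointers line up.
    forked = []
    for b in chain:
        if b["index"] != index:
            append_block(forked, b["payload"])
    return forked
```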
Using Blockchain to ensure compliance with GDPR Law
In an ironic twist, blockchain technology can be used to maintain compliance with the GDPR Law. This can happen in two main instances:
One of the principles of the GDPR is its emphasis on data accuracy. All organizations operating in or serving clients in the EEA are required to maintain an accurate record of their clients’ data. They are also required to have sound procedures to check and verify the accuracy of that data. Blockchain technology, with its virtually incorruptible audit trail, can be used by these organizations to guarantee the integrity of the recorded data.
Under the principle of data protection by design and by default, organizations are required to protect clients’ data from manipulation or unauthorized access. In this case, Blockchain is a well-suited tool for safeguarding data from third-party tampering while ensuring that no single node can alter what is already recorded.
Clearly, there is a direct clash between the newly imposed GDPR and blockchain technology. But on ideological grounds, the two share the same goal, which is the protection of data. By virtue of this common ground, Blockchain can be used to enhance compliance with the GDPR. This will help organizations within and outside the EEA embrace this technology while still respecting the privacy of their clients.