It has now been more than four months since the European Union General Data Protection Regulation (hereafter GDPR) came into effect. This regulation aims to strengthen privacy and personal data protection in the EU, by giving private persons more control
over their personal data. But it also offer a uniform set of regulations for businesses with customers in the EU region, with the risk of hefty fines in case of non-compliance.
This event however has caused a lot of concerns in the blockchain industry. At first glance some GDPR provisions seem in direct conflict with the fundamentals of blockchain technology, and may even be intrinsically incompatible with what the new European
privacy rules seek to uphold. For blockchain the most controversial GDPR mandate is the “Right to be Forgotten”, giving individuals the right to request that their personal data be removed from a record. Because of its decentralised character with immutable
blockchains, data however cannot be deleted. Blockchains are designed to last forever. That puts blockchain in direct opposition to the GDPR.
Main question is: Are there ways to be found so that GDPR and blockchain may co-exist? Can blockchain work properly in tandem with the new GDPR regulations without harming its fundamentals? And how should regulators react?
EU General Data protection Regulation (GDPR): what does it mandate?
The General Data Protection Regulation (GDPR) is a far-reaching privacy legislation that is designed to enhance the protection of personal data and give individuals in the EU greater control over their own data. The GDPR is requiring not only transparency into
what companies will do with consumer data, but also mandating clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom, and for what purpose. GDPR thereby regulates the collection, processing, transfer and retention
of every EU citizen’s personal data, requiring companies to provide visibility and control to individuals, on demand. Non-compliance with GDPR can result in heavy fines.
GDPR however has a number of key provisions that could heavily impact blockchain.
The GDPR applies to “personal data”, thereby embracing a very broad definition. In short, it means any data that can be tied back to person’s identity. Moreover, personal data explicitly includes “online identifier[s],” including IP addresses. Under the
GDPR, personal data even includes data that has undergone “pseudonymization,” meaning that the data has been processed such that it “can no longer be attributed to a specific data subject without the use of additional information”.
Under the GDPR, increased emphasis has been put on data controllers (i.e. firms), requiring them to comply with the various GDPR principles including processing data legally and fairly. The GDPR thereby applies to the processing of “personal data” by controllers
established in the European Union (EU), as well as companies outside the EU where their processing activities relate to offering goods or services to data subjects in the EU or to the monitoring of their behaviour.
It should be noted that GDPR was first proposed by the European regulators long before blockchain was a trend. It is therefore not surprising that the initial focus of the regulators was on SaaS companies and especially social networks which are, as opposed
to the decentralised blockchain ledgers, centralized platforms, where a data controller plays an important role.
Data protection by design and default
In addition to the explicit declaration of the rights of the data subject (data access, data portability, right to erasure, etc.), the GDPR also mandates that data controllers and processors abide by the principle of "data protection and privacy by design
The EU stipulates, the system must be designed in such a way that “minimizes extraneous data collection and guards that which is necessary for operations”. This means architecting solutions with privacy as a foundational consideration rather than as an “afterthought
or add-on”. It includes, wherever possible, employing techniques such as pseudonymization
(decoupling data from individual identity) and data minimization (sharing only absolutely necessary data points) to protect privacy.
The Right to be Forgotten
The “data subjects” have a right to obtain from the controller confirmation as to whether or not their personal data is being processed, including the information on recipients to whom the personal data have been or will be disclosed. They also have the
right to ask the data controller to correct his or her personal information in case it is inaccurate (the "right to rectification").
The most important and at the same time most critical provision from a blockchain point-of-view is the right to erasure or better known as “the right to be forgotten”. It enables individuals to request any organisation the deletion of their personal information
and all the data related to them from the database in which it is stored permanently. This if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed and there is no legal ground for their
maintenance. Or if the data subject withdraws consent on which the processing is based.
Blockchain versus GDPR: Conflicts versus commonalities
Question is: Could blockchain comply with the GDPR regulation? To answer that question it is needed to look at both the point of conflicts as well as the communalities between both. At first glance GDPR and blockchain are fundamentally contrary approaches.
But looking more broadly there are various points where GDPR and blockchain share common grounds.
Points of Conflicts
It is not surprising that GDPR causes many worries in the blockchain world. While the GDPR was designed to be platform agnostic, the requirements for data deletion and data editing seem to be in direct conflict with the way the blockchain technology functions.
There are a number of fundamental points where blockchain completely contradicts the GDPR mandates. Just look at the main features of this technology. Blockchain relies on a distributed ledger system that is decentralized and immutable. It is intended to
be a permanent and a tamper-proof record that sits outside the control of any one governing authority.
Information on the blockchain, including personal information of data subjects, cannot be modified or deleted. Therefore, if blockchain were to be used as a type of database to transact with personal data, it would by default go against the GDPR rules.
Blockchain and decentralised ledger
This conflict between the GDPR and blockchain-based approaches to data privacy is rooted in two fundamentally different philosophies about how best to protect data privacy. Blockchain believes that privacy rights are best protected by advanced cryptography
and distributed ledger systems of storage and protection that is decentralised and immutable. It is intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority.
These characteristics of blockchain fundamentally contrast with those of centralized forms of data management, where there is a clear controller of data, that regulators had in mind when fashioning the GDPR. They view centralized, governmental authority
as essential to protecting consumers and their information against the abuses of private actors, particularly the new massive data-driven technology companies, such as Google, Facebook etc.
Data controller: nodes or nobody?
Another point of conflict is the role of data controllers. While GDPR puts a lot of accountability on data controllers in centralized organizations, which are easy to define, it is another story for blockchain. There it is very difficult to see who falls
within the GDPR defined roles and who really is in control of this data in a decentralised blockchain environment.
In a distributed ledger system, anyone who joins the peer-to-peer network and runs the software becomes a "node." Essentially, a node is a device connected to a blockchain network which supports the network by maintaining a copy of the blockchain. The nodes
process data without having full control over how the system works. There is however no authority to amend or correct a block once it is incorporated into the chain. Once their data goes through the application and onto the chain, the blockchain company that
enabled you to put that data onto the chain, is no longer in control of that data since it is decentralised.
This position then raises the question, if the blockchain company isn’t the data controller, then who is? In essence, every person who accesses the network, so every node, may be considered a data controller. They control what happens to their data and who
it’s shared with through their private key. The problem is that unlike centralized controllers, nodes and data subjects in a blockchain cannot comply with GDPR obligations considering their limited influence over the information stored on the ledger.
The biggest point of conflict between blockchain and GDPR is the right to be forgotten. GDPR mandates that it should be possible for any personal data of EU citizens stored within a business to be altered or deleted at the request of the individual to whom
that data pertains.
The immutable nature of the blockchain’s decentralised ledger, ensuring the absolute integrity of the records in the chain in terms of security and accuracy, is a core idea within blockchain technology. Due to the blockchain "immutability of records" principle,
any data contained on the blockchain transactions are virtually impossible to modify or being erased to meet GDPR requirements. They stay there forever. So, instead of the right to be forgotten, in blockchain there is the right to never forget.
Any alteration would undermine the entire system as blockchains are linkage of subsequent blocks and a single corrupt block will impact the whole equivalence. Since this would ‘break the chain’ in a sense, it would render the complete blockchain useless.
It can only be updated by adding a new transaction to the chain.
It is however a strange coincidence that while in a strict way blockchain technology is in conflict - and so not compatible - with GDPR regulations, when one looks more in a principle-based way GDPR and blockchain share many common objectives. A closer
look at blockchain’s underlying concepts and technologies reveals how the technology improves the fundamental aspects of data privacy and security specified in GDPR. EU regulators and blockchain technologists alike therefor would do well to remember that blockchain
and GDPR are both trying to do the same thing. Blockchain thereby offers increased provenance, transparency, privacy and security of data. Blockchain technology just tackles these issues differently from GDPR.
One of the common principles is individual control over personal information and data minimization. Blockchain technology, when used for digital identity solutions, offers individuals unprecedented control over the ways their personal data is shared and
Another common principle is anonymity. Blockchains have the ability to offer anonymity. Only those transacting on the network can see the information; and, in permissioned networks even those on the network can be restricted from seeing other’s participant’s
information. The private keys allow for access, while the public key is an address for inter-user transaction detached from any personally identifying elements. What this means is that even though a blockchain is public, no personal information is made public.
On a blockchain, all transactions are clearly visible and highly transparent for those with access to the blockchain. The blockchain uses encryption to remain confidential, but the ledger itself remains transparent. Blockchain’s encryption and decentralized
structure makes the network and data highly tamper-resistant and, in theory, less vulnerable to unauthorized modification than a single instance database.
Additionally, by decentralizing transaction processing, distributed ledger systems remove the vulnerabilities commonly exploited in centralized data repositories. What makes blockchain so revolutionary is the ability to store information across a variety
of systems for improved security. Rather than allowing for an identifiable single point of failure, a blockchain ledger makes single-breach failures hardly possible.
Possible blockchain solutions
There is a lot of debate going around how to solve the GDPR compliance issues for blockchain. Purely speaking, it is safe to assume that at present most blockchains as they are designed to-day are not GDPR compliant, and therefore illegal according some.
That however doesn’t mean that solutions aren’t available. There are a number of ways to mitigate the impact of GDPR on blockchain and enable blockchain companies to become (more) compliant for future coexistence with GDPR regulations. But we are not there
One potential solution is segregating the types of data stored on the chain. This by storing all personally identifiable information in separate “off-chain” databases, and only have references and other information, along with a hash of this data in the
blockchain. The corresponding hashes stored in the blockchain layer, serve as control pointers to the GDPR-sensitive data.
Protocols can be built in such a way that makes it possible to completely erase data in the off-chain database, in compliance with GRDP requirements. So, when someone exercises their “right to be forgotten,” the personal data can be deleted,
whereby the service provider erases the “linkability” of the blockchain hash pointer to the data located in distributed off-chain servers. This makes the referral information on the blockchain useless, without shattering the blockchain.
There are however a number of negatives using this solution as it would be to the detriment of some features the blockchain offers. It does negate the security and efficiency benefits of blockchain, thereby reducing the blockchain’s effectiveness and transparency.
So, once your data has been stored off-chain, who owns it?
If blockchain platforms split data storage, your information is vulnerable to hacking. By storing personal data off-chain, you have no way of knowing for sure who accessed your data, and who has access to your data. The
added complexity may not only result in less secure systems. It would also make it more difficult for the development and adoption of global standards, potentially limiting the deployment of blockchain for uses like trade finance, supply chain etc.
Deletion of encryption keys
An alternative solution, already adopted by certain blockchain companies, is to keep personal information on the blockchain while making it impossible to access if the data subject demands that it will be deleted. This could be achieved by such means as
encrypting all personal data with key or hash that allows access to an individual’s information stored on the blockchain, and that could be revoked deleted on request or after some interval. In the event that a data subject would request his blockchain data
to be erased, the key would be deleted. This would render their information unobtainable, and in effect, it would be lost in the blockchain.
Whether GDPR officials will accept this as a solution however remained to be seen. It is well-established that data that has been encrypted or hashed still qualifies as personal data under EU law as it is merely pseudonymized, not irreversibly anonymised.
Since throwing away your encryption keys is not the same as ‘erasure of data’, Existing GDPR rules prohibits from storing personal data on a blockchain level. Thereby losing the ability to enhance control of their own personal data. The challenge is that GDPR
does not define what it means to “erase” data.
Pseudonymization and anonymization
Another interesting solution for GDPR compliance is the use of pseudonymization techniques in combination with data stored off-chain. In order for data to be considered pseudonymous under GDPR, the data must “no longer be attributed to a specific data
subject without the use of additional information”. Pseudonymization with pointers to personal data stored off-chain in a manner which allows the personal data to be destroyed and thus removes the link to the data on the chain and renders it anonymized may
allow a user to remove all of their personal information from the chain, as required by the GDPR’s right to erasure.
There are however two opposite interpretations for the pseudonym linkage using blockchain relative to GDPR. The first one states that because data pseudonymization is accomplished in blockchain hashing, but not anonymization, the data linkage is no longer
considered personal when it is established, and if this linkage is deleted, it also complies with GDPR.
The second – and opposite - interpretation is that pseudonymization, even with all cryptographic hashes, can still be linked back to the original personal data. Pseudonymous data, unlike anonymous data, therefore still allows for re-identification. While
pseudonymization techniques make it more challenging for users to identify data subjects, it does not “scrub” all identifying personal information.
Self-sovereign identity (Sovrin) application
A solution for protecting personal data according to the GRDP rules, is one where individuals control their own digital identities using blockchain technology: the self-sovereign identity application. This protocol named Sovrin, suggests that individuals
control the information related to their person. The Sovrin ledger doesn’t store personal data, instead it acts like a directory of pointers to an individual’s data, stored in more traditional, centralized databases, and takes additional steps to implement
the GDPR’s “privacy by design and default” principles. Under this regime, individuals give limited access to third parties, and provide only that information that is needed to transact the business at hand, and only for that specific purpose. Because the record
of the access is recorded to the blockchain, just like the GDPR requirements, there would be an immutable record of who was accessing the information and how the information was being used.
Increased use of private or enterprise blockchains
Another way of softening the GDPR requirements is the increased use of private or enterprise blockchains, which are blockchain systems used by one company or amongst companies in a particular industry. Unlike public blockchains, which provide decentralized
utility and access to as many users as possible, private and enterprise blockchains limit the dissemination of personal information to just one company or a limited number of companies. In reducing the scale of the chain, fewer individuals have access to sensitive
information and the possibility of data breaches may significantly diminish.
Implement centralised back-end system
The most far reaching way to get around these GDPR issues would be for blockchain to modify how it operates, which would mean implementing a centralised back-end system. This would allow data to be anonymised without breaking any chains, and seemingly navigate
the problem of non-GRDP compliance. But, it would mean a significant overhaul of how the platform is implemented, thereby threatening the fundamentals of blockchain.
Blockchain and regulators: who should adjust (most)?
In general, technology development has not been at the forefront of data protection policy development in Europe for long. GDPR was first discussed by the European Commission in 2012 at a time when blockchain technology was just coming up. The legislation
however was launched right at the time when blockchain technology fundamentally changed the rules.
One could thus say that blockchain is not designed to be GDPR-compatible. Or said in another way, GDPR in its purest form is not blockchain-compatible the way the regulation was written to date. They do not take account of the newly developed decentralised
blockchain technology, designed to exist outside of central control. The biggest challenge thus is how to proceed. In other words: who should adjust (most)? It doesn't make sense to regulate the blockchain industry in a rigid way. In order for the blockchain
technology to unfold its full potential there needs to be careful consideration by regulators.
This asks from European authorities to take a practical approach to regulating blockchain technologies. A first step is to bring more clarity on how to interpret the various rules. Regulators should also be asked to bring more flexibility in the regulatory
stance. And because of the GDPR is built on the premise that there are only centralised databases to control, this asks for amendments in the present GDPR rules to take blockchain into account.
Give companies enough time: No rigid GRDP approach
The enforcement angle of GDPR compliance is still unclear. Legal enforcement of not being GDPR compliant short term would be very difficult. There are still a large number of uncertainties, un-clarities in definition and interpretation of the various GRDP
principles and rules and grey areas that first should be solved or removed before regulators will could really come into action.
Maintaining these GRDP rules in a too strict way would be non-practible. It would be almost impossible for any court to enforce any action against public blockchains, as there is no one in charge, no one to serve documents to, no one to even name on legal
papers. In practice the court would have to prosecute everyone on the network. With private blockchains, it’s a much better fit. Though there is definitely still a grey area. The European authorities will need to give blockchain companies as well regulatory
bodies time to adapt.
In the short term, the best approach could be to let the blockchain industry self-regulate and come up with its own mechanisms to protect personal data. Blockchain start-ups can start by collecting lesser data points and implementing hashes to restrict
exposure of personal data.
Create Legal certainty and clarity
Regulators should give more clarification how to interpret the various rules. But also on how the GDPR will be applied to blockchains. The GDPR provides no clear answers yet and still have to address many of these rules, such as the right to be forgotten,
and its enforcement. For instance the GDPR’s definition of personal data. That definition extends to anything that can be traced back to an identifiable person, including IP addresses, a unique public key or address on the blockchain and thus potentially
falls within a regulatory grey area.
The GDPR does not define what “erasure of data” really means, which suggests that, to comply with this requirement, actual physical and logical deletion (a literal reading of the word “erase”) is required. It is unclear if a user can truly be forgotten,
as opposed to permanently anonymous with no ability to tie the blockchain back to a specific user and data exchange event. Strong arguments can be made that the GDPR’s rights of erasure, rectification and data portability are not implicated. There is a good
case to make by saying that “erasure” does not have to imply that data is literally deleted and that making data permanently inaccessible without deletion should produce the same result and be classed as deletion of data.
And there are other unanswered questions. If there is no “private” copy to delete, why not completely exempt blockchain companies from this requirement? And why impose a fine on a controller for not deleting “his own copy”, but not hold him liable for not
deleting all “public” copies for technology and costs reasons?
And a number of other issues need to be addressed in order for blockchain-based platforms to be 100% GDPR compliant. As there are also various exceptions to the GDPR rules, but most are not yet clearly communicated.
Regulatory flexibility: Balanced approach
GDPR regulators do have to take care of new innovative developments. They should take into account that decentralised solutions like blockchain are increasingly entering the real world arena. This asks for the well-needed flexibility from the regulators
in their interoperation of the GRDP rules, taking account the specific features of blockchain, including immutability, centralised structure and lack of central data controllers. Regulators should thereby carefully balance the objectives of both sides going
forward i.e. between data protection and privacy on one side and technological innovation on the other.
This asks for some favourable interpretations by EU regulators in their approach to blockchain applications in particular in respect of the nature of the data controller, whether (public) keys are personal data, and how substantive rights should be implemented.
Future-flexible frameworks for governance are needed that allow us to realize the benefits of data and technology including blockchain while minimizing harms. It also asks from blockchain builders to build in specific privacy safeguards into the technology,
they can reveal any and all personal data stored on-chain.
Cooperative approach: Dialogue and common understanding
The blockchains of tomorrow “will be shaped by today’s (regulatory) input”, is a saying by one blockchain follower. The EU must wake up to this new reality of decentralised platforms and engage in dialogue with the industry, innovators and other stakeholders
as to how this technology can be used in a manner that benefits society, also in respect to data protection.
Regulators and developers must come to a mutual understanding about how to blend privacy controls with transparent transactions and “bring the spirit of GDPR to the blockchain and vice versa”. To get the most out of it this asks for a layered and cooperative
approach to policy making between the regulators and the blockchain industry. Regulators must thereby incentivize developers to safeguard established fundamental rights protections and provide guidance as to how compliant systems can be built. Blockchain
innovators, on the other hand, must be given freedom to develop their products while respecting regulatory principles.
Amending GRDP rules
As a result of this dialogue, somewhere down the line, regulators could consider appropriate amendments
to the existing GDPR rules to account for the unique characteristics and specifics of blockchains and other technology innovations. These adjustments should allow for a variation on the right to be forgotten that can accommodate the blockchain technology.
Regulators should not wait too long in giving clarity on their future approach of blockchain. Long-lasting legal uncertainties around GDPR could signal an early end to blockchain progress. A practical instead of a dogmatic approach by GDPR is thereby recommended.
In order for blockchain to be able to become compliant, the GDPR should change some of its conceptions, taking account of the specifics of blockchain technology.
A middle of the road compromise however should be prevented. As that could hurt the fundamentals of blockchain technology and as a consequence will hurt the immense benefits.
I think it’s now a matter of having to wait and see how this will pan out in real life. In the meantime, the blockchain world should make as much noise as possible about it towards regulators and hope to get the right attention from them.
Being two sides of the same private data coin, one should keep in mind that the combination of GDPR and the use of DLT has the potential to improve the way in which firms collect, store and process private information. With blockchain technologies emerging,
we have new ways to further strengthen data-ownership, transparency and trust between entities.