How Blockchain and GDPR Could Work Together
In an era where data privacy is an increasing concern, blockchain technology is moving toward a more transparent and more verifiable security model. Blockchain is a decentralised database where any data stored is read and write and not editable. As such, any data is immutable, verifiable and traceable. That puts blockchain in direct opposition to the General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. With regulations pushing for more consumer control of personal data, can blockchain technology work within this new framework? Absolutely, but not as it currently processes data.
GDPR Data Rules Explained
GDPR regulation is designed to allow individuals greater control over their personally identifiable information. Specific to the EU, new rules require data storage to enforce consumer rights like:
- Erasing personal data when the need for its storage expires, when you withdraw consent for the storage or when it is no longer legal to continue processing that data.
- Corrections for incorrect data.
- Restricted processing when data is under contention, awaiting an amendment or you withdraw permission.
Erase is the word that butts directly up against the blockchain. Under these new rules, all companies storing personally identifiable data must offer the required levels of control and must have an EU representative on staff to handle data deletion and control requests. Even if the company has no physical location within the EU, a local representative is required. Failure to follow these rules can lead to stiff fines on data controllers and processors. These fines are administered by individual countries, and the amount of the fine depends on ten criteria, including the nature of the infringement, actions taken to mitigate any damage or history of previous infringements. Whenever a firm infringes on multiple criteria, the fine will be according to the gravest infringement.
GDPR Breaks the Chain
Remember that blockchain means data is immutable and can’t be edited? That makes following new GDPR rules tricky when also using this technology. What makes blockchain so revolutionary is the ability to store information across a variety of systems for improved security. Editing any of the stored data introduces an inherent security risk. Existing data on a blockchain cannot be deleted or changed; it can only be updated by adding a new transaction to the chain. On a blockchain, all transactions are clearly visible and highly transparent for those with access to the blockchain. While the GDPR was designed to be platform agnostic, the requirements for data deletion and data editing seem to be a direct contradiction of the way the technology functions.
Regulations Remain Obsolete
While privacy protection is a laudable goal, regulatory changes continue to lag behind the realities of technology. Potential applications for blockchain continue to grow, encompassing everything from financial transactions to land registries. The ability to trust in blockchain systems comes from the knowledge that the information, once entered, is permanent. Deletion on demand is not compatible with the blockchain as it exists today.
In addition, GDPR is simply not applicable to a decentralised system. The regulation assumes that a single controlling entity can delete the stored data. The whole idea of a decentralised ecosystem, such as public blockchain systems like the Bitcoin or Ethereum networks, is that there is no central entity to take control. No company or single individual can affect the entire ledger, making it impossible to delete data on these types of networks. Even the individual, organisation or thing that added the data to the blockchain cannot delete or edit the data, if they are already known in the first place. Therefore, it becomes difficult, if not impossible, to hold accountable the entity that added the data to a public blockchain. Private blockchains offer more control and a place to point the finger, but erasing information is still a tricky beast.
Compromise for the Future
Given the nature of blockchain, it seems clear that the GDPR as written will be incompatible with existing blockchain uses. That doesn’t mean that compromises aren’t available. While you can’t delete data from the blockchain and maintain the current level of security, you can segregate the types of data stored on the chain. For example, the blockchain could retain records of contracts and changes with hashes that reference information that contains personal identification.
If you buy a song using Voise, a P2P platform for musicians that enables direct-to-consumer sales, the details of the transaction would be stored on the blockchain, but your personal information (payment details, name, address, etc.) would go through a third party. That third party would control your music access and library of songs. By separating the types of data and putting personal information on centralised systems, blockchain becomes compliant. That’s not how things work now, but segregating data is possible. Of course, with segregation, your data is suddenly much more accessible and secure, right?
Security Risks With GDPR Compliance
Well, not completely. The GDPR gives you more control over your data, but it doesn’t increase security. If blockchain platforms split data storage, suddenly your information is vulnerable to hacking, phishing and all sorts of black hat strategies. On the blockchain, information is highly encrypted, decentralised and secure. Decentralising personal data to enable erasure removes that added security.
Secure and Compliant?
One thing the GDPR does not do is define “erase”. While it might seem clear what it means to erase data, there is definitely some grey area. Even “erased” data is often recoverable, so if data is inaccessible, even to the entity providing storage, does that count as erased? If yes, blockchain technology can rapidly rise to the challenge by simply destroying the cryptographic key associated with certain information. The data will still be there, but it will be unreadable. This solution preserves the integrity of the ledger and offers a greater level of personal control over what information you share publicly. However, it should be ensured that the cryptographic keys are quantum-proof. Data that is encrypted and where the cryptographic key has been deleted may be deemed ‘erased’ now, but might become visible again in the future. Therefore, erasing data on a blockchain by deleting the cryptographic key would only work if the encryption used is quantum-computing resistant.
Until the rules go into effect, it is difficult to predict the direct impact of GDPR on blockchain technologies. However, one thing is clear — blockchain developers are planning for compliance where possible. With the growing interest in cryptocurrencies and alternative use cases for blockchain technology, the EU is not going to regulate away the existence of a highly efficient technology.
Although blockchain technology seems to be not compliant with GDPR in terms of erasing data when using none-quantum-resistant encryption, it is a worthy trade-off; blockchain offers increased provenance, transparency, privacy and security of data, offering better protection of consumers than existing centralised technologies. Therefore, it is likely that regulators and developers will come to an understanding about how to blend privacy controls with transparent transactions and bring the spirit of GDPR to the blockchain and vice versa.