GDPR vs Blockchain
Posted on Jul 18, 2018
It is believed that conflicts of interest may arise between blockchain and the GDPR. After all, blockchain technology was created to ensure reliable, tamper-resistant data storage, while the GDPR guarantees the right to be forgotten.
Will blockchain be used when applying the GDPR? Does the GDPR contradict the principles of blockchain? Is it necessary to refine the GDPR in order to allow blockchain technologies to work and develop? Today’s experts, software developers, and business representatives around the world ask these questions.
The regulation against technology?
To say that the GDPR (General Data Protection Regulation) directly affects blockchain is not correct, since blockchain is a technology for distributed data storage (data is arranged as a continuous, consecutive chain of blocks according to certain rules). In a blockchain, it is impossible to change or delete any data without disrupting the entire chain. Typically (though not necessarily), a registry built on blockchain technology is public and decentralized, and the data in the blockchain is encrypted.
Blockchain technology itself is not related to personal data and is not regulated by the provisions of the GDPR. Risks associated with GDPR requirements arise only when personal data is stored in a blockchain.
Assessing the risks of applying the GDPR, several important factors need to be considered.
First, according to Article 3 of the GDPR, this regulation applies to personal data processing only if such processing is carried out:
- by a person registered on the territory of the European Union (hereinafter, the EU);
- by a person not registered on the territory of the EU, but who carries out activities related to offering goods, works, and services to data subjects located on the territory of the EU, or to monitoring the behavior of such data subjects.
Most well-known blockchain projects don’t have a centralized place for personal data processing and do not carry out activities aimed at the data subjects located in EU territory. Thus, the provisions of the GDPR will not apply to such projects.
Secondly, Article 4(1) of the GDPR defines personal data as information relating to an identified or identifiable individual. Therefore, information that does not allow an individual to be identified will not be considered personal data. For example, if a blockchain built to create and use a cryptocurrency stores only the digital wallet number and the amount of cryptocurrency credited to it, such information will not be personal data, because it does not allow the owner of the digital wallet to be identified.
In addition, anonymized, hashed or encrypted information will not be covered by the concept of personal data if it cannot be decrypted. The GDPR provisions will not apply to projects that do not process personal data. Thus, the GDPR will not apply to projects that do not fall under the criteria of Article 3 of the GDPR and do not process personal data as understood in Article 4(1) of the GDPR. Most likely, the number of such projects among all blockchain projects is quite large.
The right to be forgotten
However, blockchain technology can conflict with the new European legislation if it processes personal data. As is known, the GDPR describes the right to be forgotten.
If a project based on blockchain processes personal data and falls under the above criteria, then the main requirement of the GDPR, which may be in conflict with the technology used, is the right of data subjects to modify and erase their personal data provided for in Articles 16 and 17 of the GDPR.
If personal data is stored in a blockchain, it will be difficult to implement this right of the subject, since it is impossible to delete any data from the blockchain without breaking the entire chain. Nevertheless, within a blockchain there are still ways to fulfill such a requirement, for example by deleting the encryption keys, provided the data is stored only in encrypted form. In this case, encrypted data that can no longer be accessed will not be personal data (as it no longer corresponds to the definition of personal data). Accordingly, the requirement of the GDPR will be fulfilled.
If a blockchain is built as a distributed registry (i.e., information is stored and duplicated on multiple devices at the same time), as it is in most cases, then storing personal data in such a blockchain can conflict with the requirements of Articles 44-46 of the GDPR, which govern the transfer of personal data outside the territory of the EU. In this case, personal data should be stored separately from the blockchain, with the blockchain keeping only the links (references) required for its operation (off-chain storage). Personal data can then be stored on the territory of the EU.
The use of smart contract technology should be mentioned separately, because in this case the personal data of its participants can be stored in the registry, which will require, in particular, compliance with the requirements of the GDPR on data changes and erasure as well as on the territory of data processing.
To implement the GDPR requirements, the aforementioned techniques can be used (storing personal data separately from the blockchain using off-chain storage, and deleting encryption keys). Moreover, an automatic mechanism for modification and erasure can be built on top of these techniques.
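The two techniques described above (storing only a reference to off-chain, encrypted personal data in the block, and fulfilling an erasure request by destroying the subject's encryption key) can be seen in working code. The following is an added example, not code from the article or from any project it mentions. It builds a minimal hash chain whose blocks carry only a hash commitment to an off-chain record; personal data lives off-chain, encrypted with a per-subject key. Erasing a subject destroys the key and the ciphertext while every block hash stays unchanged, so the chain still verifies. The stream cipher built from HMAC-SHA256 in counter mode is a stand-in for a real AEAD such as AES-GCM, used only so the example runs on the standard library; all names and sample data are constructed for this illustration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Stand-in for AES-GCM so the example has no third-party dependency."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class Block:
    index: int
    prev_hash: str
    record_id: str
    record_hash: str  # commitment to the off-chain ciphertext, never the data itself

    def hash(self) -> str:
        return hashlib.sha256(json.dumps(self.__dict__, sort_keys=True).encode()).hexdigest()


@dataclass
class Ledger:
    chain: list = field(default_factory=list)
    off_chain: dict = field(default_factory=dict)  # record_id -> (nonce, ciphertext)
    keys: dict = field(default_factory=dict)       # subject_id -> per-subject key

    def record(self, subject_id: str, personal_data: dict) -> str:
        """Encrypt personal data per subject, keep it off-chain, commit only its hash on-chain."""
        key = self.keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        ciphertext = _keystream_xor(key, nonce, json.dumps(personal_data, sort_keys=True).encode())
        record_id = f"{subject_id}:{len(self.chain)}"
        self.off_chain[record_id] = (nonce, ciphertext)
        prev_hash = self.chain[-1].hash() if self.chain else "0" * 64
        self.chain.append(Block(len(self.chain), prev_hash, record_id,
                                hashlib.sha256(ciphertext).hexdigest()))
        return record_id

    def read(self, record_id: str) -> Optional[dict]:
        """Return the decrypted record, or None once the key or ciphertext is gone."""
        key = self.keys.get(record_id.split(":")[0])
        stored = self.off_chain.get(record_id)
        if key is None or stored is None:
            return None
        nonce, ciphertext = stored
        return json.loads(_keystream_xor(key, nonce, ciphertext))

    def erase_subject(self, subject_id: str) -> int:
        """Erasure request: destroy the subject's key and drop their off-chain ciphertexts.
        Blocks are untouched, so the hash chain stays intact."""
        self.keys.pop(subject_id, None)
        doomed = [rid for rid in self.off_chain if rid.split(":")[0] == subject_id]
        for rid in doomed:
            del self.off_chain[rid]
        return len(doomed)

    def verify_chain(self) -> bool:
        """Check every block's link to its predecessor; needs no access to personal data."""
        for i, block in enumerate(self.chain):
            expected_prev = self.chain[i - 1].hash() if i else "0" * 64
            if block.index != i or block.prev_hash != expected_prev:
                return False
        return True


def demo() -> dict:
    """Constructed sample run: two subjects, one erasure request for the first."""
    ledger = Ledger()
    alice = ledger.record("alice", {"email": "alice@example.com"})  # constructed sample
    bob = ledger.record("bob", {"email": "bob@example.com"})        # constructed sample
    before = ledger.read(alice)
    erased = ledger.erase_subject("alice")
    return {
        "alice_before": before,
        "alice_after": ledger.read(alice),
        "bob_after": ledger.read(bob),
        "erased_records": erased,
        "chain_intact": ledger.verify_chain(),
        "chain_length": len(ledger.chain),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that `verify_chain` never touches the off-chain store: a node holding only the blocks can validate the ledger after the erasure, and the `record_hash` is a hash of the ciphertext rather than of the plaintext, so it cannot be used to test guesses about the erased data.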
It should also be taken into account that any project in which initial collection and temporary storage of personal data is expected (even if the data is subsequently deleted or encrypted) needs to comply with the requirements of the applicable legislation (including the GDPR, where it applies) for such processing.
Besides, consent to process personal data is required, and responsible persons should be appointed to publish documents concerning personal data processing. These requirements must be met even if the data is subsequently stored in an anonymized (encrypted, hashed) form, since personal data processing starts from the moment such data is collected. Such requirements may complicate the use of blockchain as a decentralized system, but they are not impracticable.
To summarize, firstly, not all projects that use blockchain are subject to the GDPR, and secondly, taking into account the existing technologies, blockchain can be used to store personal data in accordance with the requirements of the GDPR. At the same time, most likely, both the legislation (in particular the GDPR) and blockchain will be developed and finalized to fit each other.
Contradictions to be overcome
Experts believe that contradictions between blockchain technology and the GDPR can be avoided by structuring a project correctly. Moreover, the European legislation will be refined, and the need for technological concessions when building blockchain-based projects will likely soon disappear. There is also the opinion that only anonymous blockchain technologies will be affected by the GDPR, whereas non-anonymous solutions will win.
“GDPR regulates the processes of operating with personal data. Of course, anonymous blockchain technologies based on BTC / ETH cryptocurrencies will not benefit from this because these technologies completely lack any kind of personalization. This is the main obstacle to their development and acceptance by various countries. However, there are also non-anonymous blockchain technologies. For example, a solution from IBM. In this solution, on the contrary, when building a blockchain network, a required condition is the authentication and special certification of each member of the network. Thus, the GDPR requirements create beneficial conditions for the development of the IBM platform. After all, they have the same goals to ensure transparency in the relationship between participants in a business process built on the basis of blockchain,” say the experts.
For this reason, a blockchain with full authorization of each participant is probably one of the breakthrough technologies for future business solutions. Bitcoin and ether were only the warm-up act for the real stars.
“Blockchain technology companies and startups share the same burdens as any other when it comes to the GDPR. Limiting automated data collection and processing, implementing data protection measures, notifying users of data breaches, providing data reports and deletions upon request, etc. Blockchains themselves are either GDPR-compliant or GDPR-non-compliant, depending on the data being recorded on them. If you were to submit personally-identifiable data on to a blockchain and permanently record it there, it would be challenging to have it removed later. But you're likely to find few instances where this is the case.
In my experience, the greater impact of GDPR will be on marketing teams that work inside of blockchain technology startups, like ours at Blockmason. For example, we have a mobile decentralized app called Lndr, which is a peer-to-peer expense sharing and bill splitting app for iOS and Android. Although we store very little user data - just an email address - we're still required to be responsible stewards of that data. So like any company, we've taken steps to make our policies compliant, have appointed a data manager and have recorded, auditable processes for the GDPR deletion requests we have received.
Can the GDPR kill the blockchain? In short, no. If anything, legislation like the GDPR proves the need for decentralized, anonymous and/or privacy-focused blockchain technologies. Although legislation rarely proves effective in curtailing hacks and data theft.
It seems like every day there's another example of a large company with big data doing very little to responsibly secure and protect it. Just today I read that Ticketmaster suffered a hack and 40,000 people had their data stolen. It's crazy.
A significant first step for many companies would be to decentralize their critical user data so that it's not all stored in a single, hackable database. By leveraging existing blockchain technologies, a company like Ticketmaster could have avoided disaster,” says Erik MacKinnon, Director of Growth, Blockmason.
Blockchain + GDPR
Some specialists not only see contradictions between the GDPR and blockchain, but also believe that distributed data storage can help provide additional security for personal data.
“There is a natural conflict of interests between the blockchain technology and the GDPR adopted in the European Union in May 2017. If blockchain is not managed in any way and is a preprogrammed system in which all data is stored, how will the provisions of the GDPR be implemented? After all, the document provides users with the access to data collected on them, to the erasure or correction of such information. Besides, the regulation will affect the companies using technologies that deal with people’s behavior – potential clients. Of course, deletion or correction of data doesn’t refer to blockchain. It’s simply impossible. Now specialists see the only solution to the problem, which is to encrypt data about users with secret private keys. On the other hand, it is possible that additional amendments to the regulation will be adopted taking into account the wide spread of the blockchain technology in business,” admits the expert of the blockchain laboratory of the financial university Venera Shaidullina.
Another expert believes that the genie has already broken out of the bottle and it is necessary to change the law, not the technology.
“For blockchain practitioners, the implications are very clear: don't store personal data in the blockchain. The 'forever' nature of blockchain data is incompatible with the requirement that personal data must be erasable, so the best strategy is to keep it out of the blockchain in the first place.
However, it's virtually certain that someone, somewhere, is going to put personal data into the blockchain. Regulators will not want to hear that the blockchain is exempt or that data can't be deleted. So when it happens, it's going to create a problem. Even if one can punish the party responsible for it, it may not be possible to correct by removing the data. The genie is really already out of the bottle, so I think it's unlikely that the GDPR will 'kill' the blockchain - anymore than we could shut down the entire internet. Ensuring that blockchain practitioners have adequate data management and privacy practices in place will go a long way to preventing these types of issues.
At this early stage, it's hard to say whether the GDPR will create more harm than good; maybe someday nations will want to keep personal identities and certifications in the blockchain itself because of their permanence and resistance to forgery. While approaches to personal data certainly warrant caution, we also need to ensure that premature regulation doesn't cut us off from innovative possibilities later,” says Alan Majer, CEO, Good Robot.
Konstantin Ivanov, founder of TradingView, believes that blockchain and the GDPR have no contradictions and can operate together. “If we take blockchain in a general sense, then there are no contradictions with the GDPR, rather the opposite. The essence of the GDPR is the transparent and secure logic of handling user personal data. We have the right to understand how our personal data is handled, where it is stored, how and why it is transferred to third parties, as well as the ability to influence such processes. Blockchain can be a useful tool to implement the GDPR practices, having a high level of security and transparency. However, eventually, everything depends on its specific implementation.”