Published in 4CADIA
4 min read, Mar 13, 2020

Between Law and Code: Blockchain vs GDPR

by Flávio Gouvêia

Blockchain engineer at 4CADIA Foundation

It is common, among the more skeptical critics of the potential of blockchain for governance, to emphasize the inherent limitations of this technology in a world in which a state or supranational institution can still impose regulations on the use of data belonging to the citizens and companies in its territory.

But is it, after all, realistic to hope for a society in which contractual relations are founded on decentralized mechanisms, governed by diffuse incentives? Or would we instead be heading toward a world government, regulated by a centralized and sovereign entity?

The passing of the General Data Protection Regulation (GDPR), which became law in the European Union on May 25, 2008, wrote a new chapter of this story. The regulation sought to institute mechanisms to protect the privacy of users' data, establishing, among other rights, that of data portability and the right to demand that companies edit, correct, or alter data according to the wishes of its owner.

Those who defend the regulation see it as a mechanism of protection in a global and interconnected world in which the market for private information moves billions of dollars every year.

But where does blockchain come into all this?

In the background of the debate lie two fundamental tensions between the technology and the new regulation:

— On the one hand, the GDPR requires that it be possible to identify a central controller who answers to the legal authorities for the wishes of the lawful holders of the information. In a blockchain, the decentralized nature of the network makes every participant in the chain subject to this responsibility, and it is not clear in what scenario the idea of joint controllership, foreseen by the regulation, would cover this case.

— On the other hand, blockchain means immutability: data is entered into a record that cannot be altered and is thus available to the whole network. Because a blockchain network records data and the history of its participants' personal transactions (a central mechanism for guaranteeing the transparency of the network and protecting it against fraud), it falls within the scope of the GDPR, imposing dilemmas that no one knows for sure how to overcome.

However, these problems can be solved, depending on the “architecture” in which the data is stored and on how the new legal provisions are implemented.

Personal or public data can be stored on a blockchain in several ways. It can be written into a transaction either encrypted or in the clear (for instance, as a cryptographic hash), or stored in a smart contract (encrypted or not), and be available to everyone or only to a limited number of people. All of this depends solely on the architecture of the information.

Storing personal data in a transaction without the use of cryptography does indeed conflict with the GDPR and the LGPD, in light of the two problems just mentioned, which really seem insurmountable in that case: there is no central controller, and no possibility of altering, anonymizing, or erasing the data.

On the other hand, using smart contracts to implement the requirements of the regulation makes the system compatible with the demands of data protection. What matters, in this case, is that the architecture built by the developers and controllers of the network respects the rights related to privacy and data protection.

It is important to stress that the developers and controllers must build the smart contract following certain rules. Among them:

1. The personal data must be encrypted at the time it is recorded and made available only through a specific function, and only to those individuals authorized to access it.

2. Access to the personal data must be controlled with a private key. Over time, the contract must also provide functions that can alter the access permission, anonymize the data, or even destroy it.

In this manner, the use of smart contracts on a blockchain, with encryption at the time transactions involving personal data are made and with functions that change access to that data over time, would prove compatible with the GDPR.
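One way to realize rules 1 and 2 above, as an added Python model that is not part of the original post: personal data is encrypted before it is written to an append-only Ledger, an off-chain Controller holds each record's key and access list, reads succeed only for authorized parties, and erase() destroys the key so the immutable ciphertext becomes unreadable. The Ledger and Controller classes, the HMAC-based stream cipher standing in for a real AEAD, and treating erasure as key destruction are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

def _prf_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD
    such as AES-GCM (confidentiality only, no integrity). Same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class Ledger:
    """The on-chain part: an append-only record that is never edited."""

    def __init__(self):
        self.blocks = []

    def append(self, payload: bytes) -> int:
        self.blocks.append(payload)
        return len(self.blocks) - 1

class Controller:
    """Off-chain controller role (assumed design): keeps each record's key and
    access list. Only ciphertext reaches the ledger; erase() destroys the key."""

    def __init__(self, ledger: Ledger):
        self.ledger, self.keys, self.acl = ledger, {}, {}

    def record(self, data: bytes, authorized: set) -> int:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        idx = self.ledger.append(nonce + _prf_stream(key, nonce, data))
        self.keys[idx], self.acl[idx] = key, set(authorized)
        return idx

    def read(self, idx: int, who: str) -> bytes:
        key = self.keys.get(idx)
        if key is None or who not in self.acl.get(idx, ()):
            raise PermissionError(f"{who} may not read record {idx}")
        blob = self.ledger.blocks[idx]
        return _prf_stream(key, blob[:12], blob[12:])

    def revoke(self, idx: int, who: str) -> None:
        self.acl[idx].discard(who)

    def erase(self, idx: int) -> None:
        # Anonymise: the on-chain bytes stay, but no key can ever read them.
        self.keys.pop(idx, None)
        self.acl[idx] = set()
```

The ledger is never modified by revoke() or erase(); only the controller's off-chain state changes, which is what makes the stored record unreadable.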

Other solutions are being developed and suggested by specialists all over the world. And what about you? Do you have any suggestions about how we can overcome the dilemmas of Law so that Code can work at full force?
