An Overview of the Compatibility of Public Blockchains and Data Protection Law: A Deeper Look at GDPR and Mystiko’s Role

Mystiko.Network
6 min read · Aug 4, 2022

Blockchains are often praised as next-generation databases that promise to facilitate secure and efficient transactions among parties who do not know each other. By design, a blockchain offers a new way of storing data while guaranteeing its integrity and transparency. However, tensions remain between blockchain and the current legal system, especially data protection law, because blockchain technology and data privacy laws and regulations have largely been developed independently of each other [1].

Many current blockchain applications are at best ambiguous from a privacy compliance perspective. Absent clear guidance, processing personal data directly on a public blockchain network may expose businesses that want to use the technology’s advantages to significant legal risk [2].

This post first looks at a major example of data protection law that is often seen as incompatible with public blockchains, using the General Data Protection Regulation (GDPR) as the prototype of modern data protection law. It then identifies how public blockchains can work towards compatibility with the principles of modern data protection law despite their inherent obstacles. Finally, it explores Mystiko’s role in improving the compatibility of public blockchains with data protection law.

1. Inherent Incompatibility with GDPR

1.1 Ambiguity in applying data controller in blockchain networks

The GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and is an important component of EU privacy law. The first inherent incompatibility between public blockchains and this data protection law stems from specific definitions and concepts that do not map onto public blockchains. In the EU, the implementation of GDPR rests on the roles of the ‘data controller’ and the ‘processor’. GDPR defines a data controller as: “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” Data subjects therefore exercise their rights under GDPR through a ‘data controller’ or ‘processor’.

However, these terms lead to two questions:

(1) In a public blockchain database, where a variety of nodes and actors are involved, how can the data controller or processor be specifically identified?

(2) How should responsibility and accountability of (joint) controllership be allocated if data subjects want to exercise their rights?

Because data controllers and processors in blockchain networks are hard to identify, it is equally hard to apply these GDPR concepts to public blockchains. This is an inherent conflict between GDPR and public blockchain networks. Resolving it will require further guidance and compromises from regulators.

1.2 ‘Right to Be Forgotten’, ‘Right to Rectification’, and the Principle of ‘Data Minimisation’

In addition, Articles 16 and 17 of the GDPR give the data subject the right to rectification and the right to erasure. However, blockchains and other distributed ledger technologies are designed as tamper-evident databases: once data is recorded on the network, it is meant to be neither forgotten nor modified. Modification is made extremely burdensome precisely to guarantee data integrity and build trust in the system.

1) Right to be forgotten

The right to be forgotten is one of the pivotal rights through which the GDPR intends to balance the interests of the data subject and the platform [2]. Article 17 of the GDPR stipulates some of the circumstances in which rights holders can claim this right:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies …”

Modification and erasure of data in public blockchain systems are troublesome, because this kind of database is intentionally designed to make erasure and modification burdensome in order to create online trust, transparency, and data integrity.

2) Right to Rectification

Similar to the right to be forgotten, the right to rectification is also a vital remedy for data subjects when incomplete data or erroneous data is stored [2]. Article 16 GDPR states that:

“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”

This right is difficult to enforce for the same reason as the erasure right: because of the design characteristics of public blockchains, on-chain data cannot easily be modified.

3) Data Minimization

As one of the principles of modern data protection law, data minimization plays a crucial role in GDPR. However, the essence of data minimization is significantly at odds with data storage on a blockchain database. Article 5 (1)(b) of the GDPR demands that data be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Public blockchains rely on data replication and distributed storage to achieve transparency and integrity. Once a new element is added to a public blockchain database, it remains on the chain permanently. The public blockchain is therefore an ever-growing database, accumulating more data with each additional block. In theory, every node stores a full copy of the database, kept consistent by a consensus algorithm. This is in direct conflict with the data minimization requirement.

2. Solution — Standardization with Encryption in Blockchain Design

The discussion above shows visible conflicts between public blockchains and data protection law, especially at the conceptual level. However, the two are not inherently incompatible. From technological, legal, and standardization perspectives, public blockchains and data protection law can each compromise to adapt to the other.

The conflicts described above arise from the degree of transparency that public blockchains provide. If blockchain users could choose to enhance privacy while using blockchain networks, these conflicts could be lessened. Pseudonymization and anonymization could be part of a blockchain solution: many blockchain technologies already employ encryption to protect privacy, which goes at least part of the way toward the privacy-by-design concept on public blockchains.

Some emerging techniques may turn personal data into anonymous data, and they are attracting the attention of blockchain standardization efforts. One of them is zero-knowledge proofs, including zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge). A zero-knowledge proof can provide a binary true/false answer to a question about data without giving access to the underlying data. A European Parliament report indeed appears to consider zk-SNARKs as a means of complying with the data protection by design requirement [3].

3. Mystiko’s Role

Recently, Vitalik Buterin, founder of Ethereum, stated that “zk-SNARKs are a really powerful tool for combining the benefits of accountability and privacy,” and described potential ways of using them for privacy protection [4]. The Zero-Knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) is the first practical and widely used zero-knowledge protocol. Mystiko.Network currently leverages zk-SNARKs to help public blockchains produce anonymous data and thereby become less vulnerable to conflicts with the GDPR.

Mystiko.Network’s zk-SNARK protocol can be readily integrated into almost all major layer-1 blockchains such as Ethereum, BSC, Solana, Polkadot, Avalanche, and Polygon, into layer-2 networks such as zkSync, Arbitrum, and Optimism, and into popular blockchain applications. With an easy-to-use SDK plug-in, Mystiko can also help secure privacy in blockchain wallets, DEXs, and bridges.

The Mystiko Protocol’s ability to integrate with most public blockchains and applications can make public blockchains more compatible with privacy protection laws such as the GDPR and reduce the risks businesses face in adopting blockchain.

About Mystiko.Network

Mystiko.Network is the base layer of web3 with both connectivity and confidentiality. Leveraging zero-knowledge proofs with industry-leading “zk of zk” technology, Mystiko.Network guarantees interoperability, scalability, and privacy, all at once.

References

[1] Li, Zihao. “Standardisation of Blockchain and Distributed Ledger Technologies — A Legal Voice from the Data Protection Law Perspective.” 25th EURAS Annual Standardisation Conference – Standards for Digital Transformation: Blockchain and Innovation (The European Academy for Standardis. 2020.

[2] Shah, Pritesh, et al. “Blockchain technology: Data privacy issues and potential mitigation strategies.” Practical Law (2019). https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf

[3] European Parliament (27 November 2018) Report on Blockchain: a Forward-Looking Trade Policy (AB-0407/2018) para 21.

[4] “Some Ways to Use ZK-Snarks for Privacy.” Vitalik Buterin’s Website, https://vitalik.ca/general/2022/06/15/using_snarks.html.
