Can the GDPR and Blockchain exist harmoniously?

Niharika Singh, Apla

Published in Blockchain Business Review, Aug 18, 2018

As technology grows more sophisticated, consumers are losing control of it and becoming more dependent on it. The moment a user has to hand over their geolocation in exchange for a ‘free’ service, they are surrendering personal data without understanding the full consequences of doing so.

This dependence is what tech companies capitalise on, and their revenue models prosper because of it. Most users do not realise the worth of the data they generate online, nor the value of the offline personal data they give away without noticing. Companies gather users’ data and process it, often without meaningful consent. Most users have no idea what goes on behind the scenes of their browsing and transactions; all they see are advertisements tailored to their recent likes, dislikes and searches.

Digital footprints are left at every click, but are users getting anything in return for the valuable data they generate? And who does this data actually belong to? Some argue that companies collect the data in exchange for providing their services, so a fair trade takes place. Others argue that the users generate the data, so ownership should ultimately rest with them. That is the crux of the argument.

A great deal of effort, thought and imagination is required to restore internet users’ privacy.

EU General Data Protection Regulation (GDPR)

The GDPR replaces the 1995 Data Protection Directive, which harmonised data-processing law across the EU until May 2018. The Regulation aims to empower individuals by giving them enforceable rights over how their data is handled, so users should find themselves with more control than before. Subject to the conditions in Article 17, they can have their information erased from a company’s systems; under Article 15 they can ask the company what personal data it holds on them and how it is being used; and under Article 20 they can have their data transferred from one company to another (portability). Furthermore, a company found to be in contravention of the GDPR can be fined up to €20m or 4% of its worldwide annual turnover, whichever is higher. A sizeable sanction indeed.

Wondering why all of these “updating privacy policy” emails all of a sudden?

The Regulation became enforceable on 25 May 2018, which is why users are being inundated with messages from organisations (public and private) saying that, to continue using the service, they must accept the new terms. Whether they choose to read them is another matter entirely.

The passing of the GDPR by the EU has had an effect on other countries as well.

Globally, the GDPR has been extolled by advocates of online privacy. Meanwhile, companies based outside the EU that process the data of people in the EU also have to comply with it to stay in the game, so they too are revising how they engage with their EU customer base. This will be taxing, because most companies offering free products built their revenue models on data the user gave away freely. Now they have to be very careful about the rules they must abide by while harvesting data.

Personal data according to the GDPR

Article 4(1) of the GDPR defines personal data as any information relating to an identified or identifiable natural person. Name, postal address, phone number, e-mail address, ID numbers and personal preferences are obvious examples, but so are online identifiers such as geolocation, IP addresses and cookie data, because they can single a person out. The Regulation further treats health, genetic and biometric data, racial or ethnic origin, political opinions and sexual orientation as special categories of personal data (Article 9) that may only be processed under narrow conditions. Misuse of any of this data may bring large fines in addition to reputational damage.

Parlance en vogue: GDPR and blockchain

When the GDPR was first proposed in 2012, blockchain was known to few people; centrally run services ruled the market. It is fair to assume that the GDPR was drafted without blockchain in mind, so it is only natural to ask whether something built on a blockchain can be GDPR compliant.

To understand the nuances, one has to understand the articles of the GDPR as well as how a blockchain works at its core. That raises the central tension: blockchain is built for immutability and for transparency through data visibility, and both sit uneasily with the GDPR’s requirements of erasure, storage limitation and confidentiality.

Here are some features of blockchain that are at odds with the GDPR:

Immutability
Once written to a blockchain, data is as good as inscribed in stone: every block is hash-linked to its predecessor and replicated across the nodes, so it cannot be erased or rewritten without breaking the chain. Blockchain treats this as one of its innate strengths, but it stands in direct contrast to the right to erasure (the “right to be forgotten”) in Article 17 of the GDPR. If a blockchain had a “delete” option it would be reduced to an ordinary distributed database, and its essence would be lost. On the other hand, one is breaching the law if personal data has been written to the chain and cannot be deleted. Note that encrypting or hashing personal data before writing it does not remove it from the chain; at most it removes the ability to read it.

Transparency
On a public blockchain, data can be seen by everyone participating in the network, and data subjects would never know where information about them is stored, since copies are distributed all over the world. This collides with Article 15 of the GDPR, which gives the data subject the right to learn from the controller, on request, what personal data is being processed, for what purpose and who receives it. On most public blockchains the nodes are pseudonymous, and there is no practical way to determine who is viewing which data or where it is stored.

Blockchain architects, security and data managers and risk experts therefore have an issue to solve: how to have the best of both worlds, that is, to violate no law and still continue to use blockchain?

The strategy has to change.

The current DApp model has to be revised to incorporate GDPR compliance. Even though compliance sounds tough, the GDPR and blockchain together would form a powerful intersection of the emerging rights of citizens and better governance of technology. Both aim to dissolve the concentration of data control in powerful organisations and to temper the power imbalance between centralised service providers and consumers.

EU-based companies have put their best minds to work on a solution. Here is the approach proposed by Apla for using blockchain while remaining GDPR compliant:

  1. Solutions designed at Apla fall under Apla’s Data Protection Policy, which stipulates that no individual’s personal data is stored on the blockchain unless it is protected by anonymising technology.
  2. When an Apla-designed application has to process personal data, the Apla source code generates a Virtual Dedicated Ecosystem (VDE). A VDE is an environment with all the processing capabilities of the platform that works outside the blockchain. For instance, a VDE can be used to create registration forms, send verification information to users’ e-mail addresses or phones, and store personal data out of public access.
  3. When Apla collects and uses personal data from its users, those users are bound by the rules and standards set forth in the Apla Data Protection Policy, which is GDPR compliant. If a user asks for their data to be erased from Apla’s system, that is done upon request.
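To make the off-chain pattern behind points 1 and 2 concrete, here is an added example. It is my own illustration, not Apla’s code, and it does not model the VDE itself: a toy hash-chained ledger records only a random subject reference and a keyed commitment, while the personal data and the per-subject key live in a deletable off-chain store. An erasure request deletes the off-chain record and key; the chain is never rewritten and still verifies, and what remains on it is an opaque HMAC that cannot be guessed back to the data once the key is gone. The names `Ledger`, `OffChainStore`, `register`, `verify_subject` and `erase`, and the sample subject, are invented for the example.

```python
"""Toy off-chain personal-data pattern: the chain holds only opaque commitments.

Added illustration, not Apla's code. All names and sample data are invented.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so the same record always commits to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # only pseudonymous references and commitments, never personal data
    hash: str = ""

    def compute_hash(self) -> str:
        header = {"index": self.index, "prev": self.prev_hash, "payload": self.payload}
        return hashlib.sha256(canonical(header)).hexdigest()


class Ledger:
    """Append-only hash chain standing in for the immutable blockchain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.blocks: list[Block] = []

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1].hash if self.blocks else self.GENESIS
        block = Block(len(self.blocks), prev, payload)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """True if every block hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for block in self.blocks:
            if block.prev_hash != prev or block.compute_hash() != block.hash:
                return False
            prev = block.hash
        return True

    def mentions(self, needle: str) -> bool:
        """Does any on-chain payload contain this literal string (e.g. an e-mail address)?"""
        return any(needle in json.dumps(b.payload) for b in self.blocks)


class OffChainStore:
    """Access-controlled, deletable storage outside the chain (the role the text gives the VDE)."""

    def __init__(self):
        self.records: dict[str, dict] = {}  # subject_ref -> {"data": ..., "key": ...}


def commit(key: bytes, personal_data: dict) -> str:
    # HMAC with a random per-subject key rather than a bare SHA-256: a bare hash of a
    # record containing an e-mail address can be confirmed by hashing guessed candidates,
    # whereas without the key the HMAC reveals nothing about the record.
    return hmac.new(key, canonical(personal_data), hashlib.sha256).hexdigest()


def register(ledger: Ledger, store: OffChainStore, personal_data: dict) -> str:
    """Keep the data off-chain; write only a random reference and a commitment on-chain."""
    subject_ref = secrets.token_hex(16)  # random, not derived from name or e-mail
    key = secrets.token_bytes(32)
    store.records[subject_ref] = {"data": personal_data, "key": key}
    ledger.append({"event": "registered", "subject_ref": subject_ref,
                   "commitment": commit(key, personal_data)})
    return subject_ref


def verify_subject(ledger: Ledger, store: OffChainStore, subject_ref: str) -> bool:
    """Prove the off-chain record is the one committed on-chain (fails once erased)."""
    rec = store.records.get(subject_ref)
    if rec is None:
        return False
    expected = commit(rec["key"], rec["data"])
    return any(b.payload.get("subject_ref") == subject_ref
               and b.payload.get("commitment") == expected for b in ledger.blocks)


def erase(ledger: Ledger, store: OffChainStore, subject_ref: str) -> bool:
    """Article 17 request: delete the off-chain record and key; the chain is never rewritten."""
    if subject_ref not in store.records:
        return False
    del store.records[subject_ref]
    ledger.append({"event": "erased", "subject_ref": subject_ref})
    return True


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    # Constructed sample subject, not real data.
    ref = register(ledger, store, {"name": "Ada Example", "email": "ada@example.org"})
    print("on-chain mentions e-mail:", ledger.mentions("ada@example.org"))  # False
    print("verifiable before erasure:", verify_subject(ledger, store, ref))  # True
    erase(ledger, store, ref)
    print("verifiable after erasure:", verify_subject(ledger, store, ref))  # False
    print("chain still intact:", ledger.verify())  # True
```

Two caveats a practitioner should keep in mind. First, Recital 26 of the GDPR treats pseudonymised data that can still be re-linked to a person as personal data, so the design only works if the off-chain record and key are genuinely destroyed and the on-chain reference is random rather than derived from an identifier. Second, the pattern does nothing for personal data that has already been written to a chain in the clear; as the immutability section notes, that cannot be undone.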

Treating each problem and each apparent paradox as something to be solved rather than avoided is how one arrives at a solution.

True creativity flourishes under constraint. The aim is to build privacy into the very core of the system architecture. Blockchain has come too far to die now, and the GDPR’s game-changing stipulations will clamp down wherever data is being abused. The middle path chosen here is engineered to produce a win-win. Blockchain technology will advance with time, and more solutions will surface to address blockchain/GDPR compatibility.

Ultimately, the aim is to bolster trust between stakeholders, give end users ownership of their data, and bring more transparency to the inner workings of organisations, so that users know exactly how their data is being used. This moment is an opportunity to exploit the disruptive technology blockchain has to offer while respecting data ownership.

Author: Niharika Singh

I’m a curious IT engineer in the making who is fond of technology, poetry and cakes. It’s my passion to learn about and present my own views on various upcoming technologies, especially FinTech. I’ve been into blockchain for 3 years now, reading and researching DLTs.

Blockchain Business Review from Apla provides high-quality educational material from the world of blockchain to inform the business community of the competitive advantage that can be gained by integrating distributed ledger data storage within organizations. Our mission is to promote knowledge about blockchain and its uses in both the private and public sector and demonstrate the value of blockchain integration.
