The Conflict — GDPR vs. Blockchain

While the GDPR empowers individuals to control their personal data in the EU and EEA, the emerging blockchain technology faces a critical challenge in complying with the new regulation.

Yoshitha Chowdary
Flowchain Knowledge Camp
5 min read · Jan 20, 2020


What is GDPR?

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) in April 2016 and built on existing data protection principles. It is considered the strictest privacy and security law in the world. GDPR imposes obligations on organizations anywhere in the world, as long as they collect data related to people in the EU. The regulation became enforceable on May 25, 2018. GDPR imposes harsh fines against those who violate its privacy and security standards; the penalties can reach tens of millions of euros. The purpose of the Regulation is to empower individuals to control their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. According to GDPR, “personal data” means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This new regulation is an extended effort to ensure consistent and enforceable legal requirements across all member states to protect the right of any EU citizen to privacy and security of their data.

The conflict between Blockchain and GDPR:

Photo credit: https://reurl.cc/RdVDDr

When an enforceable right meets an immutable ledger, it looks like a textbook clash of law and technology. GDPR aims to give people the right to know how their data is being used and the right to correct or delete that data. Blockchain technology, on the other hand, has “immutability” as one of its fundamental properties: by combining cryptography and decentralization, a blockchain makes it difficult to alter or delete any data stored on the chain.

All in all, GDPR requires that data can be changed, while a blockchain offers permanence. We might say GDPR and blockchain are fundamentally incompatible. This raises several questions. What should companies do with the data already stored on blockchains? Will Europe cut itself off from this modern innovation, blockchain? Or should companies that use blockchain to process personal data in Europe discontinue their services?

Blockchain’s solutions to comply with GDPR:

The most important question is, “how can blockchain comply with GDPR?” GDPR requires companies to be careful about the architecture of their blockchain systems, to ensure that the data they store on the chain is not considered “personal data”. Notably, businesses should pay close attention to how public keys might be treated and classified under GDPR, because GDPR’s definition of “personal data” covers anything that can be linked back to an identifiable person, including IP addresses, a unique public key, or an address on the blockchain.

Public keys were not explicitly considered when GDPR was drafted, and their status is likely to be a subject of evolving interpretation, with high-stakes consequences for companies working with blockchain solutions.

If any personal data is stored on a blockchain, then it certainly violates GDPR, leaving the company exposed to GDPR’s penalties. Conversely, if a blockchain’s architecture is carefully designed with GDPR in mind, with only public keys stored on the blockchain and any off-chain personal data encrypted and unavailable to the blockchain developers or miners, then GDPR’s rights of erasure, rectification, and data portability are not implicated.

Hyperledger Besu

Photo credit: https://www.hyperledger.org/blog/2019/08/29/announcing-hyperledger-besu

ConsenSys, the world’s largest Ethereum development company, submitted its first public blockchain project to Hyperledger, named “Pantheon Hyperledger”. The proposal was approved very quickly, and it became the 15th Hyperledger Greenhouse Project, which was later renamed Hyperledger Besu.

Hyperledger Besu is just as committed to modular design as Fabric. Thus, most of the functions can be removed and altered according to the needs of the application. Besu also conforms to the specifications of the Ethereum Enterprise Alliance (EEA), which ensures that the data exchange between public and private chains complies with corporate standards.

Besu provides a hybrid chain architecture, which is easy to use and compatible with GDPR. For example, consider the Sovrin Network, a distributed ledger technology (DLT) platform that allows users to control their data. If a self-sovereign identity (SSI) project fulfills its promise of protecting personal data, then this could have a positive impact on data protection. The code used in Sovrin is open-sourced as Hyperledger Indy, which is part of the Linux Foundation.

Photo credit: https://sovrin.org/

With Sovrin, personal data is not stored on the blockchain. People and companies have “Decentralized Identifiers” (DIDs). Companies store their public DIDs on the public ledger, so you can verify a company’s details before connecting with it. However, neither individuals nor companies have just one DID. Instead, you have one for every connection you establish, and those are not saved on a blockchain. For instance, if you want to exchange data securely peer-to-peer with your bank, then each party will have a DID for that connection, which you store privately.

Flowchain’s Approach

Photo credit: https://flowchain.co/

Flowchain uses a hybrid blockchain architecture to develop a blockchain suitable for the Internet of Things (IoT). Flowchain’s hybrid blockchain stores only the hash value of the data on the public chain. The personal data is stored on the private chain, where it can be altered by authorized users. Flowchain is building its projects with GDPR compatibility in mind. Flowchain’s approach is similar to Besu’s, but Besu is written in Java and requires more computing power to operate, whereas Flowchain uses JavaScript, which is more suitable for IoT nodes. What they share is that both adopt a hybrid blockchain architecture, which makes GDPR compliance easier to achieve.

Edited by Angelina H. Huang, PR & Marketing Lead, Flowchain.


10/12/2019
