Creating a Culture of Data Sensitivity

Luke Sheehan
Smart Data Ecosystem by Genaro Network
7 min read · Jul 12, 2018

The GDPR, Blockchain and Genaro: Part Two

This is the second of three short articles on the General Data Protection Regulation, or GDPR, and its import for blockchain.

In the previous piece we outlined the strong, proactive wording of the new data law, how it denotes E.U. citizens as ‘Data subjects’ and makes organizations into ‘Data processors’ and ‘Data Controllers’. We noted that these distinctions may be difficult to apply in a decentralized and encrypted system: Who is the true ‘Controller’ in a system designed to run autonomously? How could the GDPR element referring to ‘Erasure’–also known as the “right to be forgotten”–be applied in a blockchain context, where data encoded in the blockchain is nigh on impossible to remove without deleting the chain itself or forking it?

Informed commentary has focused on a cluster of topics in this complex intersection. After addressing some of these we will be in a better position to conclude whether GDPR/Blockchain has a bright or gloomy outlook, and what strategies organizations like Genaro should take for the sake of compliance, as well as preserving the ideals and technological architecture of projects. Here we will argue for a positive approach which could help shape later interactions between blockchain projects and central authorities.

First, let’s recap with a fresh look at the law.

First rule of good PR: Do Nothing? image: boxbear pictures

As we explained in the first article, the framing of the legislation has clear implications for web companies dominant in areas like traditional Cloud Computing, Search Engines and Social Media, along with Internet Service Providing and other underlying elements of our online lives.

Groups that directly collect data as well as groups processing it for other groups will have to enable users to receive complete records of what has been collected about them, and give people the right to transfer, change or erase the data being held.

What’s less clear is how to interpret the new rules in the realm of blockchain. Bitcoin, still the most impactful blockchain, was designed to continue autonomously and anonymously–the latter idea well expressed in the continued anonymity of the protocol’s creator. Moving into the wider landscape, Ethereum’s second stage of evolution introduced a staggering number of new organizational types–with the overarching theme being to avoid reproducing the structures of the companies that the GDPR seems to have been specifically designed to constrain, i.e. centralized companies and databases.

‘Erasure’

This problem is foremost in commentary on contradictions between blockchain and GDPR. The problem concerns the “immutable” record keeping that makes blockchain so disruptive in the worlds of finance, logistics, authentication and more. Yet one essential misconception is at work: a blockchain is a ledger, not in itself a place for everyday data storage, and for practical purposes must interact with data that is off-chain. The elegant and relatively lightweight form of the chain itself is one of its great advantages–as of March 2018 Bitcoin’s public chain was just over 150 gigabytes, extraordinarily compact for a world-changing phenomenon. Cryptocurrencies have generally had to be made convertible to fiat currencies by exchanges in order to gain traction as units of value. In the expanding world of blockchain-supported real-world services a similar logic of trusted gateways has emerged: a company whose blockchain record wishes to guarantee the authenticity of a bottle of French wine will have to first guarantee the accuracy of real-world data before it is entered into the chain to be tracked.

If the blockchain provides a strong skeletal structure for a new kind of animal, the lifeblood letting value circulate has been provided by developers, investors and others who have created gateways in and out of the chain. Data storage, the layer of the new infrastructure that Genaro focuses on, has been a busy highway: IPFS, Maidsafe, Sia, Storj and others have all made structures allowing the DApps being made on Ethereum et al. to interact with a variety of data. The smart contract operations, token transfers and queries are registered on the chain, but the deeper data accumulated is not. That is why a positive interpretation of the new law sees a ‘Dual-strata’ approach as necessary for future development: personal and intimate data should be a matter of off-chain storage, and so compliance with the principles, if not the exact letter, of the new law would be possible. Access to data would be anonymous and encrypted, with the gateways only opened by the holders of personal keys.
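The split between an immutable ledger and erasable off-chain data can be sketched in a few lines. This is an added example, not Genaro's code or anything from the original article; the `Ledger` and `OffChainStore` classes, the keyed-digest commitment and the sample records are all assumptions made for illustration.

```python
import hashlib, hmac, json, os

class Ledger:
    """Hypothetical append-only hash chain; holds commitments, never the data."""
    def __init__(self):
        self.entries = []

    def append(self, commitment):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.entries.append({"prev": prev, "commitment": commitment, "hash": digest})
        return len(self.entries) - 1

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            digest = hashlib.sha256((prev + e["commitment"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True

class OffChainStore:
    """Hypothetical off-chain layer: personal record plus a per-record secret key."""
    def __init__(self):
        self.records = {}  # ledger index -> (key, serialized record)

    def put(self, ledger, record):
        key = os.urandom(32)  # random key: the commitment cannot be guessed from likely values
        blob = json.dumps(record, sort_keys=True).encode()
        idx = ledger.append(hmac.new(key, blob, hashlib.sha256).hexdigest())
        self.records[idx] = (key, blob)
        return idx

    def check(self, ledger, idx):
        if idx not in self.records:
            return False  # erased: nothing left to tie the commitment to a person
        key, blob = self.records[idx]
        expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, ledger.entries[idx]["commitment"])

    def erase(self, idx):
        self.records.pop(idx, None)  # drops record and key; the ledger is untouched

def demo():
    ledger, store = Ledger(), OffChainStore()
    # Constructed sample records
    a = store.put(ledger, {"name": "Alice Example", "email": "alice@example.org"})
    b = store.put(ledger, {"name": "Bob Example", "email": "bob@example.org"})
    linked_before = store.check(ledger, a)
    store.erase(a)
    return {"linked_before": linked_before, "linked_after": store.check(ledger, a),
            "other_record_ok": store.check(ledger, b), "chain_valid": ledger.verify()}
```

After `erase`, the chain still verifies end to end and the second record still checks out, while the erased record's ledger entry is an opaque digest with no surviving key or plaintext.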

The E.U. takes the lead. image: Irish Times

Decentralized Governance

A trickier set of questions applies to the matter of how GDPR could begin to be applied to organizations spread out across networks of nodes or involving decentralized development teams working from numerous countries. In a way this issue is easier to answer: In the case of truly decentralized structures, the law would be impossible to apply strictly as it assumes a centralized leadership and financial system that can be audited and held to account. Note how this writer ends an expert’s take with a litany of questions that imply no easy answers.

Locking blockchain in or out of Europe? image: lawware uk

The registered “foundations” that blockchain projects rely upon to legally organize their ICOs and other activities are legal entities that the E.U. regulators might focus upon in future in seeking to ensure data compliance. Yet, as the protracted battle over the launch of the Tezos platform showed, these foundations often exist at a remove from true technological development and are fluid in structure and often opaque. The GDPR takes steps towards making data processors and connection providers more responsible, but who can truly be held responsible for the flow of data when cutting edge cryptography distributes information and activity across an untraceable network of nodes?

In fact, the difficulties of this question do lead to a wider angle of criticism that one might take on the law itself.

Following that, it will be worthwhile to see how the law actually carries out a needed intervention on behalf of us “data subjects”–one that can introduce a better ‘Culture of Data Sensitivity’.

The categories created by the law have been criticized as naïve with regard to technology–and a danger to innovation and entrepreneurship, as only rich companies will have the money to spend on compliance. Perhaps the whole instrument is merely a sweeping attempt to corral a digital world that is already beyond such control. How could it be systematically applied in today’s traditional online environment anyway, let alone in the crypto space?

However, actual application of the penalties in every instance of infringement may not be the intended outcome. In sending a message that governmental power in Europe will step in to guarantee a better mode of conduct in egregious cases, the law can make data-sensitive conduct more widespread in places regulators will not actually put their noses, or not for a long time. Blockchain may well come into this category, depending on what regulators decide.

In fact, a sharper sense of transparency and responsibility is already emerging as a side effect, with individuals as well as companies more aware of the value and vulnerability of personal data. Requiring larger groups to appoint Data Protection Officers is a bold creative move from the E.U. that offers a specific break with an irresponsible past. Now companies will have answerable spokesmen to respond to breaches, leaks and abuses. There would be nothing to stop a blockchain collective from voluntarily creating a similar role to show bona fides (good faith) with regard to GDPR, creating a firmer security profile within the space before regulators have decided what stance to take.

That it is the monopolistic software companies known for turning a profit out of freely accumulating data from their users that were targeted by GDPR was underlined both by the mollifying statements from the likes of Facebook and Google (“We already are doing everything we can to comply!”) as well as the multi-billion euro lawsuit immediately filed by an Austrian privacy activist the instant the law came into effect. The background to the Cambridge Analytica story may be summarized as: No, Facebook technically did not break any law or contradict their own policies at the time, but the attitude towards customer data showed bad faith, as did the attempts of the company hierarchy to distance themselves from the outcome of the situation they allowed to happen.

In the area of prioritizing individual data privacy, blockchain and GDPR are on the same page. Yet it must be accepted that blockchain uses tools to achieve this that are not factored into GDPR.

If that is even possible. image: templatemonster

Responsibility

If blockchain introduces a powerful new type of record keeping, and this can only be applied practically through efficient creation of gateways, it’s the tools of encryption and decryption that permit the gateways to work. These tools can be used for good or ill, and the radical trend of blockchain has been to place many of the best instruments into the community at large for spontaneous growth and uptake. In this growing environment, attention from all actors on the network will be required to build an ecosystem where users benefit from the new technology while retaining privacy and other rights. If, as looks likely, the law continues to lag behind rather than smother or support blockchain development, the better actors in the crypto community can certainly afford to apply useful lessons from the approach that instruments such as the GDPR are taking.

In the next, final piece on GDPR and blockchain, we will examine the strategies that the Genaro Network in particular may apply to meet the needs of the community as well as adhere to the regulations.

Find more about the Genaro Network’s dual-strata architecture blockchain and decentralized storage at: https://genaro.network
