Blockchains and GDPR: Are they incompatible?
Can decentralized applications or blockchain solutions be used and be in compliance with data protection laws?
By Tatiana Revoredo and Rodrigo Borges
Introduction
GDPR (General Data Privacy Regulation), the new European legislation for protection of personal or sensitive data[1], was approved in 2016, and came into force on May 25, 2018.
Created to harmonize data protection in the European Union and return data property to individuals, GDPR comes amid social outcry for better data control, fueled by Facebook’s leakage scandal, which has resulted in the largest devaluation of its history since the opening of its capital[2].
Thus, the new law seeks to bring transparency and more detailed information on how organizations and companies should handle collected data. Also establishing the “right to be forgotten”, rules on portability and conditions to be observed in eventual assignment of data to third parties.
Given the impact GDPR has caused worldwide, including Brazil, to elaborate their own General Data Protection Law, this article intends to analyze how blockchain structures, with their distributed and immutable character, will be affected by this legislative movement for privacy protection.
Can decentralized application or blockchain solution be used and be in compliance with data protection laws? Is coexistence possible between blockchains and the right to be forgotten?
The rearview mirror issues
At start, it is important to notice that GDPR was designed to protect the privacy and personal data of individuals who had long suffered from abuses and failures related to “centralized” data transmission and storage systems.
How, then, to blame an ill-intentioned actor who provides, for example, a link that points to a PDF file of his ex-wife’s income tax return in an immutable Blockchain?[3] How will GDPR perform its function if it is impossible to delete data that has been inserted, stored and transmitted in a fully distributed way?
This is an example of how regulation sometimes seeks to solve a problem by looking at the rear view mirror, instead of looking at the road ahead [4]. When European policymakers were debating and finalizing GDPR aspects, blockchains structures were not on the radar of most people.
In order to achieve our objective (clarify whether it is possible to reconcile distributed and immutable character of blockchains with the new European data protection law), we need to be able to identify blockchain structures (whose DNA has peer-to-peer networks, encryption, and distributed consensus), and knowing how to process data in a blockchain.
Data storage and transmission in blockchain
Blockchain stores information in containers, called blocks, which are chronologically linked to form a continuous line, a chain of blocks.
To change information already registered in a particular block, previous information is not deleted to include the new one. Instead, every data change is stored in a new block showing that X has changed to Y at a specific date and time. Thus, previous information is not deleted
How can we reconcile immutability and distributed character of a blockchain with values (personal and sensitive data, for example) that need to be kept confidential?
Different blockchains
There is not onlyone open platform, or a single blockchain where anyone can check or modify information or change the system as a whole.
What exists are various types of blockchains, classified as either public or private, open or closed, depending on how they approach the security model and threats. It may also be either permissioned or not, with various structures and governance rules that may be implemented in various existing platforms, which allow the use of this technology for a wide range of purposes, applied to a wide variety of audiences [5].
While public or open blockchains are those in which anyone can join the network, private or closed blockchains are those in which only pre-selected participants can join the network.
In permissioned blockchains, pre-selected entities lead consensus process. In permissionless blockchains, anyone can take part in a consensus process.
Blockchain’s projects can also be grouped into three categories:
a) Specialized blockchain systems designed to process essentially non-personal data, such as bills of lading, letters of credit or diamond certificates;
b) Specialized blockchain systems designed to process personal data, such as proof of identification, or even sensitive personal data, such as medical records;
c) Non-specialized blockchain systems that can be used to process any form of data.
Ways to reconcile personal or sensitive data with blockchains
We are in the initial stage of blockchain structures development, which is similar to what happened in the early days of Internet.
At the beginning of world-wide web, the vast majority of people saw it just as a chat room, without even imagining the business models that would come later because of it (Amazon, Netflix, Uber).
Keeping this in mind, let’s look at the paths being built to preserve personal rights and privacy in data processing in blockchains.
The first of said paths is processing personal and sensitive data “off chain” (information or transactions allocated outside the blockchain network).
Off-chain transactions occur between parties that trust each other (due to contractual relationship, for example) and generally require intermediaries (trustworthy validators).
Yet, sensitive or personal off-chain data storage is a great alternative to reconcile Blockchains and GDPR. This has become increasingly popular due to its advantages[6]: greater privacy (transfers are not visible in public blockchain), low cost (usually for free, since there is no need for intermediaries to validate transactions) and speed (transactions are immediately recorded, without need for network confirmations).
For those who wish to delve into an off-chain storage, it is recommended to watch Quick X’s “On Chain X Off Chain Transactions” video [7].
Another possible way would be to use side chains (parallel networks). Unlike off-chains (whose storage of sensitive information occurs in a traditional network, outside blockchain), a side chain is a parallel blockchain. It is next to the primary or main blockchain, serving multiple users. The degree of confidentiality and privacy in transactions occurring in side chains depends on which technology the side chain uses.
These side networks are independent, so if they fail or are hacked, they will not damage other networks. That is, the damage is restricted to that parallel network.
Well, that’s why the use of side chains enabled experimental versions of blockchain pre-release.
Another alternative we can mention to preserve personal rights and freedoms is the choice between blockchains that have been either permissioned and permissionless, since the choice between one or another type of blockchain has direct influence on who is responsible for complying with privacy requirements. Hence, it is always advisable to make a prior analysis of processing means and purposes before electing which blockchain should be used, in order to ensure that the privacy rules are considered.
Right to be forgotten vs. the Blockchains immutable character
Initially, it is noteworthy that the right to be forgotten (or the right to delete) does not grant an absolute right to be forgotten.
Individuals have the right to delete personal or sensitive data and prevent their processing in specific circumstances [8]:
a) When personal data are no longer necessary for the purpose for which they were originally collected / processed.
b) When the individual withdraws his/her consent.
c) When the individual opposes processing of their data and there is no legitimate interest to continue processing.
d) Personal data was illegally processed (i.e. violating GDPR).
e) Personal data must be deleted in order to comply with a legal obligation.
f) Personal data processed relates to a child.
Another point to consider is: does the right to be forgotten actually mean delete, erase?
What the term “forget” comprises is still open to debate. Some data protection authorities have considered that irreversible cryptography is deletion.
Of course, given the characteristic of immutability, “deleting data” in a blockchain environment is technically impossible because the system is designed to prevent it.
Smart contracts, however, may contain mechanisms that regulate rights of access. Hence, smart contracts can be used to revoke all access rights, making content invisible to third parties, even though it has not been deleted.
Conclusion
It is perfectly natural that questions do not cease being asked. Who would, for example, be the data controller in a blockchain, if these can be stored in several places, inside and outside the European Union?
Humankind goes through a time of transition and significant changes in the way the world is today.
Challenging old patterns and ideas that have populated our minds for centuries, blockchain is challenging governance and centralized and controlled ways of transacting, and it is unfair to define it as mere distributed record. This represents only one of its many dimensions whose breadth and impact, regulators and companies have still not been able to qualify and quantify [9].
In this context, a dialogue between regulators, society, developers and major players of this new industry is essential, in order to better harmonize citizen protection with the technological advance that will inevitably come.
Have the vigorous reactions of candle, kerosene and gas lighting industries (which described the “new technology” as “hazardous to health and with highly explosive potential”) prevented electricity evolution and adoption?
[1] From people living and located in the European Union at the moment their data and information are transferred.
[2] Frier, Sarah. In: Facebook Takes Historic Plunge as Scandals Finally Take a Toll, Bloomberg, 2018.
[3] To learn more about which files can or cannot be stored in Blockchain, go to: https://www.reddit.com/r/Bitcoin/comments/85wys5/eli5_how_one_could_store_images_on_the_blockchain/
[4] Toth, Anne. In: Industry Strategy Meeting: Will GDPR block blockchain?, World Economic Forum, 2018.
[5] Revoredo, Tatiana; Borges, Rodrigo Caldas de Carvalho. In: Can Blockchain be used to allow citizens to control their own identities? Blockchain Academy, 2018.
[6] Block basis. In: What is the difference between on-chain and off-chain transactions?, Block basis, 2018.
[7] QuickX. In: OnChain X Off Chain Transactions. Video available here: https://youtu.be/cJWECt6t-hI
[8] Maxwell, Winston; Salmon, John. In: A guide to blockchain and data protection, Hogan Lovells, 2017, page. 15.
[9] Revoredo, Tatiana. In: Blockchains vs DLTs: Brief comparative analysis of its underlying resources. Global Blockchain Strategy. 19/7/2018.
