GDPR became 2 years old — Time to assess the future of Blockchain based Digital Identities

Oliver Naegele, helix id
Published in @Blockchain HELIX
3 min read, Jul 1, 2020

GDPR just became 2 years old — a huge milestone.

Moving past the celebrations, however, it is time to recalibrate. As digitalization accelerates, driven by the normalization of remote working and digital payments during the Corona crisis, it is imperative to refocus on trustworthy data management across the entire EU. As the European Commission points out, “Citizens are more empowered and aware of their (digital) rights.” But when blockchain and digital identity are applied to data management, what are the challenges, and how can they be solved?

One of the major concerns regarding blockchain and GDPR is whether a public key or any other on-ledger identifier already counts as personal data. The tension lies in transaction metadata: it contains no personal data outright, yet it may still be considered personal data because it enables profiling and back-tracing. GDPR is explicit on this point: pseudonymised data remains personal data as long as someone can attribute it to a natural person with the help of additional information (Art. 4(5), Recital 26), and a key that a user reuses across transactions is exactly such a pseudonym.

The scenario becomes clearer when we look at how communication systems already layer on top of each other: the Internet's own abstraction layers, and the additional layer a DLT adds on top of TCP/IP. Comparing the data the TCP/IP stack processes with the data on a ledger shows that a very similar kind of data interaction already takes place today.

Consider a short comparison. An IP address seen on the TCP/IP stack carries enough context to count as personal data (the CJEU confirmed this for dynamic IP addresses in Breyer, C-582/14): traffic is traceable through timestamps, the geolocation of the address, the addresses of the counterparties, and the fact that this metadata is visible to the public and private infrastructure the traffic passes through.

A DLT run as a public, permissioned ledger has more or less the same structure, apart from the additional hashing, encryption and tamper-evidence it brings. Those additions do not change the analysis: a hash or ciphertext of personal data is still personal data for anyone who holds the pre-image or the key, and an immutable ledger only makes such data harder to correct or erase, not less identifying.

If we apply the argument that IP addresses on the TCP/IP stack are personal data, and that handling them is therefore inherently non-compliant with GDPR, the logical conclusion would be to shut down the internet: no ISP would accept the risk of being the responsible controller under GDPR given the fines for non-compliance. The premise is where this argument bites, however. GDPR does not prohibit processing personal data; it requires a lawful basis (Art. 6), purpose limitation and respect for data-subject rights, and ISPs process IP addresses under exactly those conditions. The ledger-specific difficulty is therefore not that an identifier is personal data, but that a replicated, append-only ledger cannot easily honour rectification (Art. 16) and erasure (Art. 17).

Taking this example into consideration: if the EU Commission wishes to protect both the EU digital economy and its users' digital rights, a recalibration of GDPR will need to define critical and base infrastructure, together with concrete measures that resolve the contradictions discussed above between personal and pseudonymous data. That is an important step in laying the foundation for the welfare of European citizens online.

Furthermore, it must be decided to what extent traceability on the one hand, and obfuscation on the other, are permitted in relation to crime and other areas of prosecution (Art. 23 GDPR, Restrictions). Seen in this light, an identity built on Zero-Knowledge Proofs (ZKP) can produce a degree of anonymity that frustrates the lawful-access restrictions Art. 23 allows, even though GDPR itself does not apply to genuinely anonymous data (Recital 26). On a technical and legal level, a citizen's claim against profiling by a law-enforcement body is indistinguishable from a claim against a company that violated GDPR. This lack of clarity makes it hard to prevent governments from abusing the GDPR's broad exceptions in an undemocratic manner.

As business models move towards a triangle of identities between people, companies and things, there must be a shift to pseudonymous IDs that are specific to each 1:1 relationship between two parties. If a user presents a different, unlinkable identifier to every counterparty, the identifier can no longer serve as the join key for profiling across interaction partners; what remains is correlation through other channels (timing, IP addresses, shared attributes), which has to be addressed separately. It would give European citizens more control over their personal data, because their data-subject rights under Chapter 3 of the GDPR become easier to exercise. Lastly, it sends a clear signal to the over-the-top platforms such as Facebook, Google, Amazon and Apple that the era of excessive collection and profiling of their users' personal data is coming to an end.
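The pairwise-pseudonym idea above, as an added Python example that is not part of the original post or of helix id's code base. It assumes a per-user master secret held in the user's wallet and derives one pseudonym per authenticated counterparty with HMAC-SHA256; the DOMAIN label, the fixed sample secrets and the two service names are constructed for the example. A second function joins the two services' logs to show what collusion yields with one global identifier versus pairwise ones.

```python
import hashlib
import hmac
from collections import defaultdict

# Hypothetical domain-separation label for this example; not a helix id constant.
DOMAIN = b"pairwise-id-v1"

# Constructed, fixed master secrets so the example is reproducible. A real
# wallet would generate these with secrets.token_bytes(32) and never export them.
USERS = {
    "alice": bytes(range(0, 32)),
    "bob": bytes(range(32, 64)),
}


def global_id(master_secret: bytes) -> str:
    """The anti-pattern: one pseudonym derived once and reused with everyone."""
    return hashlib.sha256(master_secret).hexdigest()[:32]


def derive_pairwise_id(master_secret: bytes, counterparty: str) -> str:
    """Derive the pseudonym a user shows to exactly one counterparty.

    HMAC-SHA256 keyed with the user's master secret acts as a PRF: the same
    counterparty always sees the same stable pseudonym, while two different
    counterparties see values that cannot be linked without the secret.
    The counterparty string must be an authenticated identifier (e.g. a
    TLS-validated origin or a verified DID); otherwise one service could
    claim another's name and obtain the pseudonym used with that service.
    """
    if len(master_secret) < 32:
        raise ValueError("master secret must be at least 256 bits")
    if not counterparty:
        raise ValueError("counterparty identifier must not be empty")
    msg = DOMAIN + b"\x00" + counterparty.encode("utf-8")
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()[:32]


def link_records(logs: dict) -> set:
    """Join several counterparties' logs on the user-identifier column.

    Returns the identifiers that occur in more than one log, i.e. the users
    that colluding services could profile across interaction partners.
    """
    seen = defaultdict(set)
    for service, entries in logs.items():
        for uid, _event in entries:
            seen[uid].add(service)
    return {uid for uid, services in seen.items() if len(services) > 1}


def simulate(users: dict, pairwise: bool) -> set:
    """Constructed scenario: every user interacts with two services that
    later pool their logs. Returns the set of cross-linkable identifiers."""
    services = ("shop.example", "bank.example")
    logs = {service: [] for service in services}
    for master in users.values():
        for service in services:
            uid = derive_pairwise_id(master, service) if pairwise else global_id(master)
            logs[service].append((uid, "login"))
    return link_records(logs)


if __name__ == "__main__":
    print("global id, linkable users:  ", simulate(USERS, pairwise=False))
    print("pairwise id, linkable users:", simulate(USERS, pairwise=True))
```

With the global identifier the join recovers both users; with pairwise identifiers it recovers none, because nothing in the two logs matches. In GDPR terms the pairwise value is still pseudonymous personal data for the user (the holder of the master secret can always re-identify it), but for each counterparty it is a key that identifies nobody outside that one relationship. The same derivation would seed a per-relationship signing key in a DID-based wallet; that step is omitted here.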

Let’s be courageous, resolute and positive towards a new period of data sovereignty.

References

https://ec.europa.eu/commission/presscorner/detail/en/qanda_20_1166

https://gdpr.eu/

If you want to learn more about self-sovereign identities, follow me on Twitter and this blog. You'll find weekly articles on digital identity, the team at Blockchain HELIX and the digital identity solution, helix id.


Oliver Naegele, helix id: Founder of Blockchain HELIX, focused on Digital Identity & Blockchain