Surveying the GDPR and Blockchains to Enable Ethical & Legal Data Privacy
In May 2018, the European Union's General Data Protection Regulation (GDPR), adopted in 2016, became enforceable, directing companies of all shapes and sizes to handle customer personal data lawfully, transparently and securely. In the blockchain space, the prevailing view has been that blockchains are incompatible with the GDPR. The picture is not that simple, however, because of the diversity of use cases and architectures that exist in the realm of blockchain technology.
In this article, we will explore what the GDPR is and what developers and entrepreneurs pursuing blockchain tech in this space can keep in mind while they are building businesses. As the first order of business, let’s take a closer look at the GDPR and its specifications for dealing with consumer data.
The GDPR and why we need it
To simplify the GDPR, businesses are expected to process the personal data they gather lawfully, fairly and transparently, for stated purposes and no longer than necessary. Depending on the kind of business (startup, small business, large corporation, etc.) and the kind of processing, the specific obligations vary. Common to all of them is the duty to ensure that personal data is not lost, stolen, destroyed or altered without authorisation; any of these situations would qualify as a personal data breach.
In today's data-centric society, there are actors who cause harm by misusing personal data and thereby breach trust. Political consulting firm Cambridge Analytica reportedly obtained the profile data of some 50 million Facebook users without their consent and used it to target political advertising for the 2016 Trump campaign in the USA. This highlights how consumers lose control over what happens to their data once they share it with large corporations, and that is why the GDPR plays a pivotal role in enabling an ethical data sharing environment.
In order to avoid these circumstances, businesses need to make sure that they have the following bases covered.
1. Carrying out Data Protection Impact Assessments (DPIAs) — required when processing is likely to result in a high risk to the rights and freedoms of individuals. Examples include:
a. Leveraging emerging technologies (blockchains, for example)
b. Processing genetic or biometric data like DNA testing
c. Tracking customer location data
d. Marketing to children.
2. All businesses should make sure that they have a privacy policy that comprehensively explains what happens to user data. This should include the contact details of the controller, why and how data is being collected, the legal basis for the processing, how long the information will be kept, the rights of the users, the recipients (or categories of recipients) of customer data, and the contact details of the EU representative and the Data Protection Officer (DPO) where one is required.
3. Businesses also need to prepare for data breaches: a breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and affected individuals must be informed without undue delay when the breach is likely to put their rights and freedoms at high risk.
The GDPR and blockchains
With that said, we can establish that GDPR guidelines are set to help businesses build a healthy data management practice. For blockchain companies, however, the GDPR and the technology itself come into conflict in several areas, for two main reasons.
Firstly, under the GDPR there needs to be an identifiable data controller (the entity that determines the purposes and means of processing, typically a business) against whom data subjects (customers) can enforce their legal rights. Blockchains are decentralised ledgers operated by many nodes rather than by a single entity, so there is no obvious party to hold responsible. Participants in a blockchain network could agree on joint controllership, but assigning responsibilities among nodes and keeping those arrangements up to date as the network changes is onerous.
Secondly, the immutability of blockchains is an admirable feature that is vital for creating a trustless environment that preserves data integrity. In the realm of GDPR compliance, however, it causes friction: the GDPR gives data subjects the right to have their data rectified and, where the conditions are met, erased, and an append-only ledger cannot honour either request for data written directly on-chain.
Exploring solutions & the way forward
It is well established that the GDPR has significant points of conflict with blockchains. Nevertheless, the situation is navigable. A study for the European Parliament titled "Blockchain and the General Data Protection Regulation — Can distributed ledgers be squared with European data protection law?", published in July 2019, observes that clearly allocating controllership within a blockchain network will be key to preserving data subjects' rights. The controller's role mainly involves determining the purposes and means of processing personal data, together with the responsibility for complying with the GDPR.
Additionally, because storing personal data on-chain is questionable with respect to GDPR compliance, storing it off-chain is a viable option. The off-chain record is then linked to the blockchain by writing only a hash of it on-chain, which lets anyone verify the record's integrity without the ledger holding the data itself. Two caveats apply. A hash is not encryption: it does not make the data confidential, it only commits to it. And a bare hash of low-entropy personal data (an e-mail address, a date of birth) can be matched against guesses, so the on-chain value may itself still count as personal data. Using a keyed or salted hash, with the salt kept off-chain alongside the record, means that erasing the record and its salt also severs the link to the on-chain value.
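The following added example (not code from the original article or from Streamr) illustrates the off-chain pattern just described. It keeps personal data and a per-record random salt in a mutable off-chain store, writes only an HMAC-SHA256 commitment to an append-only in-memory stand-in for the ledger, and contrasts that with a bare SHA-256 hash of the same data. The sample e-mail address, the candidate list and the `Ledger` / `OffChainStore` classes are constructed for illustration; whether the remaining on-chain commitment still counts as personal data in a given deployment is a legal question the code does not settle.

```python
"""Off-chain personal data, on-chain salted commitment (added illustration).

Shows why "hash it and put it on-chain" needs a salt: a bare hash of a guessable
value can be re-derived by anyone, while an HMAC keyed with an off-chain salt
cannot be tested against guesses once the record and its salt have been erased.
All data and the in-memory ledger are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def plain_commitment(data: bytes) -> str:
    """Bare hash: anyone holding a candidate value can check it against the chain."""
    return hashlib.sha256(data).hexdigest()


def salted_commitment(salt: bytes, data: bytes) -> str:
    """Keyed hash: without the salt the on-chain value cannot be tested against guesses."""
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


class Ledger:
    """Append-only stand-in for the chain: entries can never be changed or removed."""

    def __init__(self) -> None:
        self._entries: List[Tuple[str, str]] = []

    def append(self, record_id: str, commitment: str) -> None:
        self._entries.append((record_id, commitment))

    def commitment_for(self, record_id: str) -> Optional[str]:
        for rid, commitment in self._entries:
            if rid == record_id:
                return commitment
        return None


class OffChainStore:
    """Mutable store holding the personal data and its salt; this is what gets erased."""

    def __init__(self, ledger: Ledger) -> None:
        self._ledger = ledger
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # id -> (salt, data)

    def create(self, record_id: str, data: bytes) -> str:
        salt = os.urandom(32)  # fresh per record so identical values get different commitments
        self._records[record_id] = (salt, data)
        commitment = salted_commitment(salt, data)
        self._ledger.append(record_id, commitment)
        return commitment

    def verify(self, record_id: str) -> bool:
        """Integrity check: the off-chain data still matches the on-chain commitment."""
        entry = self._records.get(record_id)
        on_chain = self._ledger.commitment_for(record_id)
        if entry is None or on_chain is None:
            return False
        salt, data = entry
        return hmac.compare_digest(salted_commitment(salt, data), on_chain)

    def erase(self, record_id: str) -> None:
        """Erasure request: drop data and salt. The chain entry stays but is now unlinkable."""
        self._records.pop(record_id, None)


def guess_plain(on_chain: str, candidates: List[bytes]) -> Optional[bytes]:
    """Dictionary attack against a bare hash of low-entropy personal data."""
    for cand in candidates:
        if hmac.compare_digest(plain_commitment(cand), on_chain):
            return cand
    return None


def guess_salted(on_chain: str, candidates: List[bytes], salts: List[bytes]) -> Optional[bytes]:
    """Same attack against a salted commitment; it only works if the attacker has the salt too."""
    for salt in salts:
        for cand in candidates:
            if hmac.compare_digest(salted_commitment(salt, cand), on_chain):
                return cand
    return None


def demo() -> Dict[str, object]:
    email = b"alice@example.org"  # constructed personal data
    candidates = [b"bob@example.org", b"alice@example.org", b"carol@example.org"]

    ledger = Ledger()
    store = OffChainStore(ledger)
    store.create("rec-1", email)
    verified_before = store.verify("rec-1")

    store.erase("rec-1")  # data subject exercises the right to erasure
    verified_after = store.verify("rec-1")

    bare = plain_commitment(email)
    salted = ledger.commitment_for("rec-1")  # still on the immutable ledger
    return {
        "verified_before_erasure": verified_before,
        "verified_after_erasure": verified_after,
        "bare_hash_recovered": guess_plain(bare, candidates),
        "salted_recovered_without_salt": guess_salted(salted, candidates, [b"", b"\x00" * 32]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows the bare hash being matched to the e-mail address from a three-entry guess list, while the salted commitment left on the ledger cannot be matched once the record and its salt are gone. The salt should be stored with the same access controls and retention rules as the personal data it protects, because whoever holds it can re-link the on-chain value.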
While these options are being explored, and while regulation of the blockchain space is still taking shape, businesses are still required to follow the principles of data minimisation and purpose limitation. None of the above qualifies as an all-encompassing solution to the existing discrepancies, but these efforts point toward the right answers. Regulators and EU bodies, including the European Data Protection Board (EDPB), are examining blockchain technology, and in time clearer guidance that enables robust data protection in the blockchain space should emerge.
Originally published at blog.streamr.network on November 17, 2020.