Can GDPR and Blockchain co-exist?

GLOSSARY

Shivali Sharma
towardsblockchain
4 min read · Apr 16, 2019


  • GDPR (General Data Protection Regulation): A regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It came into force on May 25th, 2018. It strengthens the rights of individuals and gives them more control over their own information.
  • Data Controllers: Companies that store individuals’ data. Data controllers are responsible for the data processed by third parties.
  • Data Processors: Companies that analyze and process the stored data.
  • Personal Data: Any information that relates to an identified or identifiable person, or that can lead to a particular person. Examples: IP address, phone number, etc.
  • Private Blockchain: Blockchains that allow organizations to employ distributed ledger technology without making the data public. This does away with decentralization.
  • Public/non-permissioned Blockchain: Networks that promote anonymity and transparency. Public blockchains, as the name suggests, are public and decentralized and can be accessed by anyone. Data cannot be tampered with once entered.
  • Permissioned/Consortium Blockchain: Networks that have an access-control layer built into the blockchain nodes. They differ from private blockchains, which allow only known nodes to participate in the network. There is some level of centralization.
  • CNIL: The Commission Nationale de l’informatique et des libertés (National Commission on Informatics and Liberty) is a French regulatory body that aims to ensure that data privacy law is applied to the collection, storage and use of personal data.

TENSION BETWEEN GDPR AND BLOCKCHAIN:

The General Data Protection Regulation aims at the protection of the data of all EU residents and gives them control over the personal data that companies hold on them. It was adopted on April 27th, 2016 and came into force on May 25th, 2018. Hefty penalties have been set for non-compliance: €20 million or up to 4% of annual global turnover, whichever is greater.

In contrast, Blockchain has been designed to distribute storage and information processing, which presents a challenge when it comes to the regulations and workings of the GDPR (such as data processing, the distributed framework, etc.).

Hence, the workings of Blockchain conflict with some Articles and regulations of the GDPR.

CONFLICTS

The working of Blockchain conflicts with the following Articles of the GDPR:

  • ARTICLE 5: PROCESSING OF PERSONAL DATA

States that the personal data collected should be accurate and kept up to date. It also ensures that inaccurate data is erased and rectified without delay.

  • ARTICLE 16: RIGHT TO RECTIFICATION

It is the right given to consumers to correct the data that some party holds on them, provided that the data is either insufficient or inaccurate.

  • ARTICLE 17: RIGHT TO ERASURE/ BE FORGOTTEN

Refers to the right that one’s personal data must be deleted as soon as the purpose for which it was processed is either fulfilled or the consent to process is withdrawn.

  • ARTICLE 18: RIGHT TO RESTRICT PROCESSING

It restricts companies from processing someone’s data, given that the data is incorrect or was unlawfully corrected.

Along with Articles 15, 20 and 25, which aim at the “Right of access by the data subject”, the “Right of data portability” and the “Right of access by the data subject”, respectively.

However, Blockchain is a decentralized technology with certain features: data cannot be deleted or edited once created, it is immutable, it cannot be hacked into, etc.

Blockchain has raised certain challenges in terms of compliance with human rights and freedoms (especially at the European level).

CNIL has been working with its European counterparts to suggest a harmonised approach and establish a foundation for inter-regulation.

Therefore, a blockchain cannot store the data of EU citizens, because doing so directly contradicts the Articles stated above.

SOLUTION

  • Personal data can be encrypted before being stored in the Blockchain. Destroying the key of the encrypted data makes it useless. The process of hashing can achieve the same effect.
  • The data can be stored in an external database, and only its hash stored in the Blockchain.
  • Data removal and modification can then be done by removing or changing the data in the external database. The hash stored on the Blockchain no longer corresponds to anything, which makes the information unreachable from the Blockchain.
  • Store the data in a permissioned/private Blockchain instead of a public Blockchain. In a permissioned Blockchain, access is controlled and limited to a few people.
  • Zero-knowledge proofs/protocols can be adopted. The essence of such a proof is that one party can prove a fact to another party while revealing no information (or only minimal information) beyond the fact itself.

Therefore the authenticity of transactions can be found out without knowing about the actual data.
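As an added illustration (not code from the original post or from any project it mentions), the following Python sketch implements the off-chain storage pattern of the first three bullets above: the personal data lives in a mutable store, the ledger holds only a salted SHA-256 commitment of it, and rectification or erasure act on the store while the chain stays append-only and still verifies. `PersonalDataService`, `Ledger`, `Block` and the `rec-N` record ids are hypothetical names; the phone-number records are constructed sample data, and the hash chain stands in for a real blockchain (no consensus or replication). The salt is not part of the post’s description: it is added because a bare hash of low-entropy data such as a phone number can be matched by enumerating candidate values, so an unsalted on-chain hash would still identify the person.

```python
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    record_id: str
    commitment: str            # salted SHA-256 of the off-chain record, never the record itself
    supersedes: Optional[str]  # record_id this block rectifies, or None
    block_hash: str = ""

    def compute_hash(self) -> str:
        payload = [self.index, self.prev_hash, self.record_id, self.commitment, self.supersedes]
        return sha256_hex(json.dumps(payload).encode())


class Ledger:
    """Append-only hash chain standing in for the blockchain: nothing here is ever deleted."""

    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, "genesis", sha256_hex(b"genesis"), None)
        genesis.block_hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, record_id: str, commitment: str, supersedes: Optional[str]) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.block_hash, record_id, commitment, supersedes)
        block.block_hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        """True if every block hashes correctly and links to its predecessor."""
        for i, block in enumerate(self.blocks):
            if block.block_hash != block.compute_hash():
                return False
            if i > 0 and block.prev_hash != self.blocks[i - 1].block_hash:
                return False
        return True

    def commitment_for(self, record_id: str) -> Optional[str]:
        for block in self.blocks:
            if block.record_id == record_id:
                return block.commitment
        return None


class PersonalDataService:
    """Hypothetical service: mutable off-chain store plus immutable on-chain commitments."""

    def __init__(self) -> None:
        self.ledger = Ledger()
        self.store: Dict[str, Tuple[bytes, bytes]] = {}  # record_id -> (salt, personal data)
        self._counter = 0

    def record(self, data: bytes, supersedes: Optional[str] = None) -> str:
        """Keep the personal data off-chain; anchor only a salted commitment on the ledger."""
        self._counter += 1
        record_id = f"rec-{self._counter}"
        salt = os.urandom(16)  # the salt is what keeps the on-chain hash from being guessable
        self.store[record_id] = (salt, data)
        self.ledger.append(record_id, sha256_hex(salt + data), supersedes)
        return record_id

    def rectify(self, record_id: str, new_data: bytes) -> str:
        """Article 16: anchor the corrected record, then drop the old off-chain copy."""
        new_id = self.record(new_data, supersedes=record_id)
        self.erase(record_id)
        return new_id

    def erase(self, record_id: str) -> bool:
        """Article 17: delete data and salt off-chain; the on-chain hash remains but is an orphan."""
        return self.store.pop(record_id, None) is not None

    def resolve(self, record_id: str) -> Optional[bytes]:
        """Return the data only if an off-chain copy exists and matches its on-chain commitment."""
        entry = self.store.get(record_id)
        if entry is None:
            return None  # erased: the ledger alone cannot reconstruct it
        salt, data = entry
        if sha256_hex(salt + data) != self.ledger.commitment_for(record_id):
            return None  # off-chain copy was altered behind the ledger's back
        return data


if __name__ == "__main__":
    svc = PersonalDataService()
    rid = svc.rectify(svc.record(b"phone=+33 1 23 45 67 89"), b"phone=+33 1 98 76 54 32")
    print("corrected:", svc.resolve(rid), "| erased:", svc.erase(rid), svc.resolve(rid))
    print("chain still valid after erasure:", svc.ledger.verify_chain())
```

After `erase`, `resolve` returns `None` while `verify_chain` still returns `True`, which is the whole point of the pattern: the immutable part holds nothing that can be traced back to the person once the off-chain record and its salt are gone. Tampering on either side is detectable: changing the off-chain copy makes `resolve` return `None` because the commitment no longer matches, and changing a block makes `verify_chain` return `False`. The zero-knowledge bullet is a separate technique and is not covered by this sketch.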

CONCLUSION

GDPR and Blockchain can work hand in hand only if both come to a common consensus, as the GDPR is not data friendly or data neutral. Therefore, we need changes such as giving the majority of computers in a blockchain a say in the deletion of data. We can come to better solutions over time, as the technology evolves.
