GDPR and Distributed Ledger Technologies: An Introduction for Regulatory Compliance

What is data protection and why do we care?

I believe if I say “Cambridge Analytica”, or “Facebook user data breach scandal” a lamp will light up in your head. In a nutshell, and particularly as a consequence of the data theft scandal undergone by Facebook in early 2018, the topic of the role of privacy in online contexts has been getting hotter and hotter. Users all over the Internet have increasingly become more sensitive to the concept and are therefore becoming reluctant to share their data with websites or companies. But for how much it is true that not sharing our data prevents leakage and theft, this may also have some downfalls, and I am referring to something deeply beyond marketing practices. Imagine how crucial it is to retain patients’ data in healthcare, for example. But I am also sure you agree with me when I say I would not want my medical chart to get stolen, tampered with, or even distributed with unknown third parties.

At least once, in the recent period you may have received an email from some website asking you to update your privacy settings, when you probably didn’t even remember filling in the information space with your email. In theory, no company shall be able to retain your data outside your consent. Yes. In theory. The practice is quite different. The truth is that many companies are still collecting and utilizing the data we put online, more often than we expect even for illegal practices. Many companies we believe keep our privacy intact actually do not. Think of Bitcoin, for example. When Bitcoin first saw the light, the amazing “privacy” properties of its protocol led Ross Ulbricht to create the shady Tor-based platform for e-commerce of illegal goods going under the name of Silk Road. Well, as Bitcoin’s privacy was not very private, Mr. Ulbricht is today being held in jail with a life-long sentence.

In order to help consumers protect their personal information against abuses of the mentioned kind, on May 25, 2018 GDPR regulations became binding across all countries in the European Union.

This article is meant to provide an introductory guide to the said body of law and shed some light on its compliance methods with respect to DLT technologies.

Introduction to GDPR

Let’s start by providing an introductory definition of GDPR. The General Data Protection Regulation, GDPR for short, was introduced in the European Union in 2016. After two years, and more specifically on May 25, 2018, the regulation became binding across all European Union countries.

More in detail, the newly established GDPR regulation gives data subjects the following rights:

• Right to be informed;
• Right of access;
• Right of erasure, also referred to as right to be forgotten;
• Right of rectification;
• Right of restrict processing;
• Right of data portability;
• Right to object;
• Rights related to automated decision making and profiling.

What is important to underline here is the territorial scope of the mentioned body of laws. Even though the GDPR is per se a regulation set belonging to countries being part of the European Union, its application is substantially broader. The below paragraphs will try to provide a short overview on the areas of application.

Article 3 GDPR relates to the territorial scope of the regulation. First of all, it is stated there that GDPR regulation is binding for an entity when such entity performs activities that would establish either a data controller or a data processor (or both) in the European Union. However, the article successively states that the law applies also when data subjects are based in the EU, even in the case that neither the data controller nor the data processor are.

It can easily be stated therefore that the regulation holds a very broad scope of application. It appears in fact that most companies operating internationally, or dealing with processing or control of international data, are subject to the binding guidelines of the GDPR law. The question that naturally arises here is then the following: what happens when guidelines are not met?

The European Union regulatory bodies provide that the fines for lack of compliance shall be proportional to the size of the breach, and sanctions shall therefore be discussed on a case-by-case basis. However, sanctions for breach of the regulation can be massive, i.e. up to 20 million euros, or 4% of the overall company turnover of the previous fiscal year, whichever is higher. Imagine now being a multi billionaire company, for example say Google, or Facebook, and think of how much money a fine for 4% of a whole year’s turnover is!

GDPR and Distributed Ledger Technologies

One of the most debated questions in relation to the newborn GDPR regulation revolves around its role with respect to distributed ledger technologies: can the two coexist? And if so, how? Before proceeding in the article, it is important to mention that no final answer to the above questions has been formulated as of today. The topic is at the core of the discussions around GDPR going on in the European Union for the year 2019–2020, and therefore the first final solutions will be available not earlier than one year from the time of writing. Nevertheless, it is true that some guidance for compliance can be provided.

In order to shed some light on the practices for regulatory compliance with GDPR of distributed ledger technologies, it is of utmost importance to underline two of the main characteristics that differentiate blockchains from other technologies. I am referring to decentralization and immutability of the ledger.

1. Decentralization

Decentralization is the first of some of the core characteristics that define a distributed ledger technology. In short, it states that there is no owner of the ledger, but more likely the whole network as a collectivity could be referred to as the owner of the platform. Therefore, there is no single responsible entity for decisions, or controlling the events and behavior of nodes on the chain. On the other hand, the GDPR body of law was written keeping the underlying assumption that at least one legal or natural person, which is referred to in the regulation as the data controller (note that data controllers may be multiple), shall take responsibility for compliance, and to whom data subjects can address against a European court shall this not be achieved.

2. Immutability

The second “issue”, if we may call it by this name, is the feature of immutability of the ledger in a blockchain technology application. In fact, while blockchain was built exactly to make deletion or modification of previous historical data on the ledger extremely burdensome, and make therefore the records close to immutable, the GDPR body of law was constructed on the assumption that data being recorded shall be modified or erased whenever necessary and without suffering any meaningful delays.

It shall be quite clear now why the compliance with GDPR of any entity making use of whichever kind of distributed ledger technology is fairly complex: the GDPR was designed to be technology neutral, and as such no blockchain was taken into consideration at the time of drafting. Once again, although the European Union regulatory bodies are working on (at least partial) solutions, some guidance can nevertheless be provided.

First things first, why bother relying on a blockchain for data protection when compliance with legal requirements is so burdensome? Fair question, indeed. Exactly in virtue of the characteristics of distributed ledger solutions briefly described above, the potential for such platforms to provide higher quality protection of personal data with respect to legacy systems is evident. In other words, if no one owns or can directly access your data but you, as it is protected by a series of cryptographic solutions, and if no one can tamper with the history of data because it is immutable, as everyone (or everyone in a shard) in the network holds a copy of the data and is able to view any (attempted) modification or erasure made to the latter, it is quite clear that security and transparency are substantially enhanced, and your ownership on your own data becomes absolute.

Issues on compliance and possible solutions

It was mentioned multiple times throughout the first paragraphs of the article that some notable issues are currently being found when striving to reach legal compliance with GDPR of distributed ledger technologies. It was also stated that such obstacles arise primarily from two of the core characteristics of blockchain and distributed ledger technologies, i.e. decentralization and immutability of the ledger. The following paragraphs of this paper aim to introduce the concrete nature of such legal problems and provide some (possible) solutions that are currently being analyzed for achieving compliance with the GDPR body of law, and in particular with Articles 16 and 17 belonging to it.

Once again, it must be underlined that at the time of writing no final solution exists, and each application on distributed ledger technologies shall be verified for legal compliance on a case-by-case basis.

1. Data controller and data processor

A widely debated topic in GDPR relates to who shall be indicated as the data controller and who shall be defined as the data processor.

Article 4(7) GDPR defines the data controller as “the natural or legal person […] which, alone or jointly with others, determines the purposes and means of the processing of personal data […]”. In turn, personal data shall be defined as “data that directly or indirectly relates to an identified or identifiable natural person” (Article 4(1) GDPR).

A data processor, on the other hand, shall be defined as any entity that processes collected personal data on behalf of the controller. As such, while the data controller is the liable party for compliance with the regulation, the data processor is endowed with limited liability and responsibilities.

It is therefore straightforward to see why it is extremely important to define which entity holds which role, especially when keeping in mind the size of the sanctions that may apply in case of breach. However, as distributed ledger technologies are, by definition, decentralized, and therefore do not have one single data controller or responsible entity, it becomes really burdensome to ensure compliance with the regulation when such platform is put into place.

It shall be finally remarked, however, that it seems like the new general guidelines of the regulation would indicate distributed ledger technologies as data processors, therefore lowering its liabilities and barriers to implementation.

2. Right to be forgotten

The second and probably biggest challenge in the strive of distributed ledger technologies to achieve compliance with GDPR relates to the so-called right to be forgotten, defined in Articles 16 and 17 of the regulatory statement.

As mentioned in the above paragraphs, blockchain technology is created specifically with the purpose of being both immutable and immortal. In other words, blockchain makes it by definition extremely burdensome to modify or erase data previously registered on the chain. This is clearly in contrast with the European regulation, which mandates under Article 16 that the data subject shall obtain immediate ratification or erasure of incorrect or incomplete data by the data controller.

3. Data anonymity

Data anonymity is another huge issue, strongly interconnected with the previous one, that stems directly from the definition of personal data, which distributed ledger technologies are trying to solve in order to comply with legal requirements imposed by the GDPR.

GDPR poses that anonymous content can be exempted from GDPR regulation, but what does anonymous mean? Most, if not all, readers will probably be familiar with the concept of anonymity in blockchain, i.e. the entities of the sender(s) and recipient(s) of a transaction happening on a distributed ledger are hidden. Although DLT platforms identify users via public keys and not via names or document identity numbers, the said data nevertheless categorizes as personal data, as it has the potential of indirectly referring to physical individuals. This is why (most) blockchains define themselves as pseudonymous, not anonymous. However, although no final solution has been formulated to the problem yet, some tradeoff solutions are being considered, which may allow distributed ledger technologies to achieve anonymity and therefore obtain exemption from GDPR legal requirements. In this article, I will only mention a list of such methods, which will be described in further detail in the next articles.

• Zero Knowledge Proofs, like ZK-Snarks, ZK-Starks, and Bulletproofs
• Stealth addresses
• Homomorphic encryption
• State channels and ring signatures
• Addition of noise
• Chameleon hashes and editable blockchain
• Storage limitations
• Pruning
• Secure multi party computation
• Third party indirection service

Although the first option currently seems to be the closest possibility for distributed ledger technologies to legally achieve anonymity status and be granted exemption from GDPR legal requirements, it is most likely that the outcome of the 2019–2020 discussion will output a solution based on a multitude of different factors.

Despite the fact that anonymity may seem an appealing solution for distributed ledger technologies, it shall be reminded that the same topic gives rise to a different set of compliance issues, especially in relation to tax evasion laws or anti-terrorism legislation.

Conclusion

In conclusion, privacy, control and ownership over personal data are being increasingly recognized as underlying rights of individuals. Data subjects own their data and no legal or natural entity shall have the right to (ab)use them without explicit consent of the former entity. From this issue, regulatory prescriptions such as the GDPR in the European Union, active as of May 2018, or the SOX in the United States are arising.

On the other hand, during the past few years, blockchain has been increasingly studied and applied as a solution for obtaining the same goal as the above legal prescriptions, i.e. to ensure data protection and privacy of users.

However, such regulations are normally built to be technology neutral and do not consider the application of distributed ledger technologies from part of the data controllers to achieve data protection. This gives birth to a substantial regulation gap, which is at the time of writing at the core of the discussions in governments worldwide. What will happen is far from clear yet. However, the European Parliament foresees blockchain as a possible way to achieve GDPR compliance in the future, and this is first and foremost this due to the fact that blockchain users have control over their own data.

Your data is no longer about you. Your data is you.