Can Blockchain coexist with GDPR?

On May 25, 2018, a new privacy law came into force in Europe. The GDPR, or General Data Protection Regulation, gives EU citizens control over who controls their personal data and what happens to it. It is the reason why you are bombarded with pop-ups asking for your permission to collect and process your personal data. It’s the same reason why email newsletters ask if you’re still interested in them and why many companies are suddenly making it easy to get a copy of the data they hold about you.

Companies around the world are working quickly to make sure they are GDPR compliant because otherwise they risk hefty fines. However, Blockchain technology is changing everything, so what happens when a blockchain contains personal data? The problem with data on blockchains is that it is:

1. open
2. Transparent
3. Immutable, that is. data stored on a blockchain cannot be changed or erased.

These are properties of this technology that cannot be changed, and at the same time, it doesn’t look very good for privacy enforcement.

Understand the General Data Protection Regulation

Before we dive into GDPR compliance, let’s understand some commonly used terminology:

1. Data Controllers – Under EU law, the companies that store your data are known as data controllers. Common examples would be Facebook, Google, Apple, etc.
2. data processors – The companies that work with your data to analyze it are known as data processors. For example, Google Analytics, Moz Analytics, Socialblade, etc.

In most cases, the data controller and the data processor are the same entity; however, the burden of complying with the GDPR falls on the data controller. Let’s also make a note here, that the GDPR is only at stake when the personal data of EU citizens is involved. Any company that stores information from EU citizens must follow the regulation, including Facebook or Apple.

EU law states that personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This is a broad definition, which essentially means that any data such as an IP address, Bitcoin wallet address, credit card or any exchange, if it can be directly or indirectly linked to you, can be defined as personal information.

The 3 GDPR articles that conflict with Blockchain properties

There are three articles in GDPR, namely articles 16, 17 and 18 that make life difficult for companies that plan to use a distributed ledger network to conduct their business.

1. Section 16: This GDPR article allows EU citizens to correct or change data that a data controller holds about you. Not only can you change the existing data they hold about you, but you can also add new data if you believe the current data is inaccurate or incomplete. The problem is that, in a distributed network, adding new data is not a problem, but changing it is.
2. Section 17: This article refers to the “right to be forgotten”. It is not possible to remove data from a blockchain and therefore this article immediately conflicts with data protection regulations.
3. Section 18: This article refers to the “right to restrict processing”. Basically, this prevents companies from using your data if the data is inaccurate or was collected illegally.

One of the main concerns of a blockchain is the fact that they are completely open, so anyone can get a copy of your data and do whatever they want with it. Therefore, you do not have any control over who is processing your data.

Possible solutions for coexistence!

encryption – A popular solution would be to encrypt personal data before storing it on a distributed network. Which means that only those with the decryption key have access to the data. The moment this key is destroyed, the data becomes useless. This is acceptable in some countries, such as the UK, however there are others who argue that strong encryption is still reversible. With advances in computing, it’s only a matter of time before encryption can be cracked at faster speeds and personal data becomes available again. The encryption debate is still going on.

Blockchain permission – In a public chain, anyone can put new data into the chain, and the data is visible for all to see. However, in a permissions blockchain, access is controlled and only granted to a few known and trusted parties. This makes the distributed permissions network compliant with Article 18. But unfortunately, it does not comply with Article 17 and the right to be forgotten. Even in a permissions chain, the data remains immutable and cannot be deleted or edited. A possible solution to this would be to store the data on a secure server with read and write access. We then store a reference to that data on our blockchain through a link using a hash function. We can store this hash on the blockchain. Hash functions are popular for verifying the integrity of files on our secure server. Also, hash functions cannot be reverse engineered to reveal data. If we delete the data on the server, the hash function becomes useless and it no longer becomes personal data.

This is not an elegant solution because blockchains are used because they are decentralized, and by using a secure server, you centralize again.

Zero Knowledge Proof – The Zero-Knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) ​​that they know a value x, without passing any information other than the fact that they know the value x. This is pretty perfect for checking things like ages, for example, without revealing birthday information to data collectors. Zero-knowledge proof may be a potential solution to the GDPR outside of blockchain.