The rapid rate of technological change and commercialization in using personal data is undermining end-user confidence and trust. Tensions are rising. Concerns about the misuse of personal data continue to grow. Also, a general public unease is mounting on what “they” know about us. Considering this European Union (EU) felt the need to introduce the General Data Protection Regulations (GDPR). This regulation aims to strengthen privacy and personal data protection in the EU, by giving private persons more control over their personal data. Also, it introduces a uniform set of regulations for businesses with customers in the EU region, with the risk of hefty fines in case of non-compliance. However, it seems that the lawmakers did not consider the technological advancements which although having similar objectives of data protection, work in a manner that may not be compliant with the regulations. The GDPR aims to harmonize data protection regulation for the EU member states and is stated to be technology-neutral to cover all digital processing of personal data. However, the regulation is based on the notion that data is stored and processed in a centralized system. This causes an issue when it comes to distributed networks, and in particular with the Distributed Ledger Technology (DLT), the underlying technology of blockchain.
The intersection of Blockchain and GDPR
The European Union’s General Data Protection Regulation (GDPR) became binding in May 2018. It is based on the 1995 Data Protection Directive. The GDPR’s objective is essentially two-fold. On the one hand, it seeks to facilitate the free movement of personal data between the EU’s various Member States. On the other hand, it establishes a framework of fundamental rights protection, based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The legal framework creates a number of obligations resting on data controllers, which are the entities determining the means and purposes of data processing. It also allocates a number of rights to data subjects – the natural persons to whom personal data relates – that can be enforced, vis-à-vis data controllers. The GDPR is requiring not only transparency into what companies will do with consumer data, but also mandating clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom, and for what purpose. GDPR thereby regulates the collection, processing, transfer, and retention of every EU citizen’s personal data, requiring companies to provide visibility and control to individuals, on-demand. Non-compliance with GDPR can result in heavy fines.
On the other hand, a blockchain is a shared and synchronized digital database that is maintained by a consensus algorithm and stored on multiple nodes (computers that store a local version of the database). Blockchains are designed to achieve resilience through replication, meaning that there are often many parties involved in the maintenance of these databases. Each node stores an integral copy of the database and can independently update the database. In such systems, data is collected, stored, and processed in a decentralized manner. Furthermore, blockchains are append-only ledgers to which data can be added but removed only in extraordinary circumstances. Blockchain is more than a simple financial platform that enables Bitcoin and cryptocurrency transactions; it is becoming the underlying layer of the future of the Internet, which creates a new wave of Decentralized Applications, called DApps, which will replace most of today’s centralized cloud Internet application. With Blockchain, businesses will experience a complete transformation of their current models by removing intermediaries, reducing costs, and improving the reliability of the Internet, and therefore enabling a new wave of decentralized services.
The implementation of GDPR was done at a time when the internet revolved around a web-centric centralized cloud-based interest. All GDPR data collection and processing for companies and individuals were considered based solely on this centralized cloud service model world. With the full introduction of P2P decentralized Internet technologies concepts around July 2017, which is the foundation of DLT/Blockchain, the GDPR model as it has been conceived is already outdated. This causes hindrances in the compliance of blockchain technology in a GDPR world.
At first glance, some GDPR provisions seem in direct conflict with the fundamentals of blockchain technology, and may even be intrinsically incompatible with what the new European privacy rules seek to uphold. For blockchain the most controversial GDPR mandate is the “Right to be forgotten”, giving individuals the right to request that their personal data be removed from a record. Because of its decentralized character with immutable blockchains, data, however, cannot be deleted. Blockchains are designed to last forever. That puts blockchain in direct opposition to the GDPR.
The tension between GDPR and Blockchain
The core functionality of blockchain technology is a nuanced system of data protection where everything is decentralized. There are multiple systems where an account is stored and this creates a decentralized ledger. This type of technology is implemented to store data in blocks, the information would be open to all and it would effectively allow people to view their data. Unique IDs are provided for each block created and any information once stored in that block would not be subject to customization. It is a known fact that in today’s day and age storing data is a cumbersome task. It eats a large chunk of any corporation’s revenues only for implementing an effective data storage mechanism. However, blockchain solves this problem. It is a secure mode to store data of all transactions made, as the data once stored cannot be deleted; it makes it a reliable means of data storage.
Keeping all this in mind, in a GDPR compliant world the co-existence of blockchain technology leads to a few issues. The first compliance issue which can be identified is how the GDPR has been initiated based on the idea that the storage of personal data has one dedicated data controller. Blockchain, on the other hand, is a distributed database, contributing to the decentralization of responsibility to all parties involved in the network. The second, according to Finck, is how the GDPR assumes data to be modifiable or erasable. Blockchain technology, on the other hand, depends on the ledger to be immutable. Furthermore, the distribution of data on a shared ledger opposes the purpose limitation, data minimization, and storage limitation principles stated in the GDPR. All of these divergences need to be considered when constructing a blockchain solution. Hence, the design process executed by blockchain architects becomes very important.
Solutions for a GDPR compliant Blockchain
Although the ideology behind GDPR and blockchain are very similar its co-existence is counterproductive. However, there are possible solutions for the two to work in tandem. There are a number of ways to mitigate the impact of GDPR on blockchain and enable blockchain companies to become (more) compliant for future coexistence with GDPR regulations.
Firstly, one potential solution is segregating the types of data stored on the chain. This is by storing all personally identifiable information in separate “off-chain” databases, and only has references and other information, along with a hash of this data in the blockchain. The corresponding hashes stored in the blockchain layer, serve as control pointers to the GDPR-sensitive data. Protocols can be built in such a way that makes it possible to completely erase data in the off-chain database, in compliance with GDPR requirements. So, when someone exercises their “right to be forgotten,” the personal data can be deleted, whereby the service provider erases the “linkability” of the blockchain hash pointer to the data located in distributed off-chain servers. This makes the referral information on the blockchain useless, without shattering the blockchain.
An alternative solution, already adopted by certain blockchain companies, is to keep personal information on the blockchain while making it impossible to access if the data subject demands that it will be deleted. This could be achieved by such means as encrypting all personal data with a key or hash that allows access to an individual’s information stored on the blockchain, and that could be revoked deleted on request or after some interval. In the event that a data subject would request his blockchain data to be erased, the key would be deleted. This would render their information unobtainable, and in effect, it would be lost in the blockchain.
It is well-established that data that has been encrypted or hashed still qualifies as personal data under EU law as it is merely pseudonymized, not irreversibly anonymized. Since throwing away your encryption keys is not the same as ‘erasure of data’, Existing GDPR rules prohibit from storing personal data on a blockchain level. Thereby losing the ability to enhance control of their own personal data. The challenge is that GDPR does not define what it means to “erase” data.
Another interesting solution for GDPR compliance is the use of pseudonymization techniques in combination with data stored off-chain. In order for data to be considered pseudonymous under GDPR, the data must “no longer be attributed to a specific data subject without the use of additional information”. Pseudonymization with pointers to personal data stored off-chain in a manner which allows the personal data to be destroyed and thus removes the link to the data on the chain and renders it anonymized may allow a user to remove all of their personal information from the chain, as required by the GDPR’s right to erasure.
There are however two opposite interpretations for the pseudonym linkage using blockchain relative to GDPR. The first one states that because data pseudonymization is accomplished in blockchain hashing, but not anonymization, the data linkage is no longer considered personal when it is established, and if this linkage is deleted, it also complies with GDPR.
The second – and opposite – interpretation is that pseudonymization, even with all cryptographic hashes, can still be linked back to the original personal data. Pseudonymous data, unlike anonymous data, therefore still allows for re-identification. While pseudonymization techniques make it more challenging for users to identify data subjects, it does not “scrub” all identifying personal information.
A key point in the borderland of the GDPR and blockchain technology is the permissioned blockchains. A permissioned blockchain is the one that allows certain actions to be performed by only certain identifiable participants. It is advised that permissioned blockchains should be favoured to resolve the issues of transparency, immutability, and roles that come with the GDPR. Such a permissioned blockchain proposes a management system based on the roles of user, controller, and processor, all separate nodes in a private network. The controller divides the data from the user and hashes the data which could be classified as personal data and put it into the blockchain as a hash. The actual data is stored on local databases connected to each node. Rectification and removal of data are then enabled by creating an updated hash on the chain in a consensus mechanism among the nodes participating. The hash kept on the chain is then not viable for the GDPR. The changes can be verified by cross-checking the hashes by each node, most importantly by the user node. This causes the system to be transparent in how data is used among the nodes and a user can also easily file a claim for compensation through a smart contract if data is not handled correctly.
There lies no uncertainty in the fact that blockchains are the future. It has the potential to bring an overhaul in the working of corporations and large scale industries. The investments these large corporations have to make on a daily basis for a data storage mechanism is immense. This can be brought down gradually by shifting towards the nuanced system of blockchain technology. However, its implementation causes regulatory issues as there are complex compliance measures that have to be tackled. Some of the intrinsic features of blockchain do not go well with the regulatory requirements imposed by GDPR. These issues are complex to deal with but not impossible. Keeping a structural system in place by tweaking the technology as per the factors such as the nature of blockchain or, the information processed on it. These issues can be complied with in a coherent manner. The permissioned blockchain is the most viable option for complying with the GDPR requirements. This model allows the organizing entities to establish a governance framework for the participants on the permissioned blockchains. Roles can be clearly defined, contractual provisions satisfying the requirements of GDPR can be put in place, and international data transfer can be implemented. This keeps the best interests of individual rights into consideration.
This article can be cited as:
Bluebook, 20th edn.: “Tushar Sinha, Sustainability of Blockchain Model with GDPR compliance, Metacept – InfoTech and IPR, accessible at https://metacept.com/sustainability-of-blockchain-model-with-gdpr-compliance/ ”
- Professor Xavier Sala-i-Martin, The Global Competitiveness Report 2011-2012, 2011 World Economic Forum, ISBN-13: 978-92-95044-74-6.
- Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms
- Carlo R.W De Meijer, Blockchain versus GDPR and who should adjust most, Finextra, accessible at https://www.finextra.com/blogposting/16102/blockchain-versus-gdpr-and-who-should-adjust-most
- Finck, M. (2019), Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law? Panel for the Future of Science and Technology, European Parliamentary Research Service. Brussels: Scientific Foresight Unit. accessible at https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf (2019-07-01).
- Claudio Lima, Ph.D., How Decentralized Blockchain Internet will Comply with GDPR Data Privacy, Blockchain-GDPR Privacy by Design. (Jun. 2018). accessible at https://blockchain.ieee.org/images/files/pdf/blockchain-gdpr-privacy-by-design.pdf
- Karin Melin, The GDPR Compliance of Blockchain, A qualitative study on regulating innovative technology, Uppsala Universitet. Oct. 2019. ISSN: 1650-8319, UPTEC STS 19046. accessible at http://uu.diva-portal.org/smash/record.jsf?pid=diva2%3A1370599&dswid=318
- Onik, M., Kim, C., Lee, N., Yang, J. (2019), Privacy-aware blockchain for personal data sharing and tracking, Open Computer Science, 9(1), pp. 80-91. accessible at https://doi.org/10.1515/comp-2019-0005 (2019-07-03).