Blockchain can be reconciled with GDPR requirements
The European Union’s GDPR directive has clear consequences for public blockchain-based databases, which are famous for their immutability and public access. With some thought put towards the issue, a Nordic Blockchain Association analysis shows it is possible to reconcile blockchain development and GDPR.
The primary conflict between blockchain and GDPR lies on the fault line between the GDPR-stated right to be forgotten and the central principle of data immutability on the blockchain. These are foundational struggles between basic qualities of legislation favoring personal freedom and basic principles of blockchain integrity.
However, concepts like off-chain data storage and automatic on-chain sharing-requests are already in development to meet these immediate challenges. Blockchain is still in its infancy and as the technology matures so too will its full potential come to fruition with distributed ledger technologies and smart contracts forming a version of data-sharing where individual citizens become the masters of their own data, with the authority to give or withhold permission to use their personal data.
Eventually, growth in quantum computing will challenge the cryptographic integrity of the systems, and it will be essential to scale the technology accordingly. No matter what, data protection and ownership are going to be important subjects in future debate on blockchain, but perhaps less urgent than the recent round of compliance updates suggested – evident in Denmark by a relatively relaxed stance on compliance testing by authorities at the moment.
Below you can find the Nordic Blockchain Association’s internal analysis of possibilities for reconciling GDPR and blockchain, as well as future development perspectives. This analysis is authored by Tony Song.
The hot topic of today is data protection, led at the helm by the EU General Data Protection Regulation (“GDPR”) or regulation (EU) 2016/679 entering into force on 25 May 2018. In combination with the wider trend of greater emphasis on data protection standards worldwide, individuals are now more than ever acutely aware of the importance of their data. Data by nature is borderless, and has evolved into a valuable asset with a key role in the global digital economy and companies have leveraged this to their advantage. In response, the GDPR has emerged to enact stricter regulation on data processing in an attempt to return control of personal data back to the individual.
The impact of the legislation and dialogue in the mainstream media today has largely revolved around large corporations with substantive data processing activities such as Google, Facebook and Amazon, whilst discussion of blockchain technology has largely been glossed over with shallow or vague analysis. This is understandable to an extent, as the legislation’s focus was always on centralised data storage systems such as cloud services and social networks rather than decentralised immutable public blockchains. The regulation was first proposed in 2012, and it is doubtful that many of the regulators, if any, had blockchain on their minds or even knew of the technology during the drafting process. This gap of consideration is at the core of the issues between the GDPR and blockchain: whilst a data processor’s central management can be regulated, the public blockchain as a decentralised protocol raises some substantial challenges that have largely been left unanswered. In the wake, mainstream media has prophesied the demise of blockchain and innovation under the GDPR from incompatibility. This article seeks to dispel much of the fear, uncertainty and doubt that the GDPR spells the end of blockchain technology by attempting a deeper examination of the specifics of the regulation and the potential practical outcomes that may arise in interpretation, enforcement and eventual direction of their coexistence. Before we dive in, some context on what the GDPR is will be helpful.
What is the GDPR?
The GDPR generally aims to protect privacy rights and give greater control over personal data of natural persons residing in the EU. It does so with procedural and organisational obligations for ‘data processors’ to protect the rights of ‘data subjects’ requiring that companies divulge the reason and purpose for data processing and storage; act on a legal basis, and inform customers/employees of their rights.
However, contrary to popular understanding, the legislation’s substantive content is nothing new and most of the rules have been applied for the better part of 30 years; the GDPR is merely the latest iteration that harmonises previous regulation. The brunt of today’s attention has been on the GDPR’s addition of fines, being up to €20 million or up to 4% of the annual worldwide turnover of the company to signify a stick over carrot approach. These fines significantly broaden the legislation’s transnational scope for compliance, as multinational companies located outside the EU will need to adhere to the legislation if they want to operate or conduct business with EU data subjects. Now as legislation with real teeth, it has been posited non-compliance spells difficulties for blockchain because the technology may inherently clash with the privacy-protecting principles of the GDPR.
Blockchain and the GDPR
Blockchain is an ‘append only’ system, meaning it is only possible to add new data to the ledger – giving it its core function of immutability. However, several concerns have emerged that the technology itself might inherently clash with the new rules.
The first issue relates to lawful data processing and the right to erasure. Whilst personal data processing may be lawful when consent is given, a challenge arises when that consent is withdrawn and the right to data erasure is invoked. As a ledger, blockchain stores the history and validity of transactions in an unalterable and undeletable state.
Further, the GDPR champions the principle of accuracy, and the right to rectification, requiring that every reasonable step be taken to ensure that personal data be accurate and up to date. Thus there must exist a way to modify or alter the stored information.
Third, personal data must be kept in its identifiable form for data subjects for ‘no longer than is necessary for the purposes for which the personal data are processed’. The challenge, like the first issue, is the need for a method of future removal when the purpose of collection has expired.
Finally, privacy and confidentiality standards require personal data be processed with appropriate security, including protection against unauthorised or unlawful access. The challenge is that all node participants in a blockchain network have access to the data stored therein, regardless of the consent of the data subject.
While on the face of it these hurdles are enough to dissuade businesses from pursuing blockchain projects, upon closer inspection it is entirely possible to reconcile the GDPR with blockchain systems. First, it should be noted that the above issues are related to public, decentralised blockchains, whilst private permissioned blockchains are effectively the same as private database systems. Businesses are mainly interested in private blockchains, where information is confined to internal databases, and thus for many corporations the GDPR does not present any substantively new issues. It is only public open blockchains that require redress and specific analysis.
Public Blockchains and Off-chain storage
In the case of public blockchains, various solutions have been discussed, but what has emerged as the industry standard solution is to simply avoid having personal data stored on the blockchain at all, and instead to have it on an ‘off-chain’ data store with only its evidence (its cryptographic hash) on the chain.
Through using trusted hardware and blockchains to store data off-chain, no identifiable data lies on the actual blockchain and only references to that data lie on the chain. This would be the ‘hash’ – an encrypted digest of data which is only accessible with a hash key, but can be used to confirm that the data in the database has not been tampered with. The blockchain then determines who can access the data, and deletion and alteration are possible. The trade-off is the loss of the utility and functionality of the network, but this may be necessary for certain businesses who prefer regulatory certainty and peace of mind over convenience.
This solution has already been adopted by a number of blockchain companies, most recently by iExec, a blockchain-based cloud computing company that just announced a partnership with Intel to start collaboration on privacy-preserving off-chain computing. Using iExec’s decentralised cloud and Intel SGX technology (the only current technology that can protect data in use through hardware-based server security) it will be possible to allow users to run the application in a fully decentralised way while preserving the privacy of the processed data.
Similarly, Enigma is also a decentralised cloud platform that allows individuals to verify transactions while private/proprietary data is conducted through Enigma’s nodes off-chain, leveraging the public blockchain’s trust whilst guaranteeing privacy by not revealing data to other parties. This multiparty computation also has the dual benefit of insulating against hackers, who have traditionally been a key weakness for distributed cloud technology (Dropbox Hack 2016).
These two examples demonstrate a clear way for blockchain technology to be GDPR compliant, resolving the purported issues of the regulation.
The next issue is the deletion of data that exists on the blockchain. What it means to delete data is not defined in the Act. Where a definition is absent, legal convention generally looks to a literal interpretation and reading of the word. This would suggest that the data would need to be physically destroyed or erased in such a way that it is completely irretrievable. For greater clarity however, it is possible to look to the context of the regulation, including surrounding definitions.
Personal data is defined as any information relating to an identified or identifiable natural person. In order for data to fall outside the scope of the legislation, the personal data must be converted into non-personal data, which means that they are anonymised such that it is impossible to identify the holder of the data. It is arguable that a hash meets this requirement, as through the process of hashing, data is transferred one way so that it cannot be reverse-engineered into its original state. Preliminary research suggests that a hash is an acceptable form of personal data, as it is generally admissible that personal data can be sent online in encrypted form; but official legal confirmation is still necessary.
So long as personal data is encrypted before it is written onto the blockchain, it is possible that destroying the key renders the data unreadable. Deleting the hash key is known as cryptographic data deletion because while the data may still exist across offline databases, it cannot be accessed without the correct key. Whilst this would remove any access to the data, because the data may still technically exist on the blockchain, it is not, by definition, permanently deleted. Whether destruction of the key meets the legal requisite for the GDPR is a legal question yet to be worked out. Experts have suggested that this should ‘probably suffice so long as the destruction is done in accordance with best practices and in an auditable way’ (Bambara & Allen, 2018: 81). Courts will likely recognise these regulations are new, and much will depend on their interpretation; in the absence of clear guidance and a consistent standard for best practice, it is likely some leniency would be exercised. At the very least though, companies should simply ensure they have plausible deniability: documenting the process and showing that the company has made its best reasonable efforts to follow the regulation is likely adequate to fashion a defence against any contention of breach of the Act.
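The off-chain storage pattern and the key destruction described above, as an added example (not code from this analysis or from any project it names). It assumes the "hash key" is a random per-record secret used for an HMAC-SHA256 digest; `Ledger`, `OffChainStore`, `commit` and `linkable` are hypothetical names. It goes one step beyond the text by also checking whether someone who holds only the chain can match a digest against guessed values.

```python
import hashlib
import hmac
import secrets


def commit(key, data):
    """Keyed digest (HMAC-SHA256): the only value that goes on-chain."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Ledger:
    """Append-only, hash-chained list standing in for a public chain."""
    def __init__(self):
        self.blocks = []  # (prev_block_hash, record_id, commitment)

    def block_hash(self, i):
        return hashlib.sha256("|".join(self.blocks[i]).encode()).hexdigest()

    def append(self, record_id, commitment):
        prev = self.block_hash(-1) if self.blocks else "0" * 64
        self.blocks.append((prev, record_id, commitment))

    def latest(self, record_id):
        for _, rid, commitment in reversed(self.blocks):
            if rid == record_id:
                return commitment
        return None


class OffChainStore:
    """Mutable store holding the personal data and the per-record keys."""
    def __init__(self, ledger):
        self.ledger = ledger
        self.rows = {}  # record_id -> (key, data)

    def put(self, record_id, data):
        """Create or rectify a record; the chain only gains a new entry."""
        key = secrets.token_bytes(32)  # fresh secret for every version
        self.rows[record_id] = (key, data)
        self.ledger.append(record_id, commit(key, data))

    def verify(self, record_id):
        """True/False: off-chain copy matches the chain. None: erased."""
        if record_id not in self.rows:
            return None
        key, data = self.rows[record_id]
        return hmac.compare_digest(commit(key, data), self.ledger.latest(record_id))

    def erase(self, record_id):
        """Erasure request: drop data and key; the on-chain digest remains."""
        self.rows.pop(record_id, None)


def linkable(commitment, guesses, key=None):
    """Can a chain reader match a digest to a guessed value? Unkeyed if no key."""
    digests = (commit(key, g) if key else hashlib.sha256(g).hexdigest() for g in guesses)
    return any(hmac.compare_digest(d, commitment) for d in digests)


if __name__ == "__main__":
    store = OffChainStore(Ledger())
    store.put("subject-1", b"alice@example.com")  # constructed sample value
    store.erase("subject-1")
    print(store.verify("subject-1"), len(store.ledger.blocks))  # None 1
```

Rectification appends a new commitment rather than editing an old block, and after `erase` the remaining on-chain digest can no longer be checked against any candidate value because the key is gone.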
What about in Denmark?
In a similar vein to what was outlined above, in Denmark, it is speculated that the Danish Data Protection Agency will look at the rules already in place, consider whether you as a firm have tried, put thought into and documented the assessment to form an arguable basis that you’ve endeavoured to comply, and make a decision accordingly. It is generally accepted that the Agency will not jump straight to issuing the fines (at least not the maximum amount) unless there is blatant disregard for the Regulation.
Leveraging Blockchain for the GDPR
Despite the supposed clash in theory of technology and concept, blockchain and GDPR actually share many goals – decentralising data control to temper the power inequality between centralised service providers and end users. Blockchains are secure by design and through their distributed nature are a system of high Byzantine fault tolerance. In fact, an IBM whitepaper argues that blockchain itself can be used as a solution to the GDPR under their shared principles of self-sovereign data.
It first does so through the ability to automate compliance checks, assisting in keeping records of accordance with the GDPR through automation and smart contracts. Analogous to how Everledger Ltd. uses blockchain to track the provenance of high-value goods such as diamonds, a similar concept could be used to manage controller agreements with a documented chain of contract terms that trigger workflows upon a non-compliance event. Through smart contracts, individuals no longer have to trust centralised services; data rights can be managed exclusively via the blockchain and trusted hardware, and by users themselves, returning control and privacy. Further, a way to reverse the smart contract can be coded in to ensure compliance with the right to erasure or for when alteration is needed.
What issues remain?
The above analysis seeks to offer reassurance about the compatibility between blockchain and the GDPR; however, some issues do remain that require further discussion and work.
Quantum Computing & Scalability
Blockchain will need to be kept up to standard in terms of its scalability, as it is important to consider the potential state of encryption in 20 years, when quantum computers may be able to crack into these key-less data caches through brute strength and computing power that does not exist currently. This data will still be available as all transactions are stored on the blockchain. Blockchain will need to apply its updates to its security retrospectively, or alternatively should turn to off-chain storage as the safest solution.
Responsibility of Storage
There is also an unresolved issue of the assignment of legal liability on the blockchain. Data protection legislation assumes that we allocate responsibility to the people who are using the data, and that the controller or processor of the data must decide the means and purposes of using such data. In a blockchain setting, since most will potentially use public blockchain data, they correspondingly will be controllers of data. In the event of fraud, is it the protocol that is running the blockchain/DAO or is it the miner who processes from that specific entity that invigilators will summon? A decentralised app (Dapp) launched on a public blockchain such as Ethereum, for example, would see shared information gathering on citizens, and automated decisions being made based on that data. However, behind the Dapp there is no clear data controller – being decentralised means no CEO or board of directors to hold accountable, no bank account to freeze and no clear authority to take action against. Simply banning the blockchain is unlikely to be effective as public blockchains are borderless, unless there is absolute global regulation (which is practically impossible too). More time is needed to clarify and find a workable solution to these issues, and the answer will not be clear until it reaches the courts.
It is a common trend for wide-ranging, impactful legislation of the like of the GDPR to follow a pendulum pattern of adoption, understanding and administrative review. As time progresses, clarity will follow and the legislation will become more and more workable, answering with certainty the many questions that currently proliferate the landscape. Right now, many of the potential answers rely on speculation, and whilst this ambiguity may be daunting, when you take a step back and examine the bigger picture what you see is actually quite encouraging. Despite the GDPR, overall the EU has chosen to adopt a ‘smart regulatory hands-off approach’ to blockchain (Yeoh, 2017) with the EU Parliament in 2017 first instigating two initiatives – 1) the Virtual Currency Task Force and 2) the inclusion of virtual currency exchanges within the ambit of the European Anti-Money Laundering Directive. Neither of these implies the creation of a new regulator, and thus they reflect an approach of precautionary monitoring over pre-emptive and panicked regulation. This year of 2018 has been even more notable, with the establishment of the EU Blockchain Observatory and Forum in February 2018 and a 23-member pan-European Blockchain Partnership. Eva Kaili, Member of the European Parliament, has opined that in the ‘next few years we’ll have harmonisation, sandboxes and regulation’ but right now the most pressing matter for EU lawmakers is the lack of knowledge on blockchain (Coindesk, 2018). It is up to innovative individuals and communities such as ours to push forth and advocate wide adoption so that this society-changing technology can be utilised to its fullest potential. Despite the lack of education, the overall atmosphere is one of hopeful potential and the EU has already invested more than EUR 80 million in projects supporting the use of blockchain in technical and societal areas with a further EUR 300 million allocated by 2020 (European Commission, 2018).
On this macro-analysis, it is unlikely that the GDPR will live up to its representation in the mainstream media as the fearful spectre overshadowing blockchain innovation; on the contrary, the future looks very promising for peaceful co-existence.
1. The term used for corporate and public entities who store, process and use personal data.
2. The term used for individuals.
3. The GDPR replaces data protection regulation directive 95/46 CE.
4. GDPR Rec. 39; Art. 5(1)(e).
5. Medium. (2018). Intel and iExec Collaboration: Privacy-Preserving Offchain Computing. [online] Available at: https://medium.com/iex-ec/intel-and-iexec-collaboration-privacy-preserving-offchain-computing-198bd6799c36 [Accessed 4 Jun. 2018].
6. Bambara, Joseph J.; Allen, Paul R. (2018) ‘Blockchain. A practical guide to developing business, law, and technology solutions.’ New York: McGraw-Hill Education.
7. Peter Yeoh, (2017) ‘Regulatory issues in blockchain technology’, Journal of Financial Regulation and Compliance, Vol. 25 Issue: 2, pp.196-208.
8. European Parliament (2018). European countries join Blockchain Partnership. [online] Available at: https://ec.europa.eu/digital-single-market/en/news/european-countries-join-blockchain-partnership [Accessed 30 May 2018].
9. CoinDesk. (2018). EU, US Lawmakers Tout ‘Sandbox’ Approach for Blockchain Development – CoinDesk. 14 May 2018 [online] Available at: https://www.coindesk.com/us-eu-lawmakers-tout-sandbox-approach-for-blockchain-development/ [Accessed 30 May 2018].
10. European Commission (2018). European countries join Blockchain Partnership. 10 April 2018 [online] Available at: https://ec.europa.eu/digital-single-market/en/news/european-countries-join-blockchain-partnership [Accessed 30 May 2018].