Can Blockchain Coexist With GDPR?

On May 25, 2018, a new privacy law came into force in Europe: the GDPR, or General Data Protection Regulation, which gives EU citizens control over who holds their personal data and what happens to it. It is the reason you are bombarded with pop-ups asking for permission to collect and process your personal data, the reason email newsletters ask whether you are still interested in them, and the reason many companies are suddenly making it easy to get a copy of the data they hold on you.

Companies around the world are working quickly to become GDPR compliant, because otherwise they risk hefty fines. Blockchain technology, however, is changing everything, so what happens when a blockchain contains personal data? The problem with data on a blockchain is that it is:

  1. Open
  2. Transparent
  3. Immutable: data stored on a blockchain cannot be changed or erased.

These properties are inherent to the technology and cannot be changed, and at the same time they are poorly suited to enforcing privacy.

Understanding the General Data Protection Regulation

Before we dive into GDPR compliance, let’s define some commonly used terms:

  1. Data controllers – Under EU law, the companies that store your data are known as data controllers. Common examples are Facebook, Google, Apple, etc.
  2. Data processors – Companies that work with your data in order to analyze it are known as data processors, for example Google Analytics, Moz Analytics, Socialblade, etc.

In most cases the data controller and the data processor are the same entity; however, the burden of complying with the GDPR falls on the data controller. Note also that the GDPR only applies when the personal data of EU citizens is involved: any company that stores information on EU citizens must follow the regulation, including Facebook or Apple.

EU law states that personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This is a broad definition: it essentially means that any data, such as an IP address, a Bitcoin wallet address, a credit card or any transaction, is personal data if it can be linked directly or indirectly to you.

The 3 articles of the GDPR that conflict with the properties of Blockchain

There are three articles in the GDPR, namely Articles 16, 17 and 18, that make life difficult for companies planning to use a distributed ledger network to conduct their business.

  1. Article 16: This article gives EU citizens the right to correct or change the data a data controller holds about them. Not only can you change the existing data they have about you, you can also add new data if you think the current data is inaccurate or incomplete. In a distributed network, adding new data is not a problem, but changing it is.
  2. Article 17: This article establishes the “right to be forgotten”. It is not possible to delete data from a blockchain, so a blockchain immediately conflicts with this article.
  3. Article 18: This article establishes the “right to restrict processing”, which essentially prevents companies from using your data if it is inaccurate or was collected illegally.

One of the main concerns with a blockchain is that it is completely open, so anyone can get a copy of the data and do whatever they want with it. You therefore have no control over who processes your data.

Possible solutions for coexistence!

Encryption – A popular proposal is to encrypt personal data before storing it on the distributed network, so that only those holding the decryption key can access the data. The moment this key is destroyed, the data becomes useless. This is considered acceptable in some countries, such as the UK; others argue that even strong encryption is still reversible in principle: with advances in computing, it is only a matter of time before the encryption can be broken and the personal data becomes available again. The encryption debate continues.

Permissioned blockchain – In a public chain, anyone can put new data into the chain and the data is visible for all to see. In a permissioned blockchain, by contrast, access is controlled and granted only to a few known and trusted parties. This allows a permissioned ledger to comply with Article 18. Unfortunately, it still does not comply with Article 17 and the right to be forgotten: even in a permissioned chain, the data remains immutable and cannot be deleted or edited. A possible solution is to store the data on a secure server with read and write access, and to store only a reference to that data on the blockchain in the form of a hash. Hash functions are commonly used to verify the integrity of files, so the on-chain hash lets us check that the data on our secure server has not been tampered with, and a hash cannot be reversed to reveal the data. If we delete the data on the server, the hash becomes useless and is no longer personal data.

This is not an elegant solution, because blockchains are used precisely because they are decentralized, and relying on a secure server re-centralizes the system.
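The off-chain data plus on-chain hash design described above, as an added example that is not code from the article: the record lives in a mutable store, the chain holds only a keyed hash of it, rectification appends a new commitment, and erasure deletes the record together with its salt. The `OffChainStore` and `Ledger` classes are assumed stand-ins for the secure server and the blockchain.

```python
import hashlib, hmac, json, os

def commitment(salt, data):
    # Keyed hash of the record: the per-record salt lives only off-chain, so once it
    # is deleted the on-chain digest cannot be matched against guessed inputs (emails,
    # names); a plain SHA-256 of such low-entropy personal data could be.
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

class OffChainStore:
    # Mutable, access-controlled server-side store (the article's "secure server").
    def __init__(self):
        self.records = {}  # record_id -> (salt, serialized personal data)

    def put(self, record_id, data):
        salt = os.urandom(16)
        blob = json.dumps(data, sort_keys=True).encode()
        self.records[record_id] = (salt, blob)
        return commitment(salt, blob)  # this digest is what goes on the chain

    def erase(self, record_id):
        self.records.pop(record_id, None)  # Article 17: data and salt are gone

class Ledger:
    # Append-only list standing in for the blockchain: entries are never removed.
    def __init__(self):
        self.entries = []

    def append(self, record_id, digest):
        self.entries.append({"record": record_id, "commitment": digest})

def verify(ledger, store, record_id):
    # True when the current off-chain record matches its latest on-chain commitment.
    history = [e for e in ledger.entries if e["record"] == record_id]
    if not history or record_id not in store.records:
        return False
    salt, blob = store.records[record_id]
    return hmac.compare_digest(commitment(salt, blob), history[-1]["commitment"])

def demo():
    # Constructed walkthrough: store, rectify (Article 16), erase (Article 17).
    store, ledger = OffChainStore(), Ledger()
    ledger.append("alice", store.put("alice", {"email": "alice@example.org", "age": 34}))
    ok_initial = verify(ledger, store, "alice")
    # Rectification: new version off-chain plus a new commitment appended on-chain
    ledger.append("alice", store.put("alice", {"email": "alice@example.org", "age": 35}))
    ok_rectified = verify(ledger, store, "alice")
    store.erase("alice")  # the digests stay on-chain but no longer identify anyone
    return ok_initial, ok_rectified, verify(ledger, store, "alice"), len(ledger.entries)
```

The salt is the practical caveat: a plain hash of an email address or a name can be recovered by hashing candidate inputs, which is why the on-chain value is keyed with a secret that is deleted along with the data.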

Zero-knowledge proof – A zero-knowledge protocol is a method by which one party (the prover) can demonstrate to another party (the verifier) that they know a value x without conveying any information other than the fact that they know x. This is well suited to checks such as age verification, where a data collector learns that you are old enough without being given your date of birth. Zero-knowledge proofs may be a possible solution for GDPR compliance even outside of blockchains.
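As an added illustration of the prover/verifier exchange just described (not code from the article), a Schnorr-style interactive proof that the prover knows the x behind a public value y = g^x, with the three messages in order. The group parameters are a constructed toy choice for readability, not a vetted production group.

```python
import secrets

# Toy group, constructed for illustration only: p = 2**255 - 19 is prime and we work
# in the multiplicative group modulo p with base g = 2. A real deployment would use a
# vetted prime-order group; the message flow is what this example is about.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents are reduced modulo the group order

def keygen():
    # Prover's secret x and the public value y = g^x that the verifier is given.
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)

def prover_commit():
    # Message 1 (prover -> verifier): t = g^r for a fresh random r, which stays private.
    r = secrets.randbelow(ORDER - 1) + 1
    return r, pow(G, r, P)

def verifier_challenge():
    # Message 2 (verifier -> prover): an unpredictable challenge c.
    return secrets.randbelow(ORDER)

def prover_respond(x, r, c):
    # Message 3 (prover -> verifier): s = r + c*x. The random r masks x, so s on its
    # own reveals nothing about x.
    return (r + c * x) % ORDER

def verifier_check(y, t, c, s):
    # Accept iff g^s == t * y^c, which holds exactly when s was built from the x behind y.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x, y, challenge=None):
    # Full exchange; the verifier ends up knowing only that the prover knows x.
    r, t = prover_commit()
    c = verifier_challenge() if challenge is None else challenge
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)
```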
