Can Blockchain coexist with GDPR?

On May 25, 2018, a new privacy law came into force in Europe. The GDPR, or General Data Protection Regulation, gives EU citizens control over who controls their personal data and what happens to it. It is the reason why you are bombarded with pop-ups asking for your permission to collect and process your personal data. It’s the same reason email newsletters ask if you’re still interested in them and why many companies are suddenly making it easy to get a copy of the data they hold about you.

Companies around the world are working quickly to make sure they are GDPR compliant because otherwise they risk paying hefty fines. However, Blockchain technology is changing everything, so what happens when a blockchain contains personal data? The problem with data on blockchains is that it is:

1. open
2. Transparent
3. Immutable, that is. data stored on a blockchain cannot be changed or deleted.

These are properties of this technology that cannot be changed, and at the same time, it doesn’t look very good for privacy enforcement.

Understand the General Data Protection Regulation

Before we dive into GDPR compliance, let’s understand some commonly used terminology:

1. data controllers – Under EU law, the companies that store your data are known as data controllers. Common examples would be Facebook, Google, Apple, etc.
2. data processors – The companies that work with your data to analyze it are known as data processors. For example, Google Analytics, Moz Analytics, Socialblade, etc.

In most cases, the data controller and the data processor are the same entity; however, the burden of GDPR compliance rests with the data controller. Let’s also make a note here, that the GDPR is only in play when the personal data of EU citizens is involved. Any company that stores information of EU citizens must follow the regulation, including Facebook or Apple.

EU law states that personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological state , genetic, mental, economic, cultural or social identity of that natural person. This is a broad definition, which essentially means that any data, such as an IP address, Bitcoin wallet address, credit card or any exchange, if it can be directly or indirectly linked to you, can be defined as personal information.

The 3 GDPR Articles That Conflict With Blockchain Properties

There are three articles in GDPR namely articles 16, 17 and 18 that make life difficult for companies planning to use a distributed ledger network to conduct their business.

1. Section 16: This article of the GDPR allows EU citizens to correct or change the data that a data controller has about you. Not only can you change the existing data they have about you, but you can also add new data if you think the current data is inaccurate or incomplete. The problem is that, in a distributed network, adding new data is not a problem, but changing it is.
2. Section 17: This article refers to the “right to be forgotten”. It is not possible to delete data from a blockchain and therefore this article immediately conflicts with data protection regulations.
3. Section 18: This article refers to the “right to restrict processing”. Basically, this prevents companies from using your data if the data is inaccurate or illegally collected.

One of the main concerns of a blockchain is the fact that they are completely open, so anyone can get a copy of their data and do whatever they want with it. Therefore, you have no control over who is processing your data.

Possible solutions for coexistence!

encryption – A popular solution would be to encrypt personal data before storing it on a distributed network. Which means that only those with the decryption key have access to the data. The moment this key is destroyed, the data becomes useless. This is acceptable in some countries, such as the UK, however there are others who argue that strong encryption is still reversible. With advances in computing, it is only a matter of time before encryption can be cracked at faster speeds and personal data becomes available again. The debate about encryption is still going on.

Blockchain permission – In a public chain, anyone can put new data on the chain and the data is visible for all to see. However, in a permission blockchain, access is controlled and only granted to a few known and trusted parties. This makes the distributed network of permissions compliant with Article 18. But unfortunately, it is not compliant with Article 17 and the right to be forgotten. Even in a permission chain, the data remains immutable and cannot be deleted or edited. A possible solution to this would be to store the data on a secure server with read and write access. We then store a reference to that data on our blockchain via a link using a hash function. We can store this hash on the blockchain. Hash functions are popular for verifying the integrity of files on our secure server. Also, hash functions cannot be reverse engineered to reveal data. If we delete the data on the server, the hash function becomes useless and it no longer becomes personal data.

This is not an elegant solution because blockchains are used because they are decentralized, and by using a secure server, you go back to centralizing again.

Zero Knowledge Proof – The Zero-Knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) ​​that they know a value x, without conveying any information other than the fact that they know the value x. This is pretty perfect for verifying things like ages, for example, without revealing birthday information to data collectors. Zero-knowledge proof may be a potential solution to GDPR outside of blockchains.