Can blockchain’s immutability survive GDPR’s right to be forgotten?  

Profile picture for user jbowles By Jerry Bowles May 8, 2018
The conflicts between the GDPR and the technical realities of blockchains raise major legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU citizens.

The GDPR establishes a uniform data privacy law across the EU based on the assumption that data privacy is a fundamental human right.  Companies do not need to have an office in the EU or even set foot in the EU to be subject to the GDPR. The regulations apply to any type of business, wherever it is located, that either: (1) offers goods or services in the EU; or (2) monitors the behavior of EU citizens. If your company offers its services in the EU and has personal information about residents of the EU, it is subject to the GDPR.

In significant ways, the GDPR is a reaction, or correction, to the emergence of the American-led “global surveillance economy” that puts information transactions at its core. Big data is big business. Facebook is hardly the only or even the biggest transgressor. It is inevitable that information mined for its commercial value will also fall into the hands of bad actors.

The GDPR aims to restore some balance by giving individuals the right of control and power over who can access their personal data.  Among its most important protections are:

  • the right to be “forgotten,” which means the erasure of personal data when the personal data is no longer needed for the purpose for which it was collected, when the individual withdraws consent, or when continued processing of the data is unlawful;
  • the right to require correction of incorrect data; and
  • the right to restrict processing when the data accuracy is contested, when processing is no longer necessary, or when the individual objects.

Personal data is defined broadly and includes any information relating to an identified or identifiable natural person. Under current EU legal interpretations, this includes encrypted or hashed personal data as well as public cryptographic keys that can be tied to a private individual.

The penalties for failing to comply with the GDPR are draconian, including fines of up to the greater of €20 million or four percent of a company’s annual worldwide revenue.

What’s the problem with blockchain?

The GDPR was developed for a world where data is centrally collected, stored, and processed. In order to protect the use of personal data, identifiable data controllers and processors are responsible for who accesses the personal data, where and to whom it is transferred, and by whom it is accessed.  Tom Cox and Andrew Solomon from the international law firm Kingsley Napley write:

The GDPR was designed using the assumptions that custodians of data would continue to be centralised entities. However, technologies such as blockchain are facilitating a move towards a decentralised model of data management. In spite of the dramatic changes taking place, regulators appear to be taking a ‘wait and see’ approach before considering how best to address the challenges of the future.

The key distinguishing features of blockchains is that they are decentralized and immutable. For users of conventional databases, altering and or erasing specific bits of information is easy. If the actual personal data is embedded within the blockchain, how can you delete it?   Entrepreneur Matt Baxter-Reynolds wrote:

The blockchain, however, is an entirely different form of database. You can’t physically remove the records without regenerating the blockchain again from that point — and the principle of a blockchain expressly prevents you from doing that. You could have transactions further down the chain that annotates or marks suspect data, but the base data will still remain. An individual can still suffer damage because the data exists in some form. Essentially, you cannot “delete” from the blockchain in the same way that you can from virtually any other sort of database.

Workarounds, anyone?

Blockchain comes in two flavors--public and private.  A public blockchain, like that which powers Bitcoin, is accessible and anyone can participate in the network.  A private blockchain requires an invitation, with validation required by either the network founder or adherence to a set of rules implemented by them.

Businesses that set up a private blockchain will generally set up a permissioned network--one that restricts participation in the network and what transactions are permitted.  Private blockchains are subject to the same GDPR rules but compliance is easier because there are usually fewer participants and they are known to each other. The fact that private blockchains are permissioned implies compliance but it is not a done deal.

One potential solution to the GDPR compliance problem might be to store all personal data off of the blockchain in separate “off-chain” databases.  R3 researchers Neepa Patel and Kevin Rutter wrote:

The GDPR introduces a new concept called “pseudonymization,” which means separating data from direct identifiers so that linkage to a specific identity is not possible without additional information that is held separately. There are several techniques such as salted hash algorithms and data masking that constitute as acceptable pseudonymization methods that are highly recommended in the regulation.

A Swiss regulated company, Pikcio AG, has offered another idea through its private, permission-based blockchain, PikcioChain. The proposed solution is that the blockchain stores only the hashes and validation of the data on a proprietary, private, permission-based blockchain.

Data is sent to the blockchain and validator nodes validate the data and store a hash of this data on a permissioned blockchain. The data, or validator proof, can be offered on the PikcioChain data marketplace for resale. This allows data that has been verified to not have to be reverified but maintain secure usage.

My Take

The EU has been a huge supporter and promoter of blockchain technology over the past year so it seems unlikely it will it will allow the inherent conflicts between GDPR and blockchain to kill what it perceives to be a huge economic development opportunity for its members.  More likely, regulators will wait and see what specific problems arise once the law is enacted and what innovations the always creative blockchain proponents come up with.