On May 25th, 2018 a new privacy law took effect in Europe. The GDPR or General Data Protection Regulation, and it gives EU citizens control over who controls their personal data and over what happens with it. It’s the reason why you are bombarded with popups asking your permission to gather and process your personal data. It’s the same reason that e-mail newsletters ask you if you’re still interested in them and why a lot of companies are suddenly making it easier to grab a copy of the data they have on you.
Companies from all over the world are working quickly to make sure they are GDPR compliant because otherwise, they face the risk of paying heavy fines. However, Blockchain technology is changing everything so what happens when a blockchain contains personal data? The problem with the data on blockchains is that it is:
- Immutable ie. data stored on a blockchain cannot be changed or erased.
These are properties of this technology that cannot be changed and at the same time, doesn’t look very good for enforcing privacy.
Understanding the General Data Protection Regulation
Before we dive into the compliances of the GDPR let’s understand a few commonly used terminologies:
- Data Controllers – According to EU law, companies that store your data are known as data controllers. Common examples would be Facebook, Google, Apple etc.
- Data Processors – Companies that work with your data to analyze it are known as data processors. For example, Google Analytics, Moz Analytics, Socialblade etc.
In most cases, the Data controller and the Data processor is the same entity, however, the burden of complying with the GDPR lies with the Data controller. Let’s also make a note here, that the GDPR is only in play when the personal data of EU citizens are involved. Any company storing information of EU citizens have to follow the regulation, including Facebook or Apple.
EU law states that personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This is a broad definition, which essentially means any data such as an IP address, a Bitcoin wallet address, a credit card or any exchange, if it can be directly or indirectly linked to you, it can be defined as personal data.
The 3 GDPR Articles that conflict with Blockchain properties
There are three articles in GDPR namely Articles, 16,17 and 18 that make life difficult for companies that are planning to use a distributed ledger network for carrying out their business.
- Article 16: This article in the GDPR allows EU citizens to correct or change data a data controller has on you. Not only can you change existing data that they have on you but you can also add new data if you feel that the current data is inaccurate or incomplete. The problem is, in a distributed network, adding new data isn’t a problem but changing it – is.
- Article 17: This article refers to the “right to be forgotten”. It’s not possible to delete data from a blockchain and therefore this article immediately conflicts with the data protection regulation.
- Article 18: This article refers to the “right to restrict processing”. Basically, this prevents companies from using your data if the data is inaccurate or if it was illegally collected dark web bitcoin.
One of the major concerns ofa blockchain is the fact that they are completely open, so anyone can get a copy of your data and do anything they want with it. So, you don’t have any control over who is processing your data.
Possible solutions for co-existence!
Encryption – A popular solution would be to encrypt personal data before storing it on a distributed network. Which means, only those with the decryption key have access to the data. The moment this key is destroyed, the data becomes useless. This is acceptable in some countries such as the UK however, there are others who argue that strong encryption is still reversible. With advances in computing, it’s only a matter of time when encryption could be broken at faster rates and the personal data would be available again. The debate for encryption still rages on.
Permission Blockchains – In a public chain, anyone can put new data on the chain and the data is visible for everyone to see. However, in a permission blockchain, access is controlled and only given to a few known and trusted parties. This makes permission distributed network Article 18 compliant. But unfortunately, it doesn’t comply with Article 17, and the right to be forgotten. Even in a permission chain, the data is still immutable and cannot be deleted or edited. A possible solution to this would be to store the data on a secure server with read and write access. We then store a reference to that data on our blockchain via a link using a hash function. We can store this hash on the blockchain. Hash functions are popular for verifying the integrity of the files on our secure server. Also, hash functions cannot be reverse engineered to reveal data. If we delete the data on the server, the hash function becomes useless and is no longer becomes personal data.
This isn’t a elegant solution because blockchains are used because they are decentralized, and by using a secure server, you are back to centralizing again.
Zero Knowledge Proof – Zero-\ Knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. This is quite perfect for verifying things like age-gates for example without revealing birthday information with Data collectors. Zero knowledge proof may be a possible solution to GDPR outside of blockchains.