Blockchain and GDPR are an unstable mix. There may be hope, though…
Data Protection
As you are probably well aware, it was revealed that Facebook was at the center of one of the largest data breaches in modern times. Without going too much in to detail, Cambridge Analytica had unlawfully gained access to the personal data of between 30 million and 87 million Facebook users. The data harvested could be used to develop in-depth psychographic maps. Just by scanning your online activity, the information collected by Facebook can build a somewhat sinister profile of you that quite accurately portrays your intellect, political affiliations, and even sexual tendencies.
We do not know precisely what data the app shared with Cambridge Analytica or exactly how many people were impacted.
— Source: Facebook via The Guardian
As this scandal occurred just months before the official adoption of the Europenan Union’s General Data Protection Regulation (GDPR), major corporations around the world are being jolted into activity. The new regulation becomes enforced on May 25th, 2018, and threatens non-compliant companies with a hefty fine.
GDPR has a few major themes:
- Companies trying to share data with third parties will need explicit consent from users.
- Users have the right to know what personal data is stored about them, what the company uses it for; in the event of a data breach, the company has 72 hours to inform the users.
- Users have the right to ask that their personal data is deleted from the companies servers AND that the company be able to prove it within 48 hours.
Failing to meet these standards can result in the company being liable to pay fines of up to 4% of the companies annual turnover, or 20 million Euros, whichever is higher.
GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
— Source: EUGDPR.org
Awkward…
Admittedly, GDPR comes into play at an ideal, yet awkward timing. Data breaches, identity theft, personal information abuse — these things advocate for modern and all-encompassing data protection regulation. Unfortunately, “all-encompassing” does not quite extend to blockchains working with personal data.
Recently, we have seen an explosion in developments for blockchain startups, as well as corporations seeking to invest in blockchain solutions. Sadly, one of the huge issues that these companies will face remains that blockchains are generally not GDPR compliant.
One critique of GDPR is that article 4 which covers GDPR definitions fails to define what the regulation means in terms of “erasure of data”. Computer programming looks at persistent storage (for traditional systems) as the ability to “CRUD” or Create, Read, Update, Destroy. However, with blockchain, data is immutable, meaning that data cannot be changed or destroyed once it is entered.
As you can imagine, this presents an enormous issue for GDPR, as one of the main areas of regulation is the right to terminated data. Moreover, the shared nature of a blockchain means that every node in the network will have a copy of the ledger — it’s virtually impossible to guarantee that every copy of the data is destroyed if that is one’s wish.
As programming looks to persistent storage as CRUD, it too can look to blockchain coding as “CRAB” or Create, Retrieve, Append, Burn. Append refers to the ability to add additional data to the end of a block, which is stored indefinitely as part of the chain. Burn refers to the ability of the individual to destroy the encryption codes which give access to the data. However, as the data is technically not destroyed, and as there is no definition of “erasure of data” from GDPR at this stage, we must conclude that burning encryption codes is insufficient and therefore non-compliant.
Already now, it is clear that GDPR needs to be reviewed and updated to contend with blockchain technology. GDPR addresses issues in systems where centralization is the main theme — which is simply not the case with decentralized, permissionless ledgers.
“I can’t see the regulators being so stubborn as to not adjust the regulation. … They’ll just see the other countries will use the technology and Europe is at a disadvantage.”
— Jutta Steiner, Parity.io
Best (or worst) of both worlds
There are some theoretical methods on how potential “workarounds” can make blockchains GDPR-compliant when it comes to personal data, but in the end, they take away key elements of why we use blockchain in the first place. I refer to one such method elaborated upon by TheLedger, where they give a much more in-depth explanation — we recommend you check it out.
Storing personal data “off-chain” in and adding a reference to the data on-chain.
Ultimately, this increases complexity in retrieving the data. It is, however, GDPR-compliant, as you can delete the data off-chain and render the on-chain references useless.
However, by storing the data off-chain, you reduce the transparency of who accessed the data and what they may have done with it. Enhanced trust and transparency is pretty much what blockchain technology is all about. Additionally, as the data lies in an off-chain ledger owned by a company (presumably), the data ownership benefits of blockchain are nullified.
The aforementioned article brings up weakened security: “Each company has its own infrastructure and application landscape. By spreading the personal data over these different companies, the risk increases for a potential breach where part of this personal information can be stolen.” Not only is this adding security risks and attack vectors, but this added complexity also increases the risk of errors and system flaws.
However, not-storing the personal data itself on blockchain does not need to be a bad thing. The concept of ‘self sovereign identity’ is getting more traction nowadays. The blockchain-part is then used as some sort of access control layer. This could be an new interesting take on the matter.
— Source: Andries Van Humbeeck
To sum up
In conclusion, we feel that GDPR needs to review and update its terms to define situations where blockchain technology is used. It’s unlikely that GDPR will simply deem blockchain technology unsuited for personal data storage; it will ultimately result in Europe falling behind in technological development. For companies seeking to store or enhance personal data by means of blockchain, the quick fix may be to store the data off-chain and use blockchain as an access layer.
For more insights into the future of blockchain, please visit ARYZE’s blog and website.