Blockchain GDPR Paradox: Is it a Rising Conflict Between Law and Technology?


Since GDPR became enforceable on 25 May 2018, there has been a growing debate among tech experts about how it will affect blockchain, currently one of the fastest-developing technologies in the world. In fact, the debate is less about whether the two conflict and more about how to build blockchains that are GDPR compliant, or at least how to work around the parts that are not.

GDPR is a law that protects personal data and gives individuals more control over how their data is used on digital platforms. Blockchain, on the other hand, is a technology for building an immutable, replicated transaction ledger.

So why is there a debate, and what is the connection between blockchain and GDPR? The issue is that the General Data Protection Regulation, once you read it, contradicts the core design of a blockchain.

For example, GDPR gives every individual the right to have their personal data corrected or deleted. A blockchain, on the other hand, is an immutable ledger: every node holds a full copy of the data, on a public chain anyone can read it, and nothing can be edited or deleted once it has been written.

[Infographic: Blockchain GDPR Paradox Explained]

What is GDPR?

GDPR, the General Data Protection Regulation, is a law adopted by the European Union (EU). Its main purpose is to protect the personal data of individuals in the EU (the "data subjects", regardless of their citizenship).

The law gives certain rights to the users, which include:

  • The right to be forgotten
  • The right to data portability
  • The right to access the data held about you
  • The right to have companies correct or update the data about you (rectification)

The law shifts control over personal data back to the person it belongs to, rather than the company that holds it. Companies can still process personal data, but only on a lawful basis, for a stated purpose, and subject to the rights listed above.

According to industry experts, GDPR will have a significant impact on the tech industry. The IAPP (International Association of Privacy Professionals) estimates that it will create more than 75,000 Data Protection Officer (DPO) positions.

The same report estimates that larger companies, such as the Fortune 500, will spend around USD 8 billion in total to make their businesses GDPR compliant.

What does this mean? That tech companies are taking it seriously and want to comply with the law. The EU can impose heavy fines for non-compliance: up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

However, is it possible for these companies to use blockchain and remain compliant with the GDPR?

We will explore the answer in the next sections.

Note: Although GDPR is an EU law, it is not limited to EU-based companies. Any company that offers goods or services to, or monitors the behaviour of, people in the EU falls within its scope, wherever that company is established.

Why Do GDPR and Blockchain Contradict Each Other? The Blockchain GDPR Paradox

Blockchain means an immutable ledger, and an immutable ledger is a record that cannot be changed. GDPR, however, gives individuals the right to have their personal data corrected or erased. That is what we call the "conflict" or "contradiction".

This is exactly why there is so much debate about the effects of GDPR on blockchain, and whether GDPR will be a serious hurdle to its rapid growth.

One thing to keep in mind: when GDPR was first drafted back in 2012, it was designed with social networks and cloud services in view, to make sure users have control over the use of their personal data on those platforms.

This means blockchain was not a primary target of the new law. However, as soon as a blockchain stores personal data, including a transaction history that can be linked to a person (even through a public key or a hash of an identifier, which GDPR treats as pseudonymised rather than anonymous data), it falls within the scope of GDPR.

This may force companies to re-evaluate whether the blockchain they plan to adopt in the near future complies with GDPR.

The issue is, even if a certain blockchain is found to contradict the law, who is the "controller" that the data protection authorities will hold responsible in a purely decentralized system, where no single party operates the nodes?

This makes the connection between GDPR and blockchain a little tricky.

Can GDPR Stop Blockchain from Going Mainstream?

Well, this is the subject of fierce debate nowadays. However, blockchain users do not have to worry too much. The more popular opinion is that blockchain can actually help companies comply with GDPR.

This is because the purpose of GDPR is to make companies and tech giants handle user data in a more transparent and structured way, and transparency of data is exactly what blockchain offers.

In fact, GDPR and blockchain have more in common than that: both the technology and the law aim to take control of data away from a single central party.

However, there are still lots of ifs and buts, with many issues that are open to legal debate.

Can GDPR stop blockchain from going mainstream? It looks highly unlikely. Blockchain technology is still evolving, and the chances are it will evolve around GDPR.

People are already working on methods that help blockchain avoid a direct conflict with data protection rights; we will discuss them in detail in a later section.

However, while there are many optimists in the tech industry who believe blockchain will find its way around GDPR, there are also some pessimists.

For example, David Gerard, a well-known writer on blockchain technologies, claims that blockchain can no longer be used for personal data under GDPR.

Fortunately, Gerard's view is not the popular one. Most tech experts agree that blockchain needs new approaches, different applications, and new components that can help it comply with GDPR.

Blockchain And the Right to be Forgotten

GDPR and blockchain go hand in hand when it comes to structuring users' personal data in a better way. However, there is one fundamental conflict between the two: the right to be forgotten.

This right under GDPR allows users to ask organizations to delete all of their personal data. Blockchain, however, is immutable: you cannot edit or delete information once it has been added to the chain.

Tech experts believe there are several solutions to this issue.

First, a blockchain can store each user's personal data only in encrypted form. When the user asks for deletion, destroying the encryption key makes the ciphertext unreadable. In the case of a blockchain, inaccessibility is the closest thing to deletion available: the bytes remain on every node, but they can no longer be turned back into personal data.

Some experts treat this as equivalent to deletion, drawing a parallel with how the UK's Data Protection Act has been applied. However, it remains open to legal debate, and it carries technical caveats: the ciphertext stays on every node forever, so the guarantee is only as strong as the cipher and the assurance that no copy of the key survives in backups, logs or key-management exports. Quantum computing is often cited as a risk here, but it mainly threatens public-key schemes such as RSA and elliptic-curve cryptography; a symmetric cipher with a 256-bit key, which is what the data itself should be encrypted with, is not meaningfully weakened by it.

Is it Possible to Delete Data from an Open Blockchain?

In theory, yes. In practice, the data is replicated on so many machines (nodes) that it is almost impossible to get every one of them to delete it, and every node independently checks that the chain it holds has not been altered. This is exactly why we call it an "immutable ledger".

Also, each block contains the hash of the block before it. If you change or delete data in one block, its hash changes, the next block's pointer no longer matches, and every honest node will reject the modified chain as invalid.

However, there is also the process of "forking". In this method, the nodes agree to move to a new version of the chain. The data is removed from the earlier block, which breaks the hash pointers between that block and every block after it; the blocks from that point onward are then re-hashed and re-linked. Every node then has to replace its copy of those blocks with the new version, and any node that keeps the old copy still holds the original data. This coordinated move to a new version of the chain is what is meant by forking here.
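To make the hash-pointer and forking argument concrete, here is an added example (written for this edit, not code from the original article or from 101 Blockchains) of a toy hash-linked chain with a trivial proof-of-work. It shows that overwriting a field in place leaves a chain every node rejects, and that erasing it by forking requires re-linking and re-mining every later block, so the cost grows with the number of blocks after the one being erased. The record layout, the two-hex-zero difficulty, and the function names are assumptions made for the example.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64
DIFFICULTY = 2  # toy proof-of-work: a valid block hash must start with this many hex zeros (assumption)


def block_hash(block):
    """SHA-256 over the block's canonical JSON (everything except the stored hash itself)."""
    payload = {k: block[k] for k in ("index", "prev_hash", "nonce", "data")}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def mine(block):
    """Search for a nonce meeting DIFFICULTY; stores block['hash'] and returns the attempts used."""
    block["nonce"] = 0
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block["nonce"] + 1
        block["nonce"] += 1


def build_chain(records):
    """Append each record as a new block whose prev_hash commits to the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        block = {"index": i, "prev_hash": prev, "data": dict(data)}
        mine(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """What every node checks: stored hash matches content, pointer matches predecessor, work is valid."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block)
        if block["prev_hash"] != prev or digest != block["hash"] or not digest.startswith("0" * DIFFICULTY):
            return False
        prev = digest
    return True


def copy_chain(chain):
    """Deep enough copy so that edits to the copy never touch the original (a lagging node's view)."""
    return [dict(b, data=dict(b["data"])) for b in chain]


def erase_in_place(chain, index, field):
    """Naive 'deletion': overwrite a field but leave the hashes alone. Produces a chain nodes reject."""
    tampered = copy_chain(chain)
    tampered[index]["data"][field] = "[erased]"
    return tampered


def erase_and_fork(chain, index, field):
    """Hard-fork style erasure: overwrite the field, then re-link and re-mine every later block.
    Returns (new_chain, total_mining_attempts); every node must adopt all blocks from `index` on."""
    forked = copy_chain(chain)
    forked[index]["data"][field] = "[erased]"
    prev, work = forked[index]["prev_hash"], 0
    for block in forked[index:]:
        block["prev_hash"] = prev
        work += mine(block)
        prev = block["hash"]
    return forked, work


if __name__ == "__main__":
    # Constructed sample records: a tiny ledger that (unwisely) wrote an e-mail address on-chain.
    records = [
        {"tx": "genesis", "email": "ops@example.com"},
        {"tx": "signup", "email": "alice@example.com"},
        {"tx": "payment", "amount": 10},
        {"tx": "payment", "amount": 5},
    ]
    chain = build_chain(records)
    print("original chain valid:", verify_chain(chain))
    print("after in-place erase valid:", verify_chain(erase_in_place(chain, 1, "email")))
    forked, work = erase_and_fork(chain, 1, "email")
    print("after fork valid:", verify_chain(forked),
          "| blocks rewritten:", len(forked) - 1, "| mining attempts:", work)
```

Block 0 keeps its hash after the fork, because nothing before the erased block changes; every block from the erased one onward gets a new hash, and on a real proof-of-work chain each of those would have to be mined at full network difficulty. The original `chain` object is left untouched on purpose: it stands for any node that never adopts the fork and therefore still holds the personal data.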

This is feasible, and relatively easy, in a closed system with a limited number of known nodes where the data is held. On an open system, it is nearly impossible to reach every node. Also, on a public proof-of-work blockchain, every block after the edited one has to be mined again, which makes the process far more expensive. This is not the case with a private blockchain.

However, this makes many people question the decentralized nature of blockchain, since a private blockchain is effectively centralized. Although this is true, it is still among the best available options for deleting personal data from a blockchain.

Blockchain GDPR Compliance

In its current popular form, blockchain is not GDPR compliant. Information stored on an open network is practically impossible to delete, which means you cannot give users the right to have their information deleted or edited.

Many people believe that using a blockchain that stores only fully anonymized data is the best way to avoid the conflict with GDPR. Two caveats apply. First, data is only "anonymous" in GDPR's sense if nobody can link it back to a person any more; hashed identifiers or public keys that a business can still tie to a customer are pseudonymous data and remain in scope. Second, blockchains with fully anonymous customers are mostly useless for businesses.

Businesses also have to keep records of their customers' identities under EU anti-money-laundering (AML) rules, which impose know-your-customer (KYC) obligations.

You can also read about how blockchain adapts to KYC and AML in one of our previous articles.

However, experts believe that creating a private blockchain instead of an open one can make it GDPR compliant. A private or permissioned system, also called a closed system, does not let anyone run a node: the data lives only on machines operated by known, accountable parties. That makes it possible to identify a controller and to coordinate the deletion of information on someone's request.

Blockchain GDPR Solutions

We have already discussed one solution above: making data inaccessible can meet the GDPR requirement. When someone wants their data deleted, make it inaccessible by destroying the encryption key.

In this case, the blockchain stores only the encrypted entry (ciphertext), with the key kept off the blockchain, ideally one key per user or per record so that burning it affects only that person's data. Whenever someone asks for deletion, you destroy the key, which makes the data inaccessible.

Many tech experts call this process CRAB, as an alternative to the traditional database term CRUD, which stands for Create, Read, Update, Delete: the four operations of a conventional database.

CRAB stands for Create, Retrieve, Append, Burn. Instead of updating a record in place you append a new version, and instead of deleting you burn the encryption key. This way, you "burn" the information rather than deleting it.

There are more innovative solutions as well to resolve blockchain GDPR conflict.

Another solution is to keep the personal data "off the chain" instead of "on the chain", and to store on the chain only a reference such as a salted hash of the record. The personal data then sits in a conventional store that can be edited and deleted, while the chain keeps its immutable audit trail. Since on-chain information is replicated across the open network, deleting or editing it directly is almost impossible, so anything that may ever need to be erased should never be written there in the first place.
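The CRAB pattern and the off-chain pattern above, as an added example (not code from the original article or from 101 Blockchains): ciphertext on an append-only ledger with per-record keys held off-chain, so that "burn" deletes only the key, alongside an off-chain record anchored by a salted hash. It also shows the caveat a practitioner would check: an unsalted hash of a guessable value such as an e-mail address is recoverable by dictionary search, so it is pseudonymous, not anonymous. The in-memory stores, the record identifiers and the SHA-256-based toy stream cipher are assumptions made for the example; production code would use AES-GCM or ChaCha20-Poly1305 from a real library.

```python
import hashlib
import secrets

# Constructed in-memory stores for this example (assumption). In a deployment the ledger is the
# chain, and KEYSTORE / OFFCHAIN would be an HSM, a KMS or a database under the controller's control.
LEDGER = []     # append-only: entries are never modified or removed
KEYSTORE = {}   # off-chain: record_id -> 32-byte key; deletable
OFFCHAIN = {}   # off-chain: record_id -> (salt, plaintext); deletable


def _stream_xor(key, nonce, data):
    """Toy counter-mode stream cipher built from SHA-256 so the example runs with the standard
    library only (assumption). Use AES-GCM or ChaCha20-Poly1305 from a real library in production."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _latest(record_id, kind):
    """Newest ledger entry of the given kind ('ciphertext' or 'commitment') for a record, if any."""
    entries = [e for e in LEDGER if e["record"] == record_id and kind in e]
    return entries[-1] if entries else None


# --- CRAB: Create, Retrieve, Append, Burn (ciphertext on-chain, key off-chain) ---

def create(record_id, plaintext):
    """Create: generate a per-record key, keep it off-chain, write only ciphertext on-chain."""
    KEYSTORE[record_id] = secrets.token_bytes(32)
    return append(record_id, plaintext)


def append(record_id, plaintext):
    """Append: a 'change' is a new ciphertext entry under a fresh nonce; older entries stay in place."""
    nonce = secrets.token_bytes(16)
    ciphertext = _stream_xor(KEYSTORE[record_id], nonce, plaintext)
    LEDGER.append({"record": record_id, "nonce": nonce, "ciphertext": ciphertext})
    return len(LEDGER) - 1


def retrieve(record_id):
    """Retrieve: decrypt the newest entry, or return None once the key has been burned."""
    key = KEYSTORE.get(record_id)
    entry = _latest(record_id, "ciphertext")
    if key is None or entry is None:
        return None
    return _stream_xor(key, entry["nonce"], entry["ciphertext"])


def burn(record_id):
    """Burn: erase the key. The ciphertext remains on every node but can no longer be decrypted."""
    KEYSTORE.pop(record_id, None)


# --- Off-chain data with an on-chain commitment ---

def commit_offchain(record_id, plaintext, salt=None):
    """Keep the personal data off-chain; anchor only a salted hash on-chain so it can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(16)
    OFFCHAIN[record_id] = (salt, plaintext)
    LEDGER.append({"record": record_id, "commitment": hashlib.sha256(salt + plaintext).hexdigest()})
    return len(LEDGER) - 1


def verify_offchain(record_id):
    """True if the off-chain copy still matches the on-chain commitment."""
    entry = _latest(record_id, "commitment")
    if record_id not in OFFCHAIN or entry is None:
        return False
    salt, plaintext = OFFCHAIN[record_id]
    return entry["commitment"] == hashlib.sha256(salt + plaintext).hexdigest()


def delete_offchain(record_id):
    """Erasure: drop the data and its salt; the on-chain hash stays but no longer identifies anyone."""
    OFFCHAIN.pop(record_id, None)


def guess_commitment(commitment, candidates, salt=b""):
    """Dictionary attack on a commitment. Succeeds when the salt is absent (or leaked) and the data
    is guessable, which is why an unsalted hash of an e-mail address is not anonymous data."""
    for candidate in candidates:
        if hashlib.sha256(salt + candidate).hexdigest() == commitment:
            return candidate
    return None


if __name__ == "__main__":
    create("user-42", b"alice@example.com")                      # constructed sample data
    append("user-42", b"alice.smith@example.com")
    print("retrieve:", retrieve("user-42"))
    burn("user-42")
    print("after burn:", retrieve("user-42"), "| ledger entries kept:", len(LEDGER))
    commit_offchain("user-7", b"bob@example.com")
    print("off-chain verifies:", verify_offchain("user-7"))
    delete_offchain("user-7")
    print("off-chain verifies after erasure:", verify_offchain("user-7"))
    i = commit_offchain("user-8", b"bob@example.com", salt=b"")   # the mistake: no salt
    print("unsalted hash recovered as:",
          guess_commitment(LEDGER[i]["commitment"], [b"eve@example.com", b"bob@example.com"]))
```

Two design points matter for the legal argument. Burning is only meaningful if the key was never shared across records, so the example keys each record separately, and the nonce stored on-chain is public by design; only the key is secret. For the off-chain variant, the random salt is deleted together with the data, which is what stops the leftover on-chain hash from being matched against a list of known e-mail addresses afterwards.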

We have also discussed another solution: a closed blockchain. In a closed or permissioned blockchain, the information is stored on local machines or rented cloud storage controlled by known parties, so it is comparatively easier to delete personal data on a user's request using the forking method described above.

The Final Words

GDPR and blockchain both bring benefits for end users, and both aim at data protection. However, the right to be forgotten under GDPR puts the new law in direct conflict with blockchain technology.

The good news is that there are ways to keep blockchain GDPR compliant. All we need is creative thinking, an innovative approach, and new applications that avoid conflict with GDPR. A closed blockchain is a good way to ensure compliance, but such blockchains are not very useful for large-scale business applications.

To develop open blockchains, which are more useful for businesses, experts are working on more out-of-the-box solutions, such as binding network rules, that may make open blockchain networks GDPR compliant.

However, a lot is still unclear and needs legal debate. Companies that are now hesitant to use blockchain for fear of GDPR need a more concrete solution. Tech experts, business managers, and lawyers need to sit together to find a way to overcome the legal challenges blockchain now faces.

Some More Resources:

https://thenextweb.com/contributors/2018/06/09/week-two-of-gdpr-were-still-not-ready/

https://thenextweb.com/syndication/2018/07/26/gdpr-blockchain-cryptocurrency/

https://www.ibm.com/blogs/blockchain/2018/05/five-considerations-for-blockchain-applied-to-data-privacy-and-gdpr/


About Author

Just is a born geek who loves tweaking his computer and gadgets for effectiveness and productivity. He seems to have a greater interest in blockchains, which makes him perfect for sharing his new discoveries on 101 Blockchains.

2 Comments

  1. Nice paper and good points stated.
    But there are other solutions for “conflict” between GDPR and blockchain. All experts, especially tech experts forget that core of privacy protection of personal data is consent (of the respondent). So, when you publish your data in a blockchain, which is public, consent is given. That’s the rule since privacy of personal data was first mentioned. From that point, encrypted or not, data in blockchain is public and there’s no violation of GDPR.

    • Bruno, you seem to assume compliance stops at Consent. Consent can be withdrawn at any time unless there is a legitimate ‘Balanced’ or ‘Legal’ basis for refusing. If it can’t then it is violating GDPR and any associated legislation.
