Since its publication early in 2018, we hear a lot about the European data protection regulations (GDPR) REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 for the protection of natural persons with regard to the treatment of personal data and the free circulation of these data and by which Directive 95/46 / EC (General Data Protection Regulation), its acronym in English GDPR, is repealed.
Now, the key question is:
¿What elements should be taken into account in the processing of personal data, when we link with the use of Blockchain and Distributed Ledger (DLTs) technologies?
One of the main aspects of the Regulation is the possibility that the residents of a EU Member State now have, to exercise the well-known rights of Access to information, Rectification, Erasure (also known as the right of suppression or cancellation) and, more recently after the results of the infamous Costeja case at the European Court of Justice, the so-called right to be forgotten.
It is mandatory also, to face new European requirements in the limitation of treatment (what can the holder/responsible actually do with the collected data?), transparency and portability, which will determine an obligation of those responsible for managing the information. Or their delegates, to rectify or eliminate that personal data under a variety of circumstances.
We have to acknowledge the existence of a very relevant collision with the possible uses of the so-called blockchain technology, at the legal level, in terms of data protection.
Those who have been adopting and applying the blockchain technology will know that we are dealing here with the core that sustains the so-called cryptocurrencies. This new kind of assets saw its birth back in 2008, when they were presented to us in an almost miraculous way, by that immaterial entity, Satoshi Nakamoto, with the Bitcoin white paper. Since then, the use of this technology has only grown and helped the rise of a variety of figures, applications, records and even new identity management systems.
But there is a big problem that is not being taken into full consideration: the incompatibility of the DLTs with the current GDPR.
One of the key characteristics of the blockchain technology is that, in addition to working through a decentralized network of nodes, where each device connected to the network would act as such, it also works as a shared registry that does not stop growing and in which the information is shared and recorded on operations or fragments of any other type of data.
One of the main legal issues relates to the fact that, in practice, this registry operates as immutable; this is one of the pillars that supports the reasoning and widespread use of this type of technology.
For blockchain-based projects that need to store personal data, these two facts are not compatible at all, even more so if we put into perspective the sanctioning regime provided by the GDPR operates with fines of up to € 20 million or 4% of the global profit.
This is where the growing use of DLTs will cause serious problems and will probably mean that, in the development and execution phases, these projects are not compatible or cannot respect what is determined by the EU legislation.
Theoretically whenever we relate to a DLT, we are referring to a distributed network, backed by a concrete blockchain protocol, and with an immutable nature that directly collides with the GDPR. This determines that, as individuals, we must be able to eliminate any trace of our personal data, but not applicable, of course, to exceptions of concrete treatment without express consent of the individual listed in the current legislation.
However, it seems that recently an alternative way for eliminating information has been discovered:
Once the information has been recorded ¨on chain¨ through a procedure of “hashing” the content of a block (where a public key and a private key must also be created:(public / private keypair) and at the time of creation of the next block in our chain, repeating the same process of “hashing” the information, empowering the creator of the new block to delete or modify the content within it.
If so, we would find an ideal solution for the elimination of this personal data already recorded in the blockchain. Unfortunately we are talking about a path not yet proven, which would seriously endanger the sustainability of all so-called blockchain technologies, by breaking that principle of immutability of the information recorded in it.
Outside of this alternative solution, it is technically possible to rewrite the information once it has become part of our blockchain.
it is very important to differentiate between two different types of chains:
Private blockchain or Permitted blockchain, which will be subject to the control of a very limited group (for example, the Ripple blockchain that was designed to streamline payments between financial service providers ) as opposed to public blockchains, which are not actually under the control of any agent, as is the case with the Bitcoin or Ethereum networks.
Once the nature of our network, of our blockchain has been defined, we must then accept the possibility of rewriting the information contained in the blocks, but that will only be possible through a so-called “fork”. The ¨forking¨ process consists basically in creating a consensus of most nodes to create a new version of that blockchain that includes the changes and, later on, an agreement on continuing to use that version instead of the original one.
This would be relatively easy if we are dealing with a private blockchain, but when talking about a public chain we are faced with an extremely rare event.
From a blockchain point of view, the GDPR would not be updated since it seems that it is very difficult for this legislation to keep up with the current DLTs technological development. But this point of view is tremendously complicated to support since we are governed by a data protection regulation that has just been published (in general terms) and its application struggles to adapt it to the growing catalogue of new applications and projects that we find everyday.
As it is well known, the European regulation tends to be designed and enforced for long periods of time, before a possible revision is even raised. The previous data protection directive that touched on this matter, predecessor of the GDPR, is a regulation from 1995.
One of the most interesting points in relation to the GDPR and blockchain technology is that the regulations seem to have been designed for information storage services in the cloud.
Let’s take as an example that a small company that for the exercise of its activity needs to collect private data and store it in some online service such as “cloud” which at the same time is going to provide web hosting services through which our small business actually collects that customer data. There would be a hosting contract that would bind this company and the hosting provider, based on which responsibility would be transferred in relation to the privacy obligations that our small company initially had.
This scheme could work if we talk about cases in which there is only one provider, but it is infinitely complicated when we operate in a decentralized network, such as the blockchain, where it is impossible to formalize this contract with all the nodes of an Ethereum network or Bitcoin
We could then think about who would be responsible for the adequacy of the processing of personal data in a private blockchain. In this case, the answer would be simpler and we could frame as such the organization that was deploying it, but the equation becomes complicated when we try to determine who would be responsible if the information is recorded on a public or decentralized blockchain; in this case, one of the possible solutions would be to name as such, any user who makes personal data publicly available and would be responsible for ensuring compliance with the GDPR.
But not everything is panic in relation to this adaptation process to the current regulations. One of the solutions being considered to deal with this problem would be to create a “black list” system where certain data would see a kind of block when trying to be consulted, even if it had not been deleted from the block chain, it could not be consulted effectively.
Personally, I think that the most reasonable solution is to “hash”
those personal data that would like to be recorded on the blockchain, instead of including the data itself in it. By means of this hashing operation, what is done is to encrypt the information through mathematical formulas that, implemented correctly, would show the underlying content and that could be used to verify the, also, underlying information.
With this system of hashing the personal data, it would be possible to erase information from the blockchain without having to alter it and therefore, to be capable of respecting the foundations of the DLTs . In this way, this information could be included in the blockchain and at the same time, ensure compliance with the GDPR.
It is important to understand the correct recollection, management and storage of data within your project is key to be compliant with the current Data Privacy legislations.
In the EU framework´s case, we also recommend to take in deep consideration the range of applicability of this legislation that will extend its effects to data collectors non based in european territory.
The GDPR, understood as the archetypical Data Privacy legislation that has a strong influence over many other regulations such as the CCPA (California Consumer Privacy Act) in the U.S and the majority of legislative bodies in the Latin Americas. The EU law extends its applicability to the collected personal data of nationals of a EU member country, even when they are not currently located in european soil and defining territoriality as a key concept in the whole privacy equation.
This has enormous legal consequences due to the fact that any platform, project or individual who might be collecting, processing or storaging personal information from any EU national resident, would have to assure full compliance with heavy legal requirements in Data Privacy and its related obligations (consent management, data storage, security measures… etc.)