Comment: Can GDPR and blockchain co-exist?
The EU’s General Data Protection Regulation (GDPR), due to be enforced on 25 May, implements new rights for people accessing the information companies hold about them and business obligations for better data management. GDPR defines personal data as “anything that relates to an identifiable, living individual whether it actually identifies them or makes them identifiable”. Luke Sayer asks if the two are in any way compatible.
We are continuously advising companies of the need to explain their data processing through applicable policies. How companies handle personal data will vary; the GDPR recognises this by creating distinctions between data controllers and data processors. A data controller is an entity that determines the purpose and manner that personal data is used. A data processor processes the data on behalf of the controller, i.e. obtaining, recording, adapting and holding personal data.
The GDPR aims to give individuals the right of control and power over who can access their data. One such right is the right to have inaccurate personal data rectified, blocked or destroyed where applicable. Further to this, individuals will have the right to be forgotten; their data transferred to another data storage provider, or deleted entirely.
Companies will be more accountable than ever for their handling of data, so how can the much-heralded blockchain technology assist.
Originally developed as the accounting method for the virtual currency Bitcoin, blockchains – which use what is known as distributed ledger technology (DLT) – are appearing in many commercial applications today. The technology is primarily used to verify transactions within digital currencies though it is possible to digitise, code and insert any document into the blockchain. This creates an indelible record that cannot be changed; furthermore, the record’s authenticity can be verified by the entire community (each a node, i.e. computer connected to the network) using the blockchain instead of a single centralised authority.
On a public blockchain, you can browse the complete history of all transactions. Each transaction will be linked to a public key, representing a particular user. Although that key is encrypted, it is possible to trace all transactions associated with a public key – specifically to ensure that the individual is associated with each transaction to avoid ‘double spending’ of an asset.
Under the comprehensive definition of personal data within the GDPR, it is possible that a public key associated with an individual will qualify. In theory, the public key might display information (maybe an IP address or connection with a website) that allows an individual to be identified via blockchain forensics. This is certainly not possible on all occasions but remains a valid concern when considering blockchain technology against the backdrop of the GDPR.
In summary, the two main features of the blockchain are: (i) information cannot be removed from the blockchain; and (ii) information transiting through the blockchain is visible to every node (subject to the public/private blockchain distinction below).
The difference between public and private blockchains
The sole distinction between public and private blockchains is related to participation in the network, execution of the consensus protocol and maintenance of the shared ledger. A public blockchain is accessible and anyone can participate in the network. Bitcoin is the best example of a public blockchain.
A private blockchain requires an invitation, with validation required by either the network starter or a set of rules implemented by them. Businesses that set up a private blockchain will generally set up a permissioned network, i.e. one that restricts participation in the network and in what transactions. Only entities participating in a particular transaction will have knowledge and access to it.
Right to erasure
Under the GDPR, the right to have personal data erased and to prevent processing is available where one of a number of grounds apply. These include, but are not limited to: (a) where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; (b) the data subject withdraws consent; and (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing.
The GDPR does not specify what the term “erasure of data” actually means; does it mean complete destruction of data or would encryption of the data rendering it incomprehensible be sufficient?
An obvious difficulty is how can personal data be deleted if stored on an immutable blockchain. In the view of Jan Philipp Albrecht, the member of the European Parliament who guided the GDPR through the legislative process, “This is where blockchain applications will run into problems and will probably not be GDPR compliant.” John Mathews, the chief finance officer for Bitnation, a project that aims to provide blockchain-based identity, governance services, and document storage, agrees, “From a blockchain point of view, the GDPR is already out of date. Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralised services controlling access rights to the user’s data, which is the opposite of what a permissioned blockchain does.”
While there are conflicts between GPDR and blockchain, for example the immutability of data on the blockchain, an analysis of the flexibility of blockchain technology suggests it can be compatible with the GDPR obligations.
1. Encryption – Public blockchains are run on encryption; a user has two keys: a public key to encrypt data and a private key to decrypt them. Public key encryption is very strong and users can only break through encryption with the ‘brute-force’ method; trying every possible secret key until you hit the right one. Theoretically, it would be possible for a company responsible for personal data to destroy private keys, thereby making decryption of the personal data impossible. Alternatively, the company can pass the responsibility of the private key to the data subject to use as they chose, i.e. handing back control to the data subject.
The United Kingdom’s Information Commissioner’s Office (ICO) has provided guidance stating that putting data beyond use satisfies the standards for data privacy in the UK’s Data Privacy Act (the current legislation) insofar as the data controller holding it: (a) cannot and will not attempt to use the personal data to inform any decision regarding an individual or in a manner that affects the individual in any way; (b) does not provide access to the personal data to organisations; (c) applies appropriate technical and organisational security to personal data; and (d) commits to permanent deletion of information when this becomes possible.
2. Off-chain databases – Mechanisms have been introduced whereby it is possible to store relevant data on a private encrypted database and only include a hash of personally identifiable information (PII) on the blockchain, serving as a reference point to an off-chain PII database. The hash, essentially the fingerprint of specific data, can be used to confirm that the data in the database has not been tampered with, but no actual identifiable data is present on the blockchain itself. The off-chain system can be set up to restrict access to the transaction details to authorised parties only. If data needs to be erased, the records in the database can be deleted, essentially leaving the immutable hash on the blockchain referencing a non-existent file.
Disadvantages to utilising ‘off-chain’ databases include the issue of ownership once data is stored off-chain. Realistically, the company that owns the database will be the data controller; the subject will no longer have all the encryption keys to administer their own data. Further, by spreading personal data to the guardianship of a company, individuals expose themselves to potential breaches and/or hacks of the private database. This raises the following questions:
– Is the ‘off-chain’ data encrypted?
– Where is it stored (inside or outside the EU)?
– Who can access the data?
– Who owns the data in the off-chain storage?
These are the very questions that need satisfactory answers once the GDPR is enforced.
3. Allow data to be stored and transferred in a peer-to-peer way, contrary to on the open blockchain. The idea is that the original owners of certain data can determine if only they should be storing the data, or if trusted nodes can store a copy as well. This approach has been implemented by a Swiss regulated company, Pikcio AG, through its private, permission-based blockchain, PikcioChain.
The proposed solution is that the blockchain only stores the hashes and validation of the data on a proprietary, private, permission-based blockchain. Data is sent to the blockchain and validator nodes validate the data and store a hash of this data on a permissioned blockchain. The data, or validator proof, can be offered on the PikcioChain data marketplace for (re)sale. This allows data that has been verified to not have to be re-verified, but maintain secure usage.
This approach can be applied to financial services businesses to allow them to meet their regulatory obligations in a streamlined process for both the client and the company. Individual users can trust the private blockchain to transmit their relevant data securely to companies they wish to do business with. They are even able to instruct third parties to send their personal details to other approved third parties per their wishes. Therefore, one bank can send approved client details to another bank that the client wishes to use for a loan, following permission given to the bank to do so. Ultimately, this should improve customer onboarding while reducing business costs. Storing the data on users’ devices, while the hashes are stored on a permissioned blockchain, makes this approach fully GDPR compliant.
The use of blockchain technology is becoming increasingly prevalent. The above solutions demonstrate that blockchain can be flexible, improving compliance with the GDPR (and other regulations). By putting hashes of personal data into the blockchain, rather than the data itself, the blockchain might manage to be very useful for verifying data while remaining GDPR compliant.
Luke Sayer is a senior associate at Carey Olsen in Guernsey, specialising in commercial litigation, compliance and financial regulatory matters.