Will the EU’s coming GDPR data privacy regulations cancel out some of the benefits of blockchain, or will its distributed ledger bolster these new rules?
Will the European Union’s General Data Protection Regulation (GDPR) cancel out some of the prime advantages of blockchain or distributed ledger technology (DLT)? Or do blockchain and DLT actually provide some answers to the data privacy conundrums that accompany the May 25th activation of GDPR?
Perhaps a little of both, according to an analysis by Dejan Jovanovic, writing at the Hive Project site. On one level, blockchains can reinforce the need for individual privacy in online transactions. “In many ways, distributed ledger technology and the GDPR have several goals in common,” he says. “Unlike a traditional centralized database, DLT promises individuals more control over the disclosure of their personal data in the sense that they can freely decide the scope of the data disclosed and its recipients. DLT also mitigates many security risks regarding the sharing of personal information — such as identity theft.”
Some of the challenges and requirements involved in preparing blockchain or DLT networks for GDPR were also the subject of a recent paper prepared by researchers at the University of Zurich. The authors — Amos Madalin Neculau, Jessica Sudo, and Adam Baha — propose blockchain and torrent technologies as the foundation of a new decentralized platform that will help “provide safe and secure data storage and processing that grants users full control over their personal data.”
They said blockchain will “allow shared data to be encrypted and validated within the network, and the implementation of a Personal Certificate Authority allows users to limit data sharing with only select recipients” — which would be a GDPR-compliant path.
However, some blockchain or DLT arrangements may need to be rethought, Jovanovic continues. Any organization employing or exchanging data with European customers or partners is subject to the privacy rules embedded in GDPR. Thus, it is a source of concern for many organizations, because data flows across national boundaries and oceans as easily and quickly as it does between neighboring buildings. GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations approach data privacy.
To meet the requirements imposed by GDPR, blockchain or DLT proponents need to consider the following issues around data privacy:
Public nature of the blockchain: If the public key and the hashed transaction data that are part of a DLT “can be linked to an individual person, they both qualify as personal data and fall under the scope of the GDPR,” Jovanovic points out.
Immutability: The immutability aspect of DLTs clashes with the “right to be forgotten” that is at the heart of GDPR. “The most important characteristic of blockchain is the immutability of the data it stores — once data is on the blockchain, it cannot be removed or changed,” says Jovanovic. “This approach contrasts with the rights that data subjects now have under the GDPR, such as the right to be forgotten, to rectify, or to object.” While this can be addressed through a full migration of the blockchain, this will be an expensive and cumbersome effort.
The data controller and transfers of data to countries outside the EU: Blockchains and DLTs are built on nodes that are distributed across globe-spanning networks — the antithesis of GDPR, which is built on the idea of a central data controller. On the public blockchain, however, each node should contain a complete copy of the entire ledger and can, therefore, be deemed a controller of personal data under the meaning of the GDPR. This problem arises because nodes are, in essence, unable to comply with its requirements and can be located anywhere in the world.
Anonymization versus pseudonymization: Jovanovic recommends “either avoid storing personal data on the blockchain or keep the personal data completely anonymized.” However, with GDPR, “the threshold for data anonymization, in which data is no longer categorized as personal, is very high,” he cautions. “Encryption, hashing, and tokenization normally do not provide anonymization, only pseudonymization. Encrypted data can often still be traced back to a person if sufficient effort is invested in the task by experts or someone who holds the key to decryption.”
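The point about hashing being pseudonymization rather than anonymization can be checked directly. The following is an added example, not code from the article or from Jovanovic's analysis; the addresses, the key and all function names are constructed for illustration. It compares an unkeyed SHA-256 pseudonym with a keyed HMAC pseudonym on a small ledger and reports how many records stay linkable and who can trace them back to a person.

```python
import hashlib
import hmac

# Constructed sample data; the addresses and key are invented for this example.
KNOWN_CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
TRANSACTIONS = ["Alice@example.com", "bob@example.com", "alice@example.com "]
OFF_CHAIN_KEY = b"constructed-demo-key"

def normalise(identifier: str) -> bytes:
    return identifier.strip().lower().encode("utf-8")

def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(normalise(identifier)).hexdigest()

def keyed_hash(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256: recomputable only by a holder of the key."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()

def linkable_records(ledger: list[str]) -> int:
    """Count records that share a pseudonym with another record."""
    return sum(1 for value in ledger if ledger.count(value) > 1)

def traceable(ledger: list[str], candidates: list[str], pseudonymise) -> dict[str, str]:
    """Ledger values that map back to a candidate identifier by recomputation."""
    table = {pseudonymise(c): c for c in candidates}
    return {value: table[value] for value in set(ledger) if value in table}

def assess() -> dict[str, int]:
    plain_ledger = [plain_hash(t) for t in TRANSACTIONS]
    keyed_ledger = [keyed_hash(t, OFF_CHAIN_KEY) for t in TRANSACTIONS]
    wrong_key = b"not-the-key"
    return {
        # Both of one person's records carry the same value under either scheme.
        "plain_linkable": linkable_records(plain_ledger),
        "keyed_linkable": linkable_records(keyed_ledger),
        # Who can map ledger values back to a known identifier.
        "plain_traced_by_anyone": len(traceable(plain_ledger, KNOWN_CUSTOMERS, plain_hash)),
        "keyed_traced_without_key": len(traceable(
            keyed_ledger, KNOWN_CUSTOMERS, lambda c: keyed_hash(c, wrong_key))),
        "keyed_traced_by_key_holder": len(traceable(
            keyed_ledger, KNOWN_CUSTOMERS, lambda c: keyed_hash(c, OFF_CHAIN_KEY))),
    }

if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name}: {value}")
```

Neither scheme meets the anonymization threshold described above: the keyed variant only narrows the set of parties who can trace a record to those holding the key.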
Ultimately, for GDPR purposes, a user is considered “safe” when he or she “has power over the data shared on the platform,” Neculau and his co-authors state, cautioning that “this would be an ambitious goal to achieve.” In an era in which user trust in how companies and institutions handle their personal data is at an all-time low, GDPR-compliant steps may provide some restoration of confidence. Decentralizing data ownership using blockchain and torrent technology will help ensure that “every user will have a small chunk of the data, making it very difficult to hack and obtain personal information.”