Data protection and privacy, among others, are two important reasons for the global enthusiasm around Blockchain and why the technology is transforming the way trusted, transparent, and traceable transactions occur across the Internet.
So it’s ironic that much of the initial reaction around Blockchain relative to the General Data Protection Regulation (GDPR) is that the technology is an ill fit for the new European Union directives intended to enhance the protection and privacy of consumer data. That reaction also happens to rest on a superficial and unhelpful mistaken assumption. A closer look at Blockchain’s underlying concepts and technologies reveals how the technology improves the fundamental aspects of data privacy and security specified in GDPR, depending on how the solution is designed to meet GDPR needs.
The fundamental challenge is adapting the new decentralized peer-to-peer Blockchain Internet technology for GDPR directives that are fundamentally predicated on the traditional centralized Internet approach.
Alternative Blockchain techniques allow for implementation oriented toward GDPR compliance. These techniques demand a thorough comprehension of Blockchain distributed ledger technologies (DLT), as well as their ecosystem. Blockchain’s identification management processes, such as the ones that store and process personally identifiable information (PII), are crucial in designing GDPR-compliant solutions.
One of the key principles of GDPR is Article 17's “Right to erasure” (or “right to be forgotten”). Based on this GDPR principle, whenever required, consumers can request that their personal information be erased by their data processors (or “controllers”).
However, due to the Blockchain "immutability of records" principle, any data contained in Blockchain transactions is virtually impossible to modify. Data is copied to peer-to-peer nodes, which function as distributed databases, or distributed ledgers, and are the main components of the Blockchain. The data that is added to a public, permission-less Blockchain is, indeed, there forever, and, technically speaking, such data, or other metadata, cannot be altered. Because of how Blockchain blocks and transactions are constructed, all of the information and records that are entered into the distributed ledgers are publicly visible, tamper-proof and immutable.
So, does this immutability of data transactions imprinted in the very fabric of the distributed ledgers render Blockchain inconsistent with GDPR Article 17? Not necessarily. Adoption of hybrid off-chain architectures for distributed data storage is one alternative approach to address this challenge. Other alternatives call for keeping PII within the user's devices, creating metadata and hashes of this PII, and referring back to this local data using third-party servers or the Blockchain layer itself. This creates different Blockchain-GDPR compliance levels.
To account for Article 17, then, one alternative is that all GDPR-sensitive information and data could be stored off-chain in distributed or cloud-based servers, with only the corresponding hashes stored in the Blockchain layer. In this way, the hashes serve as control pointers to the GDPR-sensitive data, which is stored off-chain. These control pointers are not the user data that GDPR seeks to protect but a pseudonymization of that original data. The other database storing the original data is not, in practice, subject to the issues regarding record immutability that Blockchain provides. For the sake of Article 17 compliance, then, the service provider can erase the “linkability” of the Blockchain hash pointer to the data located in distributed off-chain servers whenever required.
Perhaps the most interesting, and most controversial, article related to Blockchain’s applicability to GDPR is Article 25, “Data protection by design and by default,” which addresses pseudonymization techniques for consumers’ stored data.
Hashing is Blockchain’s pseudonymization technique, and there are two critical interpretations for the pseudonym linkage using Blockchain relative to Article 25. The first holds that because Blockchain hashing achieves pseudonymization, though not anonymization, the data linkage is no longer considered personal once it is established, and if this linkage is deleted, it also complies with Article 17. The second interpretation, however, is that pseudonymized data, even with all cryptographic hashes, can still be linked back to the original PII data. There still may, however, need to be some mathematical proof that a brute-force cyberattack on off-chain data linkage using hashing can compromise this assumption.
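The off-chain pointer pattern described under Article 17 and the linkage question raised under Article 25 can be seen side by side in a short Python sketch. This is an added example, not code from the article or from any Blockchain project: OffChainStore, keyed_pointer, plain_pointer and relinkable are hypothetical names, the "ledger" is an in-memory list, and the per-record HMAC key is one design choice the article does not prescribe.

```python
import hashlib
import hmac
import secrets

def plain_pointer(pii: str) -> str:
    """Unkeyed SHA-256 of the PII: anyone can recompute it from a guess."""
    return hashlib.sha256(pii.encode()).hexdigest()

def keyed_pointer(key: bytes, pii: str) -> str:
    """HMAC-SHA-256 under a per-record key that lives only off-chain."""
    return hmac.new(key, pii.encode(), hashlib.sha256).hexdigest()

class OffChainStore:
    """Hypothetical erasable store holding the PII and its per-record key."""
    def __init__(self):
        self._records = {}  # record_id -> (key, pii)

    def put(self, pii: str):
        record_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._records[record_id] = (key, pii)
        return record_id, keyed_pointer(key, pii)

    def resolve(self, record_id: str, pointer: str):
        """Return the PII only if the on-chain pointer still matches it."""
        rec = self._records.get(record_id)
        if rec and hmac.compare_digest(keyed_pointer(*rec), pointer):
            return rec[1]
        return None

    def erase(self, record_id: str) -> None:
        """Article 17 request: drop PII and key; the ledger is untouched."""
        self._records.pop(record_id, None)

def relinkable(pointer: str, guesses) -> bool:
    """Audit check: does hashing any guessed value reproduce the pointer?"""
    return any(hmac.compare_digest(plain_pointer(g), pointer) for g in guesses)

def demo():
    ledger = []                                # append-only stand-in for the chain
    pii = "alice@example.com"                  # constructed sample value
    guesses = ["bob@example.com", pii]         # constructed candidate list
    store = OffChainStore()
    rid, ptr = store.put(pii)
    ledger.append((rid, ptr))                  # keyed pointer goes on-chain
    ledger.append(("legacy", plain_pointer(pii)))  # unkeyed pointer, for contrast
    before = store.resolve(rid, ptr)
    store.erase(rid)                           # off-chain erasure only
    after = store.resolve(rid, ptr)
    return (before, after,
            relinkable(ledger[0][1], guesses), relinkable(ledger[1][1], guesses))

if __name__ == "__main__":
    print(demo())
```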
The conclusion that this discussion leads to is that this issue remains a moving target as Blockchain innovation is accelerating, just as GDPR is being implemented, and significant legal-technical battles lie ahead. GDPR regulation must adapt and come up to speed quickly on the ramifications, issues and opportunities of the next-generation decentralized Internet that Blockchain technology is enabling.
You can check out my more extensive explanation of these ideas and join the conversation at the IEEE Blockchain website.
Claudio Lima is Vice-Chair of the IEEE Blockchain Standard and Co-Founder of the BEC-Blockchain Engineering Council. He holds a Ph.D. in Electronic Engineering at UKC (England).