When Blockchain Meets GDPR – A Thorny Technical Challenge

Not a day goes by that I don’t see an article pop up about GDPR and blockchain, but rarely do I see them come up in the same context, so I thought I’d write one.

Here is the question: can a company use blockchain to manage transactional records with people and not run afoul of GDPR regulators? As of today, it appears that the answer is probably not.

Understanding GDPR

On May 25, 2018, the European Union (“the EU”) ushered in the Global Data Protection Regulation (GDPR). The GDPR is the culmination of decades of work by the European community, work that focused on developing a comprehensive omnibus regulation to protect and enforce the privacy rights of European citizens. In Europe, privacy is considered a human right, while in the U.S. and other countries and regions it is considered a sectoral, social, or commercial right.

Under GDPR, European citizens have a range of rights when it comes to being able to control their data. They can exercise their rights against any company, anywhere in the world, that has collected their personal information. It is important that companies figure GDPR out. If enough citizens contact a company to exercise their rights and the company fails to comply with the requests, or if the EU finds a company out of compliance with the regulations, the company may be at risk of being fined 4% of global revenues or €20,000,000, whichever is higher.

Under GDPR, European citizens have the right to:

  1. Transparency (Article 12): organizations must, in plain language, explain how they are processing and using an individual’s data.
  2. Access & Notification (Articles 13, 14, 15, 19): organizations must give people the right to access their data, including notifying them about data processing, transmission, etc.
  3. Rectification (Article 16): the individual will have the right to have any omissions or errors in their data corrected.
  4. Erasure (Article 17): also known as the “right to be forgotten,” individuals will have the right to ask that their data be erased from corporate databases; organizations must comply, as long as the organization does not have other legal or regulatory reasons for maintaining the data and it is not in the public interest to retain it.
  5. Restriction (Article 18): the individual can restrict an organization from using their data if the accuracy of the data is in question, processing is unlawful, the data is no longer needed, or the individual’s objection to the data use stands.
  6. Portability (Article 20): individuals can request digital records of their personal data; companies must provide individuals a copy of their data in a commonly accessible digital format, like a spreadsheet or PDF file.
  7. Objection (Articles 21, 22): individuals can object to their personal data being processed and to any decision that may have been made from the automated processing of their data.

Understanding Blockchain

To understand blockchain, it is important to understand what blockchain is intended to accomplish. The blockchain is a computing method designed to securely decentralize the anonymous control of non-repudiable transactional records, records whose authenticity cannot be challenged, across the Internet. That is, it is designed to remove reliance on a centralized authority, like a bank or an automated bouncer at a bar, to verify a transaction or a particular data point.

Blockchain accomplishes this by distributing encrypted transactional records (“blocks”) across an array of open ledgers stored in multiple computers (participating “nodes” linked together in a “chain”) wherever the nodes may be in the world. By design, the information stored in a blockchain is anonymous and resistant to hacking, as it would require simultaneous hacking of the data in each node in the chain, which is theoretically impossible given the encryption and distributed nature of the information. The transactional record is anonymous since a real identity is not needed to claim authority over the transaction. All that is needed to claim authority over the transactional record is to hold the encryption key used to create the record in the first place.

An example of a transactional record stored in a blockchain could be any type of record that needs to be verified, including a contract, the payment of an invoice, the exchange of currency from one account to another (like Bitcoin transactions), the sale of a house, the verification of a diploma, or the verification that someone is over 21.

I particularly like this last example because it helps explain how blockchain could be used to prove a point, i.e. I’m over 21, without unnecessarily giving away too much information. Let me explain. In most cases today, if you want to prove your age, that you’re over 21 for instance, you’ll need to show someone identification, like your driver’s license. When you do this you’re giving away way too much information, like your birthdate, your address, your full name, and your driver’s license number, when all they really need to know is that you’re over 21. If you had a transactional record stored in a blockchain that verified you were over 21, all you’d need to do is give someone the related key to the record, thus verifying your age without providing them the rest of your information (this process is also referred to as a “zero-knowledge truth”).

Where the GDPR and Blockchain Meet

So, what do blockchain and GDPR have in common, you ask? Well, for one thing, many engineers are struggling as they try to figure out how to use blockchain in applications that require the processing of an individual’s personal information, like their birthday, in a GDPR-compliant way.

As noted above, under GDPR people have the right to be forgotten, to have their data erased, to data portability, etc.; moreover, the controller of the data, i.e. a company, is responsible for maintaining “control” of the data and for maintaining a direct relationship with any data processor they work with to manage the data, like “nodes”. Well, it turns out that with blockchain this is difficult to do, since by design the blockchain transaction record is non-repudiable (i.e. it can’t be changed, which includes the function of being erased), it can’t be ported, and the information is by design distributed; that is, it is out of the control of the controller.
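The conflict described above, as an added example that is not part of the original article: a simplified ledger in which each block commits to its predecessor with SHA-256, showing what happens when one node honors an erasure request. The hash-link model, the function names, and the sample records are assumptions made for illustration and do not represent any specific blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder for the first block's predecessor

def block_hash(prev_hash, record):
    """Hash a record together with the hash of the block before it."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    """Append records in order; each block commits to its predecessor."""
    chain, prev = [], GENESIS
    for record in records:
        digest = block_hash(prev, record)
        chain.append({"prev": prev, "record": dict(record), "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for index, block in enumerate(chain):
        if block["prev"] != prev or block_hash(prev, block["record"]) != block["hash"]:
            return index
        prev = block["hash"]
    return None

def erase_subject(chain, subject, rehash=False):
    """Blank one person's fields on a copy of the chain (an Article 17 request)."""
    edited = [{**b, "record": dict(b["record"])} for b in chain]
    prev = GENESIS
    for block in edited:
        if block["record"].get("subject") == subject:
            block["record"].update(subject="ERASED", birthdate="ERASED")
        if rehash:  # the node rewrites every link from the start of its copy
            block["prev"], block["hash"] = prev, block_hash(prev, block["record"])
        prev = block["hash"]
    return edited

# Constructed sample records; names and dates are invented for this example.
RECORDS = [
    {"subject": "alice", "birthdate": "1990-04-02", "claim": "over_21"},
    {"subject": "bob", "birthdate": "1985-11-17", "claim": "over_21"},
    {"subject": "carol", "birthdate": "1979-01-30", "claim": "over_21"},
]
```

Erasing in place makes the node's copy fail verification at the edited block, while rehashing produces a copy that verifies locally but no longer matches the hashes held by every other node from that block onward.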

So, as you can see, this appears to be a thorny engineering problem. It is unclear if blockchain can be used in situations where GDPR is applicable. It will be very interesting to see how GDPR and blockchain evolve and if their inherent differences can be resolved.

Editor’s note: Michael Becker is a member of the PDEC Governance Board, and serves as its President.