Blockchain and GDPR

The European General Data Protection Regulation (GDPR) took effect on May 25, 2018. It was created in response to “surveillance capitalism”, otherwise known as “platform capitalism”, in which global corporations collect ever more data without handling it in a secure manner that protects the individual’s privacy. Facebook with Cambridge Analytica is just one example from a long list of breaches and misguided handling of personal data in the 21st century.

To address this, the EU has created the most far-reaching privacy legislation seen in the digital age. Any company that does business in Europe will need to comply or face steep fines of up to 4% of global annual revenue. The GDPR mandates that the rights of the “data subject,” that is, the individual whose data it is, be protected. Some articles to highlight are listed below:

Article 12: The right to have questions about use of personal data answered, and to seek redress if these questions are not answered in a clear, concise, timely manner.
Articles 13 & 14: The right to know how personal data is being used at the time of collection, as well as the length of time for which it will be stored and contact information for the collecting party.
Article 15: The right to access the personal data that is being processed.
Article 16: The right to have incorrect personal data rectified.
Article 17: The right to have personal data erased when they are no longer necessary for the purposes for which they were collected and there is no legal ground for their maintenance.
Article 18: The right to restrict data processing where the data is inaccurate, its collection unlawful, or its processing no longer required.
Article 19: The data collecting party must inform all additional data processors with whom it shares personal data to cease processing data that has been rectified or erased.
Article 20: The right to receive their personal data in a structured, commonly-used, machine-readable format which they can freely share with other data processors.
Article 21: The right to object to personal data being used to profile or market to them.
Article 22: The right to not be subject to legal outcomes that rely solely on automated data processing.

Besides the articles stated above about data access, data portability, right to be forgotten, etc., the GDPR also mandates that data controllers and processors abide by the principle of “data protection by design and default”. This means building data-handling solutions with privacy carefully thought through from the start, rather than treating it as an ad hoc or add-on feature. It also means using techniques such as pseudonymization (decoupling data from identity) and data minimization (sharing only absolutely necessary data) to protect privacy. Among the techniques for handling private data, a new kid in the class is getting more and more attention: blockchain.


Blockchain: Data Protection by Design and Default

With public ledgers, blockchains are getting us closer than ever before to a digital identity in which the user is the primary owner of their data. Centralized models of data storage rely on the implicit premise that administrators of information are trustworthy actors with a mandate to steward personal data. Blockchains, however, were designed to be distributed ledgers in light of the frequent failure of even the best-intentioned centralized authorities to live up to their promise as stewards of the public trust. Accordingly, blockchains were built to function in a “trustless” environment – that is, one in which people can transact directly with one another without needing to trust any other individual or intermediary in the ecosystem. This is why blockchains are not only decentralized but distributed – none of the servers, or nodes, in the network running a blockchain protocol acts as an authority over others. This ultimately avoids any central points of failure. A structure of incentives mediated by solid cryptography ensures the integrity of a ledger of transactions that is shared by all the nodes, without relying on human beings to achieve consensus. In sum, math, executed and validated by a network of computers, functions as a substitute for the middleman.

To see how blockchain is “data protection by design and default”, we need to look at how blockchain removes the need to trust a centralized authority in order to keep an accurate record of activity. There are many different types of blockchains today, with even more cryptocurrencies. However, the Bitcoin blockchain continues to be not just the world’s first but also its largest and most adopted blockchain, designed with pseudonymity and data minimization built in. The Bitcoin blockchain records the following pieces of data for every transaction that takes place:

  • The public key of the transaction sender
  • The public key of the transaction recipient
  • A cryptographic hash of the transaction content. This could be anything: a land title, a birth certificate, an academic diploma, a copyright, an article of clothing, currency, a quantity of precious metal, etc.
  • The date and time of the transaction

This is what “data protection by design and default” means. Because a one-way cryptographic hash is used, it’s impossible to tamper with the information of a transaction. And unless one of the parties to the transaction decides to link a public key to a known identity, such as a name, email or phone number, there is no way to map transactions to individuals or organizations. What this means is that even though the Bitcoin blockchain is “public” (that is, anyone can see all the transactions on it), no personal information is linked to the transaction or made public. This is by design: it allows anyone to validate the integrity of the transaction ledger without violating the privacy of the parties making transactions. While data is protected by design, this doesn’t answer how an individual’s right to be forgotten is honored.


Blockchain vs GDPR: Right to be forgotten?

So, with “data protection by design and default”, how does blockchain stay GDPR compliant and allow users the right to be forgotten? To recap Article 17 from above:

Article 17: The right to have personal data erased when they are no longer necessary for the purposes for which they were collected and there is no legal ground for their maintenance.

There seems to be a conflict. Blockchains might have “data protection by design and default”, but they are also open public ledgers running on a distributed network where nodes keep a version of the whole blockchain, making it impossible to erase data written on the blockchain. Hence, how can a decentralised application (dapp) offer its users the “right to be forgotten” when running on a blockchain where data cannot be deleted?
The answer boils down to anonymity.

On a blockchain, you are anonymous. And even if you choose to use a central authority to store your private or public keys, this central authority can remove these from its database and make all your transactions anonymous.
In other words, any application that runs on a blockchain, whether it is a cryptocurrency or a decentralised application (dapp), can anonymize a person’s data, making the person’s data trail and history completely anonymous and hence, GDPR compliant.
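
The mechanism described in the last two sections, as an added example that is not code from the original article: a hash-chained ledger stores only the four fields listed earlier, while a separate off-chain registry holds the key-to-identity link that an erasure request deletes. The key strings, the registry dictionary and the function names are assumptions made for illustration, and the chain is a simplified stand-in, not Bitcoin's actual block format.

```python
import hashlib
import json

GENESIS = "0" * 64

def digest(prev: str, record: dict) -> str:
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def append(chain, sender, recipient, content: bytes, when: str) -> None:
    """Store only the four fields the article lists; the content itself stays off-chain."""
    record = {"sender": sender, "recipient": recipient,
              "content_hash": hashlib.sha256(content).hexdigest(), "time": when}
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": digest(prev, record)})

def verify(chain) -> bool:
    """Recompute every link; any edited record or broken back-pointer fails."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != digest(prev, block["record"]):
            return False
        prev = block["hash"]
    return True

def erase_identity(registry: dict, identity: str) -> None:
    """Erasure handled off-chain: drop every key-to-identity link for this person."""
    for key in [k for k, v in registry.items() if v == identity]:
        del registry[key]

def demo() -> dict:
    chain = []
    alice, bob = "pubkey-A-constructed", "pubkey-B-constructed"  # constructed sample keys
    registry = {alice: "alice@example.org"}  # hypothetical off-chain store of the central authority
    append(chain, alice, bob, b"land title (constructed)", "2018-05-25T10:00:00Z")
    append(chain, alice, bob, b"diploma (constructed)", "2018-05-26T09:30:00Z")
    before = registry.get(alice)
    erase_identity(registry, "alice@example.org")
    after = registry.get(alice)
    same_key_records = sum(b["record"]["sender"] == alice for b in chain)
    intact = verify(chain)
    chain[0]["record"]["recipient"] = "pubkey-X-constructed"  # simulate a later edit
    return {"before": before, "after": after, "same_key_records": same_key_records,
            "intact": intact, "intact_after_edit": verify(chain)}

if __name__ == "__main__":
    print(demo())
```

After the erasure the registry no longer resolves the key and the ledger still verifies, while both records remain on the ledger under the same key; the simulated edit at the end is caught by `verify`.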

In sum, as long as an individual’s history can become anonymous, it is not necessary to be able to erase data.