On May 25, 2018, a new privacy law came into force in Europe The GDPR or General Data Protection Regulation, and it gives EU citizens control over their personal data and what happens to it. This is why it is bombarded with popups asking for your permission to collect and process your personal data. That’s why e-mail newsletters ask you if you’re still interested and why many companies are suddenly making it easier to get a copy of the data you have.
Companies from around the world are working hard to ensure that GDPR complies because otherwise, they run the risk of paying heavy fines. However, blockchain technology is changing everything so what happens when a blockchain contains personal data? The problem with blockchain data is:
That is, immutable. Data stored in the blockchain cannot be changed or deleted.
These are features of this technology that cannot be changed and at the same time, do not look very good for applying privacy.
Understand general data protection regulations
Before diving into GDPR compliance, let’s understand some commonly used terms:
- Data controller – Under EU law, companies that store your data are known as data controllers. Common examples would be Facebook, Google, Apple etc.
- Data processor – The companies that work to analyze your data are known as data processors. For example, Google Analytics, Moz Analytics, Socialblade, etc.
In most cases, the data controller and the data processor are the same entity, however, the burden of complying with GDPR rests on the data controller. Let’s make a note here, GDPR is only effective when personal information of EU citizens is involved. Any company that stores information on EU citizens must comply with regulations, including Facebook or Apple.
As stated in EU law Personal information is any information about an identified or identifiable natural person (‘data subject’); An identifiable natural person is one who can be directly or indirectly identified, especially a reference to an identifier such as a name, an identification number, location data, an online identifier or physical, physiological, physiological, genetic, mental, economic, Cultural or social identity. This is a broad definition, which means any data such as an IP address, a Bitcoin wallet address, a credit card or any exchange, if it can be linked to you directly or indirectly, can be defined as personal data.
3 GDPR articles that conflict with the blockchain feature
GDPR contains three articles, Articles 16, 17 and 18 that make life difficult for companies planning to use a distributed laser network to conduct their business.
- Article 16: This article from the GDPR allows EU citizens to modify or change the data in your data controller. You can not only change the existing data they have, but you can add new data if you think the current data is incorrect or incomplete. The problem is, on a distributed network, adding new data is not a problem but changing it.
- Article 17: This article refers to the “right to forget”. It is not possible to delete data from blockchain and therefore this article immediately conflicts with data protection regulations.
- Article 18: This article refers to the “right to restrict processing”. Basically, it prevents companies from using your data if the data is incorrect or it is collected illegally.
One of the main concerns of a blockchain is that they are completely open, so anyone can get a copy of your data and do whatever they want with it. So, you have no control over who is processing your data.
Possible coexistence solution!
Pairing – A popular solution is to encrypt personal data before storing it on a distributed network. Which means, only those who have the decryption key can access the data. As soon as this key is destroyed, the data becomes useless. This is acceptable in some countries, such as the UK, but there are others who argue that strong encryption is still counterproductive. With the advancement of computing, it is only a matter of time before encryption can be broken down at a faster rate and personal data will be available again. The debate over encryption is still ongoing.
Permission Blockchain – In a public chain, anyone can put new data in the chain and the data is visible to everyone. However, in a permission blockchain, access is controlled and granted to only a few known and trusted parties. This allows the distribution network to comply with Section 18. But unfortunately, it does not comply with Article 17, and the right to forget. Even in a permission chain, the data is still unchanged and cannot be deleted or edited. One possible solution is to store data on a secure server with access to read and write. We then save a reference to that data in our blockchain via a link using a hash function. We can save this hash in the blockchain. Hash functions are popular for verifying the integrity of files on our secure servers. Also, hash functions cannot be reverse engineered to express data. If we delete the server’s data, the hash function becomes useless and no longer becomes personal data.
This is not an elegant solution because blockchains are used because they are decentralized and using a secure server, you are back to centralization.
Zero Knowledge Proof- Zero-6 Knowledge Protocol is a method by which one party (advocate) can prove to the other party (verifier) that they know a value x, they know the value of x without giving any information. It is quite perfect for verifying things like age-gates for example without disclosing birthday information with data collectors. Evidence of zero knowledge could be a possible solution to GDPR outside the blockchain.