Do you see the cookie consent banners on every website you visit? Do you get emails from a long list of third parties asking for permission to collect your information? Have you ever wondered why the items on your wishlist no longer show up in advertisements?
Well, that is the power of GDPR.
On May 25th, 2018, the General Data Protection Regulation (GDPR) came into force in the European Union, to protect the personal data of individuals and to control how any industry uses it.
Personal data, as defined by GDPR, is "any information relating to an identified or identifiable natural person".
Businesses are obliged to follow the GDPR principles, for example minimising data collection, limiting the purposes for which data is used, and deleting data once it is no longer required. The GDPR comprises 99 Articles with which organizations must comply.
GDPR moves data ownership back into the hands of the data subject by granting the fundamental rights to access, rectify and erase the data that businesses (controllers and their processors) hold. Even automated decisions can be contested. Processing requires a lawful basis, the most visible of which is consent, and the individual can withdraw consent at any time. Looking at the basic premise of GDPR, it is evident that the law is all about giving data subjects full control of their personal data.
And that is where Blockchain comes in.
Yes: the ability to give individuals control over their own data is one of the key factors pushing Blockchain into many real-world use cases. Blockchain-based identity solutions such as Blockstack and uPort aim to let data subjects own and fully control their personal data.
While the objectives may seem similar, one is a law and the other is a technology, so we need a closer look at the technology to judge how well it fits the law. Although GDPR is technology-neutral, its terms and definitions presuppose a particular architecture for data processing, essentially a centralized one, and in some instances these definitions do not map well onto the constructs of a Blockchain.
To get some perspective, let us look at the Bitcoin blockchain and ask: who is the controller, who are the processors, and can it enforce the right to erasure? To whom does the data subject direct her request? Does this lack of an addressable party make the Bitcoin network, or for that matter any permissionless public blockchain, unlawful in GDPR terms?
Blockchain networks commonly distinguish two kinds of node: validator nodes and full nodes. A validator (block creator; in Bitcoin, a miner) verifies transactions and appends them to the ledger in new blocks, while a full node independently verifies and keeps a complete copy of the ledger without producing blocks.
"Controller means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data" (GDPR Article 4)
In a public permissionless network, millions of participants in every corner of the world join the network. Assigning data controller responsibility to them is practically impossible: they are known only by an account address that may not link to a real-life entity, and there will never be a clear decision about what responsibility any single entity holds.
"Processor means a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller" (GDPR Article 4)
The validators/miners, on the other hand, only validate transactions. They have no power to alter, organize, erase or restructure the data. Storage, however, happens on every node; does that make each of them a data processor? The overlapping roles of the participants make it hard to fit them into the GDPR paradigm.
Blockchain, at its core, stores and processes data in the form of blocks. Immutability, transparency and auditability are its fundamentals, and they allow anyone to cross-check the authenticity of a transaction. Every protocol and consensus method that governs the functioning of the Blockchain is openly defined. It is an append-only ledger: each block carries the hash of the previous block's contents, so a block, once added to the chain, cannot be modified without invalidating every block after it, which makes the ledger tamper-resistant. This immutability conflicts with GDPR. It collides with the 'Right to Erasure (or to be Forgotten)', which allows an individual to have their data completely deleted by an organization once it no longer needs to be processed.
As the previous sections show, applying GDPR in the blockchain space is not straightforward. On the brighter side, most B2B solutions form a permissioned or private network. Such networks are well-defined and controlled, so a governance authority can clearly identify the data controllers and processors, and the responsibilities of each role can be specified and assigned appropriately.
Further, if an organization stores its customers' data on a Blockchain and processes it with self-executing code, i.e. smart contracts, the smart contract developer may act as a data processor on behalf of the organization, the data controller. It is therefore recommended that an organization have its smart contracts audited, to reduce the risk of vulnerabilities being discovered later that could compromise the data.
Different implementations offer different ways of living with immutability. One of them combines off-chain data with salted hashing. Personal data is stored off-chain, and only an identifier linked to it is written on-chain; once the off-chain data is deleted, the on-chain identifier references nothing, which resolves the conflict with erasure. The linkage itself can be further protected by salted hashing: the identifier is hashed together with a randomly generated salt, prefixed or suffixed to the identifier, so the value written on-chain cannot be reversed or matched against guessed identifiers as long as the salt stays unknown. For this protection to hold, the salt must come from a cryptographic random generator and be long enough that it cannot be brute-forced, and it should be kept off-chain and deleted together with the data.
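The following is an added worked example, written for this page and not code from any real blockchain product, covering both the hash-chained append-only ledger described above and the off-chain data plus salted hash pattern: personal data lives in a deletable off-chain store, only a salted hash of the record identifier goes on-chain, erasure deletes the record and its salt, and the chain still verifies afterwards, while an attempt to edit the on-chain entry instead is detected. It also shows why the salt matters, by running a dictionary attack against an unsalted and a salted hash of a low-entropy identifier. The class and function names (Ledger, OffChainStore, link_by_guessing, run_scenario) and the sample record are assumptions made here for illustration.

```python
"""Added example (not code from the page or any real product): off-chain personal data
with salted on-chain commitments. All names here are assumed for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256_hex(*parts: bytes) -> str:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    commitment: str  # salted hash of an off-chain record identifier; no personal data
    block_hash: str


class Ledger:
    """Append-only hash chain: each block's hash covers the previous block's hash."""
    GENESIS_PREV = "0" * 64

    @staticmethod
    def hash_block(index: int, prev_hash: str, commitment: str) -> str:
        return sha256_hex(str(index).encode(), prev_hash.encode(), commitment.encode())

    def __init__(self) -> None:
        genesis = Block(0, self.GENESIS_PREV, "", self.hash_block(0, self.GENESIS_PREV, ""))
        self.blocks: List[Block] = [genesis]

    def append(self, commitment: str) -> Block:
        prev = self.blocks[-1]
        index = len(self.blocks)
        block = Block(index, prev.block_hash, commitment,
                      self.hash_block(index, prev.block_hash, commitment))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash and back-link; an edited block no longer matches."""
        for i, b in enumerate(self.blocks):
            prev_hash = self.GENESIS_PREV if i == 0 else self.blocks[i - 1].block_hash
            if b.prev_hash != prev_hash or b.block_hash != self.hash_block(i, prev_hash, b.commitment):
                return False
        return True


class OffChainStore:
    """Mutable, deletable storage for the personal data, keyed by the on-chain commitment."""
    def __init__(self) -> None:
        self._records: Dict[str, Tuple[str, bytes, dict]] = {}  # commitment -> (id, salt, data)

    @staticmethod
    def commitment_for(identifier: str, salt: bytes) -> str:
        return sha256_hex(salt, identifier.encode())  # salt prefixed to the identifier

    def put(self, identifier: str, data: dict) -> str:
        salt = secrets.token_bytes(16)  # 128-bit random salt, kept off-chain only
        c = self.commitment_for(identifier, salt)
        self._records[c] = (identifier, salt, data)
        return c

    def resolve(self, commitment: str) -> Optional[dict]:
        rec = self._records.get(commitment)
        return None if rec is None else rec[2]

    def erase(self, commitment: str) -> bool:
        """Right to erasure: drop record and salt; the on-chain hash then points at nothing."""
        return self._records.pop(commitment, None) is not None


def link_by_guessing(commitment: str, candidates: List[str], salt: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: try to re-identify a hash from guessed identifiers.
    Works on an unsalted hash of a low-entropy identifier; fails while the salt is unknown."""
    for cand in candidates:
        h = sha256_hex(cand.encode()) if salt is None else sha256_hex(salt, cand.encode())
        if h == commitment:
            return cand
    return None


def run_scenario() -> dict:
    store, ledger = OffChainStore(), Ledger()
    record_id = "alice@example.com"  # constructed sample identifier, not real data
    guesses = ["bob@example.com", record_id, "carol@example.com"]
    c = store.put(record_id, {"name": "Alice", "wishlist": ["book"]})
    ledger.append(c)
    result = {
        "resolves_before_erasure": store.resolve(c) is not None,
        "unsalted_hash_is_linkable": link_by_guessing(sha256_hex(record_id.encode()), guesses) == record_id,
        "salted_hash_is_linkable": link_by_guessing(c, guesses) is not None,
    }
    store.erase(c)
    result["resolves_after_erasure"] = store.resolve(c) is not None
    result["chain_valid_after_erasure"] = ledger.verify()  # nothing on-chain changed
    b = ledger.blocks[1]  # editing the on-chain entry instead is caught by the hash chain
    ledger.blocks[1] = Block(b.index, b.prev_hash, "0" * 64, b.block_hash)
    result["chain_valid_after_tamper"] = ledger.verify()
    return result
```

Calling `run_scenario()` returns a dictionary of booleans: the record resolves before erasure and not after, the chain still verifies after the off-chain deletion because nothing on-chain changed, and the tampered chain fails verification. The two `link_by_guessing` results show the point of the salt: an unsalted SHA-256 of an e-mail address is matched from a short guess list, whereas the salted commitment is not.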
Compliant or non-compliant with GDPR: it all depends on how the use case is implemented.
To conclude, applying GDPR to centralized architectures is easier; for distributed ledger technology the answer will evolve as more Blockchain-enabled real-life solutions are built.
Personal data: any information that directly or indirectly identifies a natural person, for example a name, phone number, home address or IP address. It includes factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: operations performed on personal data, whether or not automated, such as collection, recording, structuring, storage, alteration, restriction, erasure or destruction.
Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Joint controllers: two or more controllers that jointly determine the purposes and means of processing personal data. Their arrangement should reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.