Blockchain & GDPR: Demystifying a Complicated Relationship (Part One of a Two-Part Series)
What does the EU’s sweeping privacy and data protection law mean for blockchain and the companies developing decentralized ledger-based solutions? New research sheds light on the matter and suggests a way forward.
Concerns about data privacy are widespread in the digital age. As companies become custodians of more and more personal data, an inevitable and urgent question arises: what will happen to this data in the future? This question revolves around the trust (or lack of it) between users and the companies that own their data.
This year, the European Union (EU) introduced the General Data Protection Regulation (GDPR) to empower people to control access to their personal data. This comes in the wake of an alarming increase in data breaches — publicly disclosed data breaches jumped 88% in 2017 to 2.5 billion — which has sent companies scrambling for a technological answer that will provide long-term assurance to their customers.
Blockchain has emerged as a technology with the most potential for bringing trust to the digital world. With its ability to store data securely on an immutable decentralized ledger, blockchain builds trust into the system while eliminating the need for credentialed third parties. Ironically, this very characteristic could make it run afoul of GDPR, which aims to put control of personal data into the hands of the user.
From a regulatory perspective, blockchain is still in its infancy, but its potential impact on policies and politics is being taken seriously. If blockchain is to become part of the go-to set of technologies that support GDPR compliance, understanding the interrelationship between the two is essential. Researcher Simon Schwerin of the Berlin School of Economics and Law dug deep into this topic in his study ‘Blockchain and Privacy Protection in the Case of the European General Data Protection Regulation (GDPR): A Delphi Study’, which was published in the Journal of The British Blockchain Association. The research centers on how the immutability of blockchain, a technology characterized by decentralization, can be harmonized with GDPR, a regulation focused on privacy. From a data protection perspective, this gives rise to three questions:
What should be done to help blockchain developers become GDPR compliant without hindering the technology’s innovative impact?
Can blockchain be privacy-friendly by being developed along the principles of privacy by design?
How could blockchain help regulatory bodies?
These questions don’t have straightforward answers because there has been little to no research exploring the relationship between GDPR and blockchain. However, analyzing the extensive literature on the two topics, and combining it with the views of experts in the area through the Delphi method, offers insights that bring a sense of clarity to the current situation and the way forward. While blockchain is not a panacea for privacy, it can, in combination with other technologies, provide potential solutions. To this end, five research hypotheses were drawn up to explore the interrelationships between GDPR and blockchain (see Figure 1).
The results of this research offer key insights into the role blockchain, and blockchain-based solution providers, could play in enabling the GDPR to ensure citizen data privacy, while ensuring that blockchain-enabled innovation is unhindered. The following are the key findings of this research for each of the five hypotheses:
Blockchains impact personal data.
Creating an electronic identity layer gives individuals greater control over their own personal data. This comes with major risks in the form of lost keys, carelessness, and an inability to manage keys properly.
Data protection regulations will impact blockchain-related personal data.
Data protection regulation establishes a minimum standard for securing user data and for letting users manage who can see what. GDPR’s privacy by design (PbD) rule requires companies to incorporate privacy into their offerings at the planning stage.
Personal data cannot be stored on blockchain networks, directly.
Storing personal data on a public blockchain is seen as problematic, since there is currently a lack of consensus on what constitutes personal data.
PbD enables blockchains designed in a privacy-friendly manner.
There is high consensus on the idea that blockchain can be made compliant with PbD. The rationale: distributed ledger technology is not a sole solution, but part of a stack that works alongside other technologies to make up for its weaknesses.
Blockchains can help solve (Privacy) challenges that arise from GDPR.
Blockchain is expected to be useful for complying with data protection regulations. The management of user consent is seen as a particularly strong use case according to the respondents in the Delphi study.
Schwerin’s study shows that GDPR will have a significant impact on the development of distributed ledger technology, mainly because most blockchain solutions use public-key cryptography. For now, every private or public key can be considered personal data. The regulation will, therefore, require blockchains to consider a privacy impact assessment (PIA) and the principles of privacy by design. What seems certain, however, is that blockchains could be used to enhance GDPR compliance by exploiting their “immutability”: storing data processing information as metadata on the blockchain creates a single source of truth about all processing of personal data.
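The two findings above (personal data is not stored on the chain directly; processing and consent metadata is) describe an architecture rather than a product. The following is an added illustration of that architecture, written for this article and not taken from Schwerin’s study or from any blockchain project. It assumes the common pattern of keeping the personal data itself in an erasable off-chain store and recording on the ledger only an opaque subject pseudonym, the consent or processing event, and a salted hash commitment to the off-chain record; the pseudonyms, purposes and record contents are constructed sample values. The ledger is modelled as a minimal hash-chained append-only log so that its integrity check can be shown without a network.

```python
import hashlib
import json
import os
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

GENESIS_HASH = "0" * 64


def canonical_digest(payload: dict) -> str:
    """SHA-256 over canonical JSON, so identical metadata always hashes identically."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def commit(salt: bytes, data: dict) -> str:
    """Salted commitment to an off-chain record. The random salt stops low-entropy
    personal data (a name, an e-mail address) from being brute-forced back out of
    the hash that sits on the immutable ledger."""
    return hashlib.sha256(salt + json.dumps(data, sort_keys=True).encode()).hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str
    subject_id: str   # opaque pseudonym, never the subject's name or e-mail
    event: str        # "consent_granted" | "data_processed" | "consent_withdrawn"
    purpose: str
    commitment: str   # salted hash of the off-chain record at the time of the event
    timestamp: int
    hash: str

    def body(self) -> dict:
        d = asdict(self)
        d.pop("hash")
        return d


class ProcessingLedger:
    """Append-only, hash-chained processing metadata: the 'on-chain' part."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, subject_id: str, event: str, purpose: str,
               commitment: str, timestamp: int) -> Entry:
        body = {
            "index": len(self.entries),
            "prev_hash": self.entries[-1].hash if self.entries else GENESIS_HASH,
            "subject_id": subject_id,
            "event": event,
            "purpose": purpose,
            "commitment": commitment,
            "timestamp": timestamp,
        }
        entry = Entry(**body, hash=canonical_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; any edited or removed entry breaks the chain."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or canonical_digest(e.body()) != e.hash:
                return False
            prev = e.hash
        return True

    def has_active_consent(self, subject_id: str, purpose: str) -> bool:
        """Replay the log: the latest grant/withdrawal for this purpose decides."""
        state = False
        for e in self.entries:
            if e.subject_id == subject_id and e.purpose == purpose:
                if e.event == "consent_granted":
                    state = True
                elif e.event == "consent_withdrawn":
                    state = False
        return state


class OffChainStore:
    """Holds the actual personal data plus its salt; this is what an erasure deletes."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, dict]] = {}

    def put(self, subject_id: str, data: dict) -> str:
        salt = os.urandom(16)
        self.records[subject_id] = (salt, data)
        return commit(salt, data)

    def matches(self, subject_id: str, commitment: str) -> bool:
        rec = self.records.get(subject_id)
        return rec is not None and commit(*rec) == commitment

    def erase(self, subject_id: str) -> None:
        self.records.pop(subject_id, None)


def demo() -> Tuple[ProcessingLedger, OffChainStore]:
    """Constructed walk-through: grant, process, withdraw, then erase off-chain data."""
    ledger, store = ProcessingLedger(), OffChainStore()
    c = store.put("subj-7f3a", {"name": "Alice Example", "email": "alice@example.invalid"})
    ledger.append("subj-7f3a", "consent_granted", "newsletter", c, 1_540_000_000)
    ledger.append("subj-7f3a", "data_processed", "newsletter", c, 1_540_000_100)
    ledger.append("subj-7f3a", "consent_withdrawn", "newsletter", c, 1_540_000_200)
    store.erase("subj-7f3a")  # the ledger keeps its history; the data and salt are gone
    return ledger, store
```

After the erasure in `demo()`, the ledger still verifies and still answers “who consented to what, and when”, which is the single source of truth the study points to, while no personal data remains recoverable from the on-chain commitments. The `verify()` check is what an auditor would run to confirm the processing record has not been edited after the fact.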
Part Two of this series will take an in-depth look at each of the key findings listed above and delve into the PIA framework that blockchain providers will need to incorporate into their development process.