Blockchain & GDPR: Demystifying a Complicated Relationship (Part Two of a Two-Part series)
Reconciling GDPR’s emphasis on privacy with blockchain’s immutability is the key to the future of blockchain innovation in the EU, and by extension, the world over. As new research suggests, achieving this balance will not be easy, but can be done.
The rise of blockchain technology over the past couple of years has been phenomenal. In just three years, a total of 562 startups and incumbents have jumped into the fray to create solutions based on the distributed ledger. The introduction of the General Data Protection Regulation (GDPR) has, however, put the cat among the pigeons by kicking off debates on secrecy, privacy, and even what counts as personal information. Research by Simon Schwerin of the Berlin School of Economics and Law sheds light on the various points of contention in this ongoing tussle. Part One gave an overview of the research findings. This installment takes a deep dive into the results and looks at the way forward for the EU and blockchain developers.
Blockchains Impact Personal Data
Creating an electronic identity layer that gives individuals increased control over their own personal data is an idea that found consensus among the respondents. Nevertheless, it comes with major risks in the form of lost keys, carelessness and an inability to manage keys properly. Blockchain is also seen as potentially having a major impact on the enforcement of the consent requirements set by the individual. This will also affect businesses in areas such as entitlements, reputation management and privacy-enhancing business solutions, where disruptive companies are already offering products.
Data Protection Regulations Will Impact Blockchain-Related Personal Data
A minimum standard of user data security, together with the ability of users to manage who can see what, found high consensus among the respondents. GDPR’s privacy by design (PbD) requirement obliges companies to take data privacy into account at the design stage of their projects. Blockchain is also seen as relevant for personal data that users share voluntarily online, as it can help create transparency about how this data is used. Nevertheless, respondents observed that further dialogue between policy makers and blockchain developers is needed.
The Blockchain4EU initiative is seen as a step in this direction as it could allow sociotechnical exploration of existing, emerging and potential blockchain applications for industrial/non-financial sectors.
Personal Data Cannot be Directly Stored on Blockchain Networks
Storing personal data on a public blockchain is seen as problematic. Moreover, what constitutes personal data is itself a matter of debate. For example, there is little consensus on whether reputational data (i.e., data posted online by users under avatars) counts as personal data. Making reputational data public may, therefore, not go down well with all users. A definition along the lines of GDPR’s definition of personal data also leaves room for argument over concepts such as virtual identities. For instance, a picture of a user’s face won’t constitute personal data, a retinal scan would constitute personal data, but a fingerprint might not constitute personal data. Overall, this is seen as more of a problem of human preparedness than of technological capability.
PbD Enables Blockchains Designed in a Privacy-Friendly Manner
There is high consensus on the idea that blockchain can be made compliant with PbD. The rationale: distributed ledger technology is not a standalone solution but part of a stack that works alongside other technologies to make up for its weaknesses. A distributed network such as a blockchain would work best when combined with existing systems of record, engagement and intelligence to optimize online transactional integrity.
To ensure the integrity of the data within such a solution, the research suggests that supportive, open standards should be developed. However, initiatives in this direction have only just started. With respect to PbD, recovery of hidden information and of private keys is seen as problematic. Suggested solutions include social validation, in which multiple signatures, for example from spouses and/or a government official, are needed to recover such a key.
Blockchains can Help Solve (Privacy) Challenges that Arise from GDPR
Blockchain is expected to be useful for complying with data protection regulations. According to the respondents in the Delphi study, the management of user consent is a particularly strong use case. Blockchain would give regulators and individuals certainty about the consent given for collected data. Companies (data processors and data controllers) would benefit from well-defined user management. Users could revoke, extend and renew their consents autonomously.
Such a solution could be realized by having the blockchain serve as a processing log that creates a single point of truth and by using smart contracts to regulate processing permissions. Some experts contend that blockchain changes the dynamics of data ownership and aligns with the goal the GDPR aims to achieve. This could be accomplished by providing each EU citizen with an identity that remains under that individual's full control. It is important, however, that all blockchain developers are conscious of human rights, data protection and privacy, and of the need to consider how technology can protect the privacy of the individual without impeding technological progress.
Blockchain Privacy Impact Assessment
The insights obtained from this study point to the need for a framework that can be used in practice to increase the likelihood that blockchain applications and solutions comply with the GDPR. This framework calls for a privacy impact assessment (PIA) — or data protection impact assessment (DPIA), as the GDPR refers to it — for blockchains. Its aim is to prepare researchers and developers to design their solutions and software architecture in a privacy-friendly manner by asking the right questions. A PIA helps organizations identify and minimize privacy risks and is usually conducted while developing and implementing new processes, projects, policies and systems. The steps involved in this assessment are represented in Figure 1.
GDPR will have a significant impact on the development of distributed ledger technology, mainly because most blockchain solutions use public key cryptography. For now, every private or public key can be considered personal data. The regulation will, therefore, require blockchains to consider a privacy impact assessment and the principles of privacy by design. Blockchains can also be used to enhance GDPR compliance by making use of their “immutability”: storing data processing information as metadata on the blockchain creates a single source of truth about all processing related to personal data.
For blockchain-based solution providers, GDPR means they need to place privacy at the heart of their products. The same applies to enterprises looking to leverage blockchain technology in offerings that would require them to store customers’ personal data. As digital technologies become more deeply embedded in people’s daily lives, user data protection is more important than ever. Blockchain’s inherent strength of immutability means that it can play an important role in a future defined by GDPR.
However, as this research highlights, there are issues that need to be ironed out beforehand. To this end, it is important that the dialogue between regulators and the blockchain ecosystem continues toward the common goal of creating the right environment for blockchain innovation to thrive. Efforts toward the creation and implementation of EU-approved standards and certifications are a good first step.