Can Blockchain and GDPR Coexist?
In today’s world of ubiquitous connectivity, everyone shares their personal data in one way or another. More than 60 billion messages are sent every day on Facebook Messenger and WhatsApp, not to mention over 250 billion emails sent back and forth daily. From social media to your insurance company or even your doctor, sharing personal data is quickly becoming the norm. More of our personal information is in the hands of giant conglomerates that continue to gain more control over our personal lives.
Should we be afraid? Well, as these digital platforms and companies collect more data, they become more centralized. This makes them a huge target for hackers and bad actors looking to harvest personal information. For that reason, there is cause for concern.
Personal Data Protection Concerns
In fact, most of these companies have already failed tremendously to guarantee the protection of personal data. A good example is how Facebook (a giant storehouse of personal data) got caught up in the chilling Cambridge Analytica scandal.
Apparently, Facebook mishandled personal data, allowing Cambridge Analytica to harvest personal data from millions of users on the platform. Currently, Facebook faces a hefty fine from the UK data watchdog as a result of the misconduct.
In addition to Facebook, there have been other incidents of data breaches and misuse at organizations such as Equifax, Yahoo, and MyFitnessPal.
With that in mind, more people are waking up to the reality that the information they share with centralized entities is not that secure. Companies can choose to monetize the personal information, or security flaws can lead to the entire firm being hacked and its data lost to bad actors.
Therefore, the European Union parliament approved and adopted the EU General Data Protection Regulation laws in April 2016. The EU General Data Protection Regulation became effective as of May 25th, 2018. The aim is to change the digital venture landscape by harmonizing data privacy laws across Europe. From banking to healthcare and beyond, companies will have to restructure their data processing policies to comply with GDPR guidelines.
GDPR Regulatory Laws
First of all, GDPR’s regulatory laws apply to any information that relates to an identifiable person. Granted, this definition covers a wide range of personally identifiable data; however, the regulations indicate that the following types of information fall under this category:
- location data
- online identifier
- ID number
- encrypted and pseudonymized personal data
To put it simply, GDPR laws apply to anyone who processes personal data in the EU region. The regulations also apply to organizations outside the EU that process personal data for their customers in the EU. Therefore, as long as your company holds or processes personal data of EU residents, the GDPR laws apply.
For companies that violate the GDPR regulatory laws, a maximum fine of 4 percent of that company’s annual global turnover has been set. There is also a 2 percent fine for companies that fail to keep their records in order or fail to notify the authorities of breaches in their system. As it stands, a good number of companies are going through the difficult task of rearranging their consent management strategies as more GDPR refinements, updates, and revisions are being implemented.
Benefits of GDPR
As a result of the implementation of the EU’s GDPR regulatory laws, consumers now have power and control over the fate of their personal data. A consumer can prevent the monetization of their personal data, since the regulations give customers, platform users, and the general public the right to access all the personal data a company holds. GDPR-compliant companies can now establish trust with the public, since companies stand to pay substantial fines if they refuse to comply.
GDPR gives people back the right to own and control their own private and personal information. However, even with the establishment of these regulatory laws, the implementation process is only going to get more complicated.
Essentially, GDPR is aimed at technology companies that collect user data in order to efficiently render goods and services. This poses a huge problem. Anyone who has spent some time in the technology industry will agree that technology always leaps ahead of existing regulatory frameworks. In most cases, the legislative side plays catch-up to an industry that is always moving forward. A good example is the advent of Blockchain technology.
Blockchain technology has been around since 2008. However, the technology is only now starting to become popular among the mainstream public, thanks largely to Bitcoin’s meteoric rise in price. As the pioneer cryptocurrency, Bitcoin has taken center stage as an example of what can be achieved with Blockchain technology. Over the years, the price of Bitcoin has fluctuated, even coming close to the coveted $20,000 mark at the end of 2017.
As a result of Bitcoin’s popularity, a lot of people assume that Blockchain and Bitcoin are the same thing. This couldn’t be any further from the truth. Apart from Blockchain being invented earlier than Bitcoin, Blockchain, unlike Bitcoin, is a database network and not a cryptocurrency. The Blockchain thus acts as a distributed accounting system for Bitcoin. Unlike Bitcoin’s volatile growth, Blockchain’s market worldwide has actually had steady growth, as seen in the graph below according to statista.com.
In fact, most futurists and technology experts believe that Blockchain will have more significance in the future than Bitcoin. Already, there are numerous commercial applications of Blockchain technology, all thanks to its distributed ledger technology that enables companies to digitize data, enable easy verification, and cut costs. Basically, Blockchain’s advancement has been rapid and unprecedented, leaving behind regulatory policies that are still playing catch-up to this new technology.
How Does the Blockchain Work?
Essentially, the Blockchain operates as a decentralized and immutable database that can be used to verify transactions without the need for a third party. The Blockchain was first created by Satoshi Nakamoto, and a variety of cryptocurrencies including Bitcoin and Ethereum have used it to verify peer-to-peer transactions.
However, apart from cryptocurrencies, there are a variety of applications where Blockchain can be used. For instance, just as the technology prevents double spending with cryptocurrency, it can also be utilized to digitize sensitive documents and help get rid of counterfeits and fraud.
From electoral documents to title deeds and even diamonds, you can practically use Blockchain anywhere and with anything as long as there is a need for authenticity. The authenticity of any piece of digital information boils down to trust. Data is given a digital thumbprint (a hash) that is then uploaded to the Blockchain. If that information or document changes, then the digital thumbprint changes too and no longer matches the original document. And, since records written to the Blockchain are immutable and encrypted for anonymity, and the ledger is distributed on a peer-to-peer network, there is a sense of traceability and trust on a Blockchain network. This simply means everyone is witness to any changes on the network.
This makes Blockchain technology a perfect platform for storing personal data. Or does it?
You see, data collection and distribution can be achieved with Blockchain thanks to its decentralized approach. And, unlike the centralized servers of companies, which are prone to hacks and data harvesting, Blockchain is built to give every individual access to their personal data on a decentralized platform.
The Conflict Between Blockchain and GDPR
Blockchain technology is quickly emerging as the global standard for keeping a database of information. Under the scope of GDPR, however, there are certain concerns that most believe make Blockchain non-compliant with the EU laws and regulations. For instance, the GDPR stipulates that any identifiable information must be subject to the control of the user, whereby the user has the freedom to delete or change his or her personal data.
In the context of Blockchain, this can be a bit tricky, considering every document recorded on a Blockchain database is immutable. According to Jan Philipp Albrecht, who guided the GDPR through its legislative process and is a member of the European Parliament, “this is where Blockchain applications will run into problems and will probably not be GDPR compliant.”
Like most experts, he agrees that the GDPR regulations are out of touch with technological advancement, as the regulations were formulated with the assumptions of centralization and control of user data. Most Blockchain skeptics have also argued that there is simply no way a Blockchain application and GDPR can coexist.
The basic argument is that while the officials “were getting granular with legal wrangling”, advancements in the world of technology and business were moving fast. Laura Jehl, a lawyer who specializes in compliance and Blockchain, says:
“If whatever is on the Blockchain is defined as personal data, then they’re fundamentally incompatible because the Blockchain is immutable.” She also says that the intent of Blockchain and GDPR are quite compatible but only “until you get to the right of erasure and data portability.”
As you can see, even though there is room for Blockchain and GDPR to coexist, some bottlenecks are inevitable. While the GDPR and Blockchain agree on allowing people to have more control over their data, problems inherent in Blockchain technology can get in the way of compliance. The problems include:
Immutability and the Right to Erasure
The Blockchain is immutable, and that goes against the harmony that the GDPR is designed to establish. The right to erasure is one of the key points of the GDPR. The law allows users to request the erasure of their data when the personal data is no longer necessary in relation to its original purpose. Users can also opt to have their data erased if they withdraw consent to data processing. Even though the GDPR does not exactly define what it means to erase data, the Blockchain still presents a unique problem whereby data on the distributed database cannot be removed or altered easily.
Data Transfer Outside the EU
This is another area of conflict that most skeptics see as proof of the incompatibility between Blockchain technology and GDPR. Blockchain networks are designed to be decentralized, i.e. the nodes are distributed across a globe-spanning network. This is contrary to what the GDPR is aiming for, since each node on a public Blockchain has access to the complete ledger. As a result, the individual has no real control over the personal data on the network.
Through the use of hashing, tokenization, and encryption, personal data can be stored on the Blockchain and retain its anonymity. However, the GDPR standards for anonymity are quite high. Besides, Blockchain’s methods of achieving anonymity have not been proven to provide actual anonymization. With the growth of quantum computing, it might get easier for encryption and hashing schemes to be broken. If this happens in the future, Blockchain’s anonymity would become less effective.
With all this in mind, is there any other way Blockchain and the EU GDPR regulations can coexist? Well, what about setting up a private Blockchain network?
Public and Private Blockchains
While Blockchain arises from crypto anarchy with a philosophy of disrupting centralized institutions, the EU GDPR regulations are institution-centric and government dependent. It is no wonder most skeptics believe the two cannot coexist. However, from a GDPR as well as a Blockchain perspective, setting up a private Blockchain network is a much easier way of achieving accountability while maintaining compliance.
The difference between a public and private Blockchain is clear. While a public network allows participation from anyone with an internet connection, a private network requires an invitation and comes with a set of rules. Businesses looking to establish compliance with their Blockchain applications can set up private Blockchains that allow only invited entities to transact on the database. For instance, a business can set up a private network, rent cloud services for storage of its database, and sign controller-processor agreements as stipulated by the GDPR.
If a customer wants to edit or remove their data from the database, the participants can more easily reach consensus to search, extract, and edit the data on request, since a private Blockchain network is easier to control than a public one.
How Do You Delete Data from a Private Blockchain Network?
Well, we’ve seen that even with advanced programming and cryptography, Blockchain data cannot be completely anonymous. Likewise, editing or removing data from the Blockchain is hard but not impossible. With a private network, the nodes can more easily reach a consensus that allows the Blockchain network to be forked, giving rise to a newly edited version of the network. Forks are used to add new features to a Blockchain, reverse the effects of hacks, or fix bugs in the Blockchain network. The same process can be used to update the network of a business whose customers want to erase their personal data from the database.
Granted, some would argue that using a private Blockchain that can be forked with the consensus of the invited entities still poses a problem of trust between the business and the customer. For this reason, we will have to take a look at other solutions that can achieve compliance:
Off-Chain Data Storage
As an alternative, organizations can store the relevant personal data in encrypted private databases while including only a hash of the personally identifiable data on the Blockchain. The hash acts as a thumbprint that points to a specific record; therefore, its only use on the network is to confirm that the off-chain record is intact.
Furthermore, the private off-chain system can have restricted access so that only authorized individuals or entities are allowed to make changes to the database. The only problem is that the subject will have limited control over the data that is stored off-chain, and the company will have full guardianship of the individual’s personal data.
Another possible way to work within the GDPR regulations so as to achieve compliance is to use a public Blockchain but encrypt the data with a public and private key pair. The organization sets up public keys that encrypt the data and private keys that decrypt the same data.
Theoretically, this process can enable full protection of personal data: if the company destroys all copies of the private keys, any chance of decrypting the personal data is eliminated. This way the subject still gets control over the data while the Blockchain platform achieves compliance with GDPR.
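The two ideas above (an on-chain thumbprint pointing at an off-chain record, and erasure by destroying a key) and the earlier caveat that a hash of personal data is not real anonymization can be shown in a few lines. The following is an added illustration written for this article, not code from any Blockchain project; the record, the `Controller` class and the plain Python list standing in for the ledger are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, not real data: low-entropy PII of the kind GDPR covers.
SUBJECT_RECORD = b"alice@example.com"

def bare_hash(data: bytes) -> str:
    """Unkeyed SHA-256 of the record: a pseudonym, not anonymisation."""
    return hashlib.sha256(data).hexdigest()

def guess_bare_hash(target: str, candidates):
    """Re-identify a bare hash by trying guessable inputs (e-mails, ID numbers)."""
    for candidate in candidates:
        if hmac.compare_digest(bare_hash(candidate), target):
            return candidate
    return None

def keyed_commitment(data: bytes, key: bytes) -> str:
    """On-chain thumbprint that needs an off-chain secret key to recompute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Controller:
    """Hypothetical off-chain store (records + per-subject keys); chain holds only commitments."""
    def __init__(self) -> None:
        self.records: dict = {}
        self.keys: dict = {}
        self.chain: list = []  # append-only, standing in for the immutable ledger

    def enroll(self, subject_id: str, record: bytes) -> str:
        key = secrets.token_bytes(32)  # fresh random key per subject
        self.records[subject_id] = record
        self.keys[subject_id] = key
        commitment = keyed_commitment(record, key)
        self.chain.append(commitment)  # only the thumbprint goes on chain
        return commitment

    def verify(self, subject_id: str) -> bool:
        """Integrity check: the off-chain record still matches a chain entry."""
        if subject_id not in self.records or subject_id not in self.keys:
            return False
        return keyed_commitment(self.records[subject_id], self.keys[subject_id]) in self.chain

    def erase(self, subject_id: str) -> None:
        """Right to erasure: drop record and key; the chain entry stays but can no longer be recomputed."""
        self.records.pop(subject_id, None)
        self.keys.pop(subject_id, None)
```

After `erase`, the ledger is unchanged, but the surviving entry cannot be linked back to a guessed e-mail address because the per-subject key is gone; a bare `sha256(email)` on chain would still be re-identifiable by dictionary lookup.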
Coming up With Flexible Policies
According to Anne Toth, the head of data policy at the World Economic Forum:
“Technology shifts, pivots and morphs at a speed much greater than laws and regulations are designed to move.”
Well, no one is arguing against regulations such as the GDPR; however, policymakers need to be flexible and forward thinking. Besides, apart from enforcing mechanisms to punish bad actors, governments also have to ensure the creation of development-friendly environments. Therefore, through a layered, cooperative approach to policymaking, regulators can become more flexible so as to make things easier for all stakeholders.
So, there you have it. Blockchain and GDPR can coexist, but that can only happen when regulators collaborate with the private sector, academia, and civil society. In order to realize fast futuristic developments, regulators need to come up with policies that are as dynamic as technology. Besides, the use of Blockchain technology is increasing almost every day. As you have seen, there is room for Blockchain to be flexible enough to fit into the regulatory demands of the GDPR. However, to make it a success, policymakers have to be engaged in the conversations as well.