
This article has been written by Shreya Mazumdar, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction 

The development of blockchain technology opens a new era of data storage and a new way to structure business models and markets. Blockchain has gained prominence since 2009; it manages data in a way that is resistant to tampering and requires consensus to modify that data. In very simple terms, and to understand the crux of this article, a blockchain is a time-stamped series of unchallengeable records of data that is managed by a cluster of computers not owned by any single entity. Every block of data is secured and bound to the others using cryptographic principles. The blockchain was invented by a person or a group of persons (still unknown) using the name Satoshi Nakamoto. The concept of blockchain and the EU General Data Protection Regulation (GDPR) do not align at their very foundation: GDPR applies to any arrangement where it is necessary to know who the “data controller” is, whereas the blockchain model favours anonymity, and it is difficult to confirm the identity of all nodes, each node’s activity, and who is behind each node.

Furthermore, the objectives differ: GDPR aims to give control over personal data back to the user, whereas blockchain is a technology that creates an “immutable” ledger. This article discusses how, despite these stark differences, a blockchain can be compliant with the GDPR guidelines, which are mandatory. Since compliance is not optional, a violation of GDPR can attract penalties of up to 20 million euros or 4% of global revenue, whichever is greater.

This article is limited to the ways in which blockchain can follow the GDPR guidelines; it is not an in-depth analysis of blockchain as a concept or of the GDPR guidelines themselves.

Blockchain technology

In simple terms, a blockchain is a time-stamped series of unchangeable records of data that is controlled by a cluster of computers not owned by a single entity. Each of the “blocks” is secured and bound to the others by cryptographic principles; these bindings form the chain. A blockchain network has no centralized authority, and its proponents do not believe it should be regulated by any government. As it is a shared and immutable ledger, the information is open for anyone and everyone to see. Therefore, anything built using blockchain technology is very transparent, and everyone involved is accountable for their actions. So the data in the blockchain is transparent, but the controllers of it are not. The following is an in-depth analysis of how blockchain technology is used:

Mandates of GDPR 

As mentioned before, GDPR is privacy legislation designed to enhance the protection of personal data and give citizens in the EU more control over their data. GDPR mandates that companies provide transparency concerning consumer data, and clear consent has to be given by the owner of the data for its use. GDPR therefore regulates the collection, transfer, processing, and retention of every EU citizen’s personal data, requiring companies to provide users with transparency and control over their data on demand.

Key provisions that impact Blockchain

  1. Rights of EU data subjects: Citizens in the EU are given better control over their personal data through easier access to their own personal data, the right to rectification, the right to be forgotten, a new right to data portability, the right to consent, and the right to be informed of a breach of one’s personal data. It becomes obvious that a blockchain that uses fully anonymized data will contradict this GDPR rule.
  2. Security of processing: Data controllers and data processors must implement an appropriate level of security, as per Article 32 of GDPR. The guideline lists measures for securing personal data such as pseudonymization and encryption, and the confidentiality, integrity, availability, and resilience of systems and services. It further states that the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data has to be considered when deciding on the appropriate level of security according to the risk.

Blockchain as a technology helps to protect data against manipulation, so in a sense it increases the security of data. But when analysed more generally, the security provided by blockchains is achieved by making the records stored in the chain transparent and immutable, which in turn is achieved through redundant, distributed storage of each record at several different nodes spread across a large network, in locations that are unknown. This is against the rules of GDPR.

  3. Data protection by design and default: GDPR mandates that data controllers and processors abide by the principle of data protection and privacy by design and by default. There should be a high level of privacy in the default settings, and the controller shall have technical, procedural, and organizational measures in place to comply with GDPR. Data on a blockchain could fall through the cracks of this rule if the person behind the data cannot be identified, directly or indirectly, by a person trying to do so.
  4. Right to be forgotten: The owner of the data has the right to obtain from the controller confirmation of whether their personal data is being processed, including information on the recipients to whom the personal data have been or will be disclosed. The data owner (“data subject”) also has the right to ask the data controller to correct his or her personal information in case it is incorrect.

Personal data added to a blockchain is publicly visible, cannot be tampered with, and is immutable, which means that on a public permissionless blockchain it is there forever, as it is copied to every distributed node; this defeats the ‘Right to be Forgotten’ under GDPR.

Compliance of Blockchain and the GDPR

A panelist at “The Privacy and Security Challenges of New Technologies” at the University of San Francisco, in his paper for the Practising Law Institute’s (PLI) Institute on Privacy and Data Security Law Conference, advised the following on blockchain and GDPR compliance, which is summarised in the table below:

Recognizing “data controller” 

One has to determine who plays the role of ‘data controller’ and ‘data processor’. In blockchains, participants have the right to make entries and hence act as data controllers; accessors, who access the data of individuals other than themselves, process data under GDPR; and miners act as processors.

As ‘data controllers’, ‘data processors’ and ‘accessors’ are complex to identify, it is easier to assign the ‘data controller’ beforehand. This can be done by creating a legal person, such as an association or economic interest group, or by recognizing one participant who will be responsible for making the decisions of the group and assigning that participant as data controller. That entity or participant is the controller, while the other participants act as processors, provided that a participant acting as processor does not determine the “purpose and means” of the processing (a controller by fact, not by law). Otherwise, these participants will be considered joint controllers, who are jointly and severally liable and are required to determine, in a transparent manner, their respective responsibilities for ensuring compliance with GDPR (Article 26, ‘Joint Controllers’).

To identify a data processor: the smart contract developer who processes personal data for a participant (acting as data controller) can act as a processor. A smart contract is a kind of self-executing contract in which the terms of the agreement between the parties are written in code and are automatically triggered by a situation or event. So the developer of a smart contract solution may act as a solution provider, or, where the developer of the algorithm participates in the processing of the data, may qualify as a data processor or data controller depending on their purpose in the processing. To make this clearer, take an example: a software developer offers a banking company a smart contract that automatically gives customers cashback if they buy shoes from Reebok. This developer shall be identified as a data processor if he or she intervenes in the processing of the personal data; the contract should specify each party’s obligations and refer to Article 28 of GDPR (‘Processor’). Analysing this in terms of blockchain, if several banks decide to create a permissioned blockchain for processing in which the customer has to satisfy KYC (“Know Your Customer”) obligations, they may decide to be the data controller. The other banks will act as “miners” to validate the transactions and can be considered data processors.

Cross-border transfers

Although a permissioned blockchain may use appropriate safeguards for the transfer of data outside the EU (standard contractual clauses, binding corporate rules, codes of conduct, etc.), these safeguards are hard to implement in a public blockchain, where the data controller has no real control over the location of the miners. To comply with GDPR, permissioned blockchains should be favoured, as they allow better control over personal data governance, especially transfers outside the EU.

Any data processing operation shall be governed by appropriate contracts to ensure that cross-border data flows rest on appropriate safeguards; new systems may need to be purchased and implemented for this.

Addressing “Right to be Forgotten”

Because blockchain rests on the principle of “immutability of records”, any data in a blockchain transaction is virtually impossible to modify. Because of the way a blockchain is structured, data added to a public chain is there forever and cannot be altered. The information on the blockchain and the records entered into the distributed ledgers are publicly visible, tamper-proof, and immutable.

To be GDPR compliant under Article 17 (Right to be forgotten), all GDPR-sensitive information could be stored off-chain on distributed or cloud-based servers, with the corresponding hashes stored in the blockchain layer. The hashes are control pointers to the GDPR-sensitive data stored off-chain. These hashes are therefore not the user data that GDPR mandates to protect, but a pseudonymization of the original data.

Another way the blockchain can be architected is with distributed data storage: the personal data is kept on the user’s own device (think of cookie technology), metadata and hashes of that personal data are created, and the local data is referred back to through a third-party server or through the blockchain layer itself.

Addressing “data protection by design and default”

This is, according to my research, the most controversial point of all. Article 25 of GDPR, “Data protection by design and default”, refers to pseudonymization techniques for the data subject’s stored data. In GDPR, pseudonymization refers to a data management and de-identification process by which personal data in data records is replaced in such a way that the data cannot be attributed to a specific data subject without the use of additional information.

Hashing is considered a pseudonymization technique in blockchain, but it is not anonymization. Once the data linkage is established, the hash itself is no longer considered personal data, and if this linkage is deleted it will comply with Article 17 (Right to be Forgotten). The other analysis is that, even with cryptographic hashes, the data can still be linked back to the original personal data by way of a cyberattack.
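The off-chain pattern from the previous section and the hash-linkage point above, as an added Python example that is not part of the original article: personal data lives in an erasable off-chain store, only a keyed hash (HMAC-SHA256 with a per-subject secret key) is written to an append-only ledger, and erasing the record together with its key leaves an on-chain digest that can no longer be resolved or confirmed against a candidate value. The `Ledger` and `OffChainStore` classes and the subject identifiers are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

class Ledger:
    """Append-only list standing in for the immutable on-chain layer (illustrative)."""
    def __init__(self) -> None:
        self.entries: List[str] = []  # pseudonymous pointers only, never personal data

    def append(self, pointer: str) -> int:
        self.entries.append(pointer)  # deliberately no delete: the chain cannot be rewritten
        return len(self.entries) - 1

class OffChainStore:
    """Erasable store holding the personal data and one secret HMAC key per data subject."""
    def __init__(self) -> None:
        self.data: Dict[str, str] = {}                    # pointer -> personal data
        self.subjects: Dict[str, Tuple[bytes, str]] = {}  # subject_id -> (key, pointer)

    def resolve(self, pointer: str) -> Optional[str]:
        return self.data.get(pointer)  # follow an on-chain pointer, if the link still exists

def pseudonymize(personal_data: str, key: bytes) -> str:
    """Keyed hash: a candidate value cannot be matched to the pointer without the key."""
    return hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()

def record_on_chain(ledger: Ledger, store: OffChainStore, subject_id: str, personal_data: str) -> str:
    """Keep the personal data off-chain; only the keyed hash is written to the ledger."""
    key = secrets.token_bytes(32)
    pointer = pseudonymize(personal_data, key)
    store.subjects[subject_id] = (key, pointer)
    store.data[pointer] = personal_data
    ledger.append(pointer)
    return pointer

def erase(store: OffChainStore, subject_id: str) -> bool:
    """Article 17 handling: delete the off-chain record and its key; the chain is untouched."""
    if subject_id not in store.subjects:
        return False
    _, pointer = store.subjects.pop(subject_id)
    del store.data[pointer]
    return True

def can_confirm_link(pointer: str, candidate: str, key: Optional[bytes]) -> bool:
    """Whether a party holding a candidate value can confirm it sits behind the pointer."""
    if key is None:  # key destroyed with the record: the digest is no longer linkable
        return False
    return hmac.compare_digest(pointer, pseudonymize(candidate, key))
```

With an unkeyed hash of a low-entropy value such as an e-mail address, anyone holding that value could recompute and match the pointer; the per-subject key is what makes deleting the link meaningful.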

In this situation, the data controller should assess whether the use of blockchain technology provides an appropriate structure for the data processing. A Data Protection Impact Assessment should then be carried out to identify the risk to the personal data being collected if a blockchain is used. It is also suggested that a private permissioned blockchain be used instead of a public permissionless blockchain, as the private permissioned structure gives the data controllers more control over the personal data.

Conclusion

Although the concepts and objectives of GDPR and blockchain seem to run opposite to each other, there are ways in which both can coexist. Blockchain can help remove the tension that exists in traditional business processes. This article has discussed the compliance steps a blockchain can follow so that it can coexist with GDPR. Blockchain is not a solution to all GDPR challenges, but it can help control the use of personal data. With the changing world, it is time that both find a way to coexist rather than repel each other.
