
Can GDPR handle blockchain’s privacy problem?

(Image credit: StartupStockPhotos / Pixabay)

Blockchain is rising fast on the global agenda. Some of the world’s leading names in politics, economics, technology and business have sung its praises. But whether it really will revolutionise our banking system, up-end global supply chains or replace fiat currency remains to be seen. What we do know is that blockchain holds enormous potential, but also that it faces several significant hurdles. In particular, its potential conflict with current privacy regulation is coming under scrutiny.

New tech comes up against new legislation

The General Data Protection Regulation (GDPR) became law across the EU in May 2018 and has already had a significant impact on the way that businesses and the public sector relate to their customers and deal with their data.

Although the legislation has been designed to enable ‘its application to any technology’, the GDPR has real difficulties reconciling with blockchain. The way that blockchain works is actually relatively simple. Blockchains are ‘chains’ of code units called ‘blocks’, which are special cryptographic designations of data. Each block includes a hashed form of the previous ‘block’ of data, a hashed form of the multiple transactions contained within the block and a corresponding timestamp. Because blocks are linked through hashes, changing information on a blockchain is extremely difficult and would only happen in extraordinary circumstances. 

Blockchain may appear to be GDPR-friendly, but there are some fundamental elements that are complicating the issue. One is whether these blocks should be covered by the remit of the GDPR at all. The regulation covers the personal data of people online, but it seems a bit of a stretch to consider hashed blocks of data as personal data in the same way as someone’s name, address, medical history, social networks or profession, for example.

At the same time, these blocks could disclose personal data indirectly if the hash function’s ‘secret key’ were revealed, which allows for the information to be reverse-engineered and gleaned from blocks. This means individuals may be identifiable and so, as far as the GDPR is concerned, blockchains are likely to involve personal data processing.

The lack of ‘legal certainty’ (to use the EU’s term) around the GDPR’s application to blockchain may be slowing important progress in developing the technology. And this uncertainty is only being amplified by the variety of blockchain technologies emerging. Cryptocurrencies like Bitcoin and Ethereum, for example, run on public ‘permissionless’ networks that anyone can conceivably access, while Sovrin or Ripple’s network owners can decide who can and can’t enter.

The issues of distribution and non-deletion

Beyond these problems, the European Parliament has identified two core features of blockchain that may prevent a reconciliation. The first, and perhaps most important, issue is blockchain’s so-called ‘distributed ledger’, which means that an identical blockchain record is usually in the hands of every member of the network.

Blockchain’s proponents argue that this ledger gives a natural safeguard against data abuses and a constant check on how user information is handled. Equally, though, such an approach complicates how regulation is supposed to categorise the usual agents involved in a transfer of data. The GDPR assumes that there is always a ‘controller’, against whom data subjects can enforce their data protection rights, with accompanying ‘processors’ potentially involved to manage the data on the controller’s behalf.

When blockchain has no single centre of control, how can we define each member appropriately? And when data abuse does occur, how can we determine who should be accountable? The European Parliament has called such a task ‘burdensome’, particularly in the light of the GDPR’s concept of ‘joint controllership’, which applies when two or more controllers together decide how personal data should be processed.

Another apparent problem is blockchain’s ‘immutable record’. As well as typically giving all network members access to the record, the blockchain’s hashing means that every block is extremely difficult to delete or modify once it has been added. Two of the central principles of the GDPR are ‘data minimisation’ and ‘purpose limitation’, which mean that any personal data stored and processed should be kept to the practical minimum required to conduct an organisation’s commercial and technical affairs. But given the difficulties of deleting blockchain data, the ledger will grow continuously into the future so long as additional information is added and it is duplicated across new computers and nodes in the network.

What’s more, blockchain seems equally ill-at-ease with the GDPR’s high-profile “right to be forgotten”, which allows data users to request the deletion of their personal data in some situations and limits the length of time it can be stored for.

Finding solutions

Solving blockchain’s privacy quandary will be a challenge regulators and technicians are likely to want to resolve. For the immutable record in particular, one answer could be to delete the methods that allow verification to take place. By deleting a hash function’s secret key, for example, the blockchain’s stored data would become practically inaccessible.

Another approach could be to carve personal data from the blockchain and store it in separate, off-chain data centres. This could be supported through applying separate encryption on the personal data. And while these approaches may not amount to a wholesale ‘erasure’, they could be sufficient to satisfy regulators.
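The two approaches above can be combined, as in this added sketch (not code from the article or from any blockchain project). It assumes the ‘secret key’ is a per-record HMAC key held off-chain with the personal data; the names Ledger, add_record, verify and erase are hypothetical, and the sample records are constructed.

```python
import hashlib
import hmac
import json
import secrets


def block_hash(block):
    """SHA-256 over the whole block: previous hash, timestamp, transactions."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Hypothetical ledger: `chain` is replicated; `off_chain` stays with the controller."""

    def __init__(self):
        self.chain = []
        self.off_chain = {}  # record_id -> (secret key, personal data)

    def add_record(self, record_id, personal_data, timestamp):
        key = secrets.token_bytes(32)  # per-record key, never written to the chain
        tag = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
        self.off_chain[record_id] = (key, personal_data)
        prev = block_hash(self.chain[-1]) if self.chain else "0" * 64
        self.chain.append({"prev": prev, "timestamp": timestamp,
                           "tx": [{"id": record_id, "tag": tag}]})

    def chain_valid(self):
        return all(self.chain[i]["prev"] == block_hash(self.chain[i - 1])
                   for i in range(1, len(self.chain)))

    def verify(self, record_id, claimed):
        """True/False while the key exists; None once it has been erased."""
        if record_id not in self.off_chain:
            return None
        key, _ = self.off_chain[record_id]
        tag = next(tx["tag"] for b in self.chain for tx in b["tx"]
                   if tx["id"] == record_id)
        expected = hmac.new(key, claimed.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def erase(self, record_id):
        """Delete key and data off-chain; the on-chain tag is left untouched."""
        self.off_chain.pop(record_id, None)


def demo():
    ledger = Ledger()
    ledger.add_record("r1", "Alice Example, 1 Constructed Street", 1)  # constructed data
    ledger.add_record("r2", "Bob Example, 2 Constructed Street", 2)
    before = ledger.verify("r1", "Alice Example, 1 Constructed Street")
    ledger.erase("r1")
    after = ledger.verify("r1", "Alice Example, 1 Constructed Street")
    return before, after, ledger.chain_valid()
```

After erase the hash links between blocks still validate, because no block was modified; only the means of tying the on-chain tag back to a person is gone.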

France’s data protection watchdog has recommended that blockchain developers avoid using full permissionless formats for their networks. This would isolate the public’s access to any information and create a space for careful agreement among the members on their data responsibilities. As a broader approach, the watchdog even suggested that developers should seek ‘other solutions’ where possible until legal clarification has been reached.

Although the GDPR is a principles-based regulation, striking the appropriate balance of blockchain development and user privacy will require pragmatism. Indeed, more than any practical conflict between the two, the real issue may be the distinct lack of regulatory guidance. What is clear is that blockchain developers are currently operating in a precarious legal space and, in the absence of confirmation about how the GDPR principles should be applied to blockchain technologies, a lot of innovation may be running the risk of future compliance hits from regulators.

Whatever outcome is pursued, clarity and a pragmatic approach are needed soon, but swerving too far to either side risks a hit either to privacy or to economic potential.

Paul Knight, Partner, Mills & Reeve

Paul is a partner specialising in technology and commercial law, including data protection. He advises on commercial contracts, software licensing, e-commerce and GDPR compliance, amongst other things.