The Regulator’s Dilemma: GDPR’s conflict with blockchain

GDPR aims to strengthen security and empower end users, much as blockchain technology does. So why is GDPR on a collision course with blockchain? Shashank Venkat sheds light on the subject.

The General Data Protection Regulation (GDPR), a landmark European data privacy regulation, came into effect on 25th May 2018. GDPR aims to strengthen privacy and data protection efforts in the European Union (EU) and offer a uniform set of regulations for businesses with customers in the region. While the legislation is well-intentioned, there are growing concerns that some provisions of GDPR are not compatible with blockchain technology. Will Europe’s newest regulation act as a roadblock to the hottest technology of the moment? Or can GDPR and blockchain find a middle ground and co-exist?

Key Provisions of GDPR

To understand GDPR and its implications for blockchain technology, it is necessary to understand some key provisions of the regulation first:
Privacy by design: Privacy needs to be inherent to systems and processes, and that includes the technological architecture used by businesses.
Right to be forgotten and data erasure: Organisations need to be able to delete personal data of EU citizens upon request (where there is no overriding legal reason to retain the data).
Explicit opt-in consent: Individuals are in complete control of their personal data, and companies need to seek explicit consent before processing their data.
Right of access: Businesses should be able to provide full details of the personal data being processed upon request.
Heavy non-compliance fines: Non-compliance with GDPR can result in penalties of up to 20 million Euros or 4% of worldwide turnover (whichever is higher), depending on the nature of the violation.

Basic Blockchain Concepts

A blockchain is essentially a distributed, decentralised ledger that keeps a permanent record of transactions in a secure, chronological and immutable fashion. Now, let’s look at some basic blockchain concepts before examining the conflict with GDPR:
Decentralisation: Decentralisation is the essence of blockchain technology – no central party or authority is in control of a (public) blockchain network. Blockchains utilise consensus protocols to validate transactions.
Immutability: Blockchains are immutable, meaning you cannot change or delete transactions once recorded on a blockchain. This is the biggest point of friction between blockchain and GDPR.
‘Permissioned’ blockchains and public blockchains: ‘Permissioned’ or private blockchains are controlled by a centralised group. Public blockchains are decentralised and not controlled by any one party.
Node: A blockchain is made up of nodes. Essentially, a node is a device connected to a blockchain network which supports the network by maintaining a copy of the blockchain.
Hashing: A cryptographic process that transforms data into an unreadable piece of information (called a hash), which can be stored on the blockchain.

Points of Conflict

With a host of new businesses now implementing blockchain technology, it is inevitable that blockchains will end up storing some amount of personal data, especially related to transactions. This problem gets magnified when dealing with public blockchains, since any entity in the world can host a node. However, GDPR puts a lot of accountability on data controllers, so who will be counted as the data controller in a decentralised public blockchain network? Who is really in control of this data?
Another big point where GDPR is at odds with blockchain is immutability. GDPR mandates that it should be possible for any personal data of EU citizens stored within a business to be deleted upon request (subject to there being no legal basis for retaining that data). However, as discussed above, immutability is a core idea within blockchain technology, without which it’s really just another database.
To illustrate this better, let’s take a look at an example. One of the big use cases for blockchain technology in the telecommunications industry is to replace the current process for managing roaming agreements. This will happen through smart contracts with other operators to keep the services efficient and cost-effective. Some of the benefits include faster identification of visiting subscribers, prevention of roaming fraud, along with claims and cost reduction. But how will telcos deal with requests for personal data to be deleted? Considering the conflict between the technology and the regulation, can blockchain achieve its full potential within the telecoms industry or other industries which will have similar concerns?

Are workarounds available?

There is a lot of debate about possible solutions to the GDPR-blockchain conflict. It’s fairly well accepted that in the case of private blockchain networks, GDPR compliance will be the responsibility of the organisation that controls the blockchain. The murkier space is public blockchains, where some experts have suggested that the onus should be on the user to see whether a network is compliant with GDPR. However, that would be the case with most public blockchains at the moment, and it is not viable to have a data processing arrangement with each node on the blockchain.
As far as personal data removal is concerned, one solution is off-chain storage of personal data which means that it is kept separate from the blockchain itself. While this does negate some of the unique characteristics and benefits of blockchain technology, it allows for removal of personal data upon request and therefore supports compliance with GDPR.
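An added sketch of the off-chain pattern described above (not code from the article or from any blockchain project): personal data and a per-record random salt live in an erasable store, and only a keyed hash of the data is written to the chain. The class names, the `commitment` field and the sample subscriber are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def _tag(salt: bytes, personal: dict) -> str:
    # Keyed commitment: without the salt it cannot be rebuilt by hashing guesses.
    data = json.dumps(personal, sort_keys=True).encode()
    return hmac.new(salt, data, hashlib.sha256).hexdigest()

def _link(prev: str, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

class Ledger:
    """Toy append-only hash chain standing in for the blockchain (illustrative)."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": _link(prev, payload)})
        return len(self.blocks) - 1

    def verify(self) -> bool:
        prevs = ["0" * 64] + [b["hash"] for b in self.blocks]
        return all(b["prev"] == p and b["hash"] == _link(p, b["payload"])
                   for b, p in zip(self.blocks, prevs))

class OffChainStore:
    """Erasable store for personal data; only the commitment goes on-chain."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}

    def put(self, personal: dict, tx: dict) -> int:
        salt = secrets.token_bytes(32)  # per-record secret, kept off-chain
        idx = self.ledger.append({**tx, "commitment": _tag(salt, personal)})
        self.records[idx] = (salt, personal)
        return idx

    def matches_chain(self, idx: int) -> bool:
        onchain = self.ledger.blocks[idx]["payload"]["commitment"]
        return idx in self.records and hmac.compare_digest(_tag(*self.records[idx]), onchain)

    def erase(self, idx: int) -> bool:
        # Erasure request: drop data and salt; the chain itself is untouched.
        return self.records.pop(idx, None) is not None

def demo():
    store = OffChainStore(Ledger())  # constructed sample subscriber below
    idx = store.put({"msisdn": "+440000000000"}, {"event": "roaming_attach"})
    before, _ = store.matches_chain(idx), store.erase(idx)
    return before, store.matches_chain(idx), store.ledger.verify()
```

`demo()` returns `(True, False, True)`: the record checks out against the chain before erasure, can no longer be linked to it afterwards, and the chain still verifies because no block was changed.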

Another solution, proposed by the now-defunct IPDB Foundation, was ‘blacklisting’ certain types of data, which means that even though this data is present on the blockchain network, it wouldn’t be served when requested and is permanently inaccessible.

Blockchain and GDPR: The Road Ahead

The framework of GDPR was laid out before the rise of blockchain technology and it doesn’t seem sufficient to regulate this nascent industry. As Anne Toth from the World Economic Forum suggests, policy needs to be as flexible as technology. Regulators therefore need to have a layered and collaborative approach to policy making to ensure that innovation is not stifled by them, and flexible frameworks need to be built to realise the full benefits accorded by the newest technologies.
Europe has been the hotbed of the blockchain revolution, and it is sad to see entrepreneurs struggle amidst an uncertain regulatory environment. Let’s hope that common sense prevails, and European authorities take a practical approach to regulating blockchain technologies. In the short term, the best approach could be to let the industry self-regulate and come up with its own mechanisms to protect personal data. Blockchain-based start-ups can start by collecting fewer data points and implementing hashes to restrict exposure of personal data. Somewhere down the line, regulators can then consider appropriate amendments to GDPR to account for the unique characteristics of blockchains.
It is somewhat ironic to see blockchain and GDPR in conflict with each other when both are trying to do the same thing: decentralise control and empower users. Blockchain technology also improves transparency, trust and control – it just tackles these issues differently from GDPR. In that sense, it wouldn’t be an exaggeration to call blockchain and GDPR two sides of the same coin!