Is the blockchain compatible with the GDPR?
In recent years, two popular topics of conversation have been the General Data Protection Regulation (GDPR) and the blockchain. The GDPR is legislation which provides new protection for individuals in relation to their personal data. The blockchain is a variant of distributed ledger technology, which some people believe will create new business models, cut costs, and provide new ways of verifying identity.
The GDPR came into force in May 2018, and as such is still a relatively new and untested piece of legislation. It provides rights to individuals, such as the right to be informed about how their personal data is collected and used. Given that fines under the GDPR can be the greater of up to 4% of annual global turnover or €20 million, a breach of the rules can have serious consequences.
A blockchain is in essence a distributed database which stores records of transactions. When new transactions are confirmed by the network they are added in chronological order as new blocks on the chain. Each new block is cryptographically secured to the block before it, and the data stored within that block is then fixed and unalterable. This immutability is a key feature of blockchains, and one of the reasons why many argue that the accuracy of the data stored within them can be trusted.
In a public blockchain (such as that which underpins the most well-known cryptocurrency, Bitcoin), all members of the network have a copy of the database. This means that all the participants can see a record of all the transactions that have taken place within the network. In this way, a blockchain is thought to be highly resistant to tampering, as there is no single point of failure, and a majority of participants would need to collude in order to amend existing blocks. However, these features raise difficulties in relation to data protection legislation.
Firstly, the GDPR works on the principle that there is always a person or organisation acting as data controller. This is the body against which an individual would assert their rights if they were concerned about the processing of their personal data. As a blockchain is a distributed database held on many different computers, who is the data controller of any personal data contained therein? It has been argued that an individual user may be both the data controller of the data they upload to the blockchain, and also a processor of the data held on their computer. Where there may be hundreds or even thousands of such participants in a network, against whom does an individual enforce his or her GDPR rights?
Secondly, it is widely known that the GDPR provides individuals with a ‘right to erasure’, meaning in certain circumstances an individual can request that their personal data is erased. Given that information in a block is unalterable once it has been added to the chain, how would the right to erasure apply? Whilst subsequent transactions may be used to reverse a transaction that has gone before, this does not erase the information which has been fixed within a previous block.
When asked about data privacy, Andy Gray, co-founder of Manchester-based blockchain consultancy BlockRocket, had this to say:
“Some projects are creating new ways to verify transitions on public blockchains without displaying internal data or even the details of the transaction itself. This approach to privacy and anonymity would allow businesses to leverage the power of blockchain consensus without leaking information. Interestingly, proofs can be used on obfuscated data to verify the contents without knowing the internal information.”
In reality, blockchains can be public or private, permissioned or permissionless, and have a variety of use cases inspiring their development. Businesses looking to develop new services around blockchain technology should consider their data protection responsibilities at an early stage, to ensure their innovative blockchain project does not breach data protection legislation.