The General Data Protection Regulation (GDPR) is due to come into force in May 2018; for blockchain technology this may pose a mighty obstacle. One aspect of the GDPR is that enterprises are required to erase the personal data of EU citizens who request this.
The big issue is, therefore: do blockchains process personal data? Prima facie, one of the assets of blockchains has the potential to become an acute vulnerability. With hundreds of apps being built on Ethereum, Hyperledger Fabric, will these investments require reconsideration?
The Hogan Lovells’ view
In a blog from last September, the solicitors Hogan Lovells argued that “Blockchain technology could herald a data revolution, but big questions remain about how it will co-exist with privacy legislation, particularly when it comes to the use of personal information. Blockchain is a type of distributed ledger technology (DLT) that enables a shared ledger to be maintained by multiple parties and updated simultaneously. This shared information can be used to record transfers of property, receipts, transactions, and more. It is typically intended to be immutable, so that it can only be altered by consensus among the participant.
“Herein, lies the problem: a fundamental tenet of DLT is the immutability of the data in the distributed ledger. The data cannot be changed once it is validated and bound to the ledger, moreover, the data in the ledger will persist for as long as the system exists. With ledgers being distributed across a network, and in many cases openly available to all network participants, it is imperative to carefully consider any potential privacy concerns with the data that is being stored in it.”
The use of personal data
Personal data is any information relating directly or indirectly to a ‘living natural person’. The key is not whether this actually identifies them but whether it makes them identifiable. To determine if GDPR applies, enterprises must evaluate if data which can be regarded as personal goes onto a blockchain.
The nature of public blockchains – like those underpinning Bitcoin or Ethereum – is every transaction added to a blockchain publishes to the outside world for all to see. The data links via a public key which belongs to a particular user.
As Hogan Lovells put it: “that key is encrypted so that no-one who views the blockchain would be able to directly identify the individual or corporate entity that represents the user. However, the re-use of the public key enables individuals to be singled out by reference to their public key, even if they cannot be directly identified. Indeed the very purpose of the public key is to single out the authors of a given transaction, to ensure that transactions are attributed to the correct people.”
The problem (according to Hogan Lovells)
“The public key, when associated with an individual, will likely qualify as personal data for the purposes of European data protection legislation. Some newer blockchain technologies permit the public key not to be published, which may alter the analysis.
“When the public key is visible, it could be possible to attain information that enables an individual to be identified, either because it is held by the service provider or because someone is able to connect a public key to an individual or organisation, (for example, through their IP address or its connection with a website). At that point, all transactions that the relevant individual has made are publicly available.
“In 2014, the Article 29 Working Party – a group made up of is made up of representatives from data protection authorities of each EU Member State, the European Data Protection Supervisor and the European Commission – provided guidance on the difference between pseudonymised and anonymised data in its Opinion 05/2014 (WP 216). “This distinction is important in relation to blockchain as data protection rules do not apply to anonymised data; as such data cannot be traced back to a living individual.
“However, the threshold for data to qualify as anonymised is very high. The guidance states that ‘anonymisation results from processing personal data in order to irreversibly prevent identification.’ Data controllers must have regard to all means likely reasonably to be used for identification (either by the controller or any third party). Because hashing permits records to be linked, hashing will generally be considered a pseudonymisation technique, not an anonymisation technique.”
At this point it is worth throwing in a the differentiation between public (decentralised) and permissioned (usually private) blockchains:
- in a private blockchain, GDPR compliance would appear to be the responsibility of the deploying enterprise or organization
- for decentralized and public blockchain applications, the issue becomes still more complicated: is it the responsibility of every user who adds data, especially personal data, to the distributed ledger to ensure this is GDPR compliant?
In one sense this differentiation matters: it is clearer who has responsibility. Conversely, it doesn’t assist the root problem – how to remove personal data.
What does this mean
GDPR imposes high standards. Until the last week or so, many outside the EU (most notably in the USA) complained that GDPR sets too high a standard. With the Cambridge Analytica/Facebook revelations, the whole privacy bucket has upended, in favour of more privacy.
Until now, the conflict between GDPR and blockchain was, with notable exceptions like the Hogan Lovells contribution, relegated to a problem for the future. Now this conflict is back on the table, which means that enterprises are going to have to ask more profound questions about any data they propose to place on a distributed ledger (blockchain).
If it is possible to trace encrypted personal data back to a person, encrypted data would seem to qualify as personal – and not as anonymous. This suggests – unless the EU makes exceptions from GDPR specifically for blockchain technologies, which seems improbable though regulation always chases actual practice – that in most instances the GDPR privacy rules will apply to at least some of the data involved in blockchain systems. Assessing the impact will require investment, or risk legal action.
For a final technological thought, imagine how you might remove personal information from an immutable record (without forking). That is the issue. If you can do this, then the record is no longer immutable…
A GDPR blockchain conflict may yet prove to be a technological confusion to rival the practical one which Brexit represents.