Can blockchain co-exist with GDPR?

On May 25, 2018, a new privacy law came into force in Europe GDPR, or General Data Protection Regulation, and it gives EU citizens control over their personal data and what happens to it. That’s why you are bombarded with popups asking for your permission to collect and process your personal data. For the same reason e-mail newsletters ask you if you’re still interested in them and why many companies are suddenly making it easier to grab a copy of the data you have.

Companies around the world are rushing to make sure they comply with the GDPR because otherwise, they run the risk of paying hefty fines. However, blockchain technology is changing everything, so what happens when a blockchain contains personal data? The problem with blockchain data is:

  1. Open

  2. Transparent

  3. That is, immutable. Data stored in the blockchain cannot be changed or deleted.

These are features of this technology that cannot be changed and at the same time do not look very good for applying privacy.

Understand general data protection regulations

Before diving into GDPR compliance, let’s understand some commonly used terms:

  1. Data controller – Under EU law, companies that store your data are known as data controllers. Common examples would be Facebook, Google, Apple etc.
  2. Data processor – Companies that work to analyze your data are known as data processors. For example, Google Analytics, Moz Analytics, Socialblade, etc.

In most cases, the data controller and the data processor are the same entity, however, the burden of complying with GDPR rests on the data controller. Let’s make a note here, GDPR is effective only when personal information of EU citizens is involved. Any company that stores information on EU citizens must comply with regulations, including Facebook or Apple.

As stated in EU law Personal information is any information relating to an identified or identifiable natural person (‘data subject’); An identifiable natural person is one who can be directly or indirectly identified, especially a reference to an identifier such as a name, an identification number, location data, an online identifier or physical, physiological, physiological, genetic, mental, economic, Cultural or social identity. This is a broad definition, which means any data such as an IP address, a Bitcoin wallet address, a credit card or any exchange, if it can be linked to you directly or indirectly, can be defined as personal data.

3 GDPR articles that conflict with the blockchain feature

GDPR has three articles, Articles 16, 17 and 18 that make life difficult for companies planning to use a distributed laser network to conduct their business.

  1. Article 16: This GDPR article allows EU citizens to modify or modify the data in your data controller. You can not only change the existing data they have, but you can add new data if you think the current data is incorrect or incomplete. The problem is, on a distributed network, adding new data is not a problem but changing it.

  2. Article 17: This article refers to the “right to forget”. It is not possible to delete data from blockchain and therefore this article immediately conflicts with data protection regulations.

  3. Article 18: This article refers to the “right to restrict processing”. Basically, it prevents companies from using your data if the data is incorrect or if it is collected illegally.

One of the main concerns of a blockchain is that they are completely open, so anyone can get a copy of your data and do whatever they want with it. So, you have no control over who is processing your data.

Possible coexistence solution!

Pairing – A popular solution is to encrypt personal data before storing it on a distributed network. This means that only those who have the decryption key will be able to access the data. The moment this key is destroyed, the data becomes useless. This is acceptable in some countries, such as the UK, but there are others who argue that strong encryption is still the opposite. With the advancement of computing, it is only a matter of time before encryption can break down faster and personal data will be available again. The debate over encryption is still ongoing.

Permission Blockchain – In a public chain, anyone can put new data in the chain and the data is visible to everyone. However, in a permission blockchain, access is controlled and only a few known and trusted parties are granted. The network that distributes this permission complies with Article 18. But unfortunately, it does not comply with Article 17, and the right to forget. Even in a permission chain, the data is still unchanged and cannot be deleted or edited. One possible solution is to store data on a secure server with read and write access. We then save a reference to that data in our blockchain via a link using a hash function. We can save this hash in the blockchain. Hash functions are popular for verifying the integrity of files on our secure servers. Also, hash functions cannot be reverse engineered to express data. If we delete the server’s data, the hash function becomes useless and no longer becomes personal data.

This is not an elegant solution because blockchains are used because they are decentralized and you are back to centralization using a secure server.

Zero Knowledge Proof- Zero-6 Knowledge Protocol is a method by which one party (advocate) can prove to the other party (verifier) ‚Äč‚Äčthat they know the value of x, they know the value of x without giving any information. This is perfect for verifying things like age-gates for example without disclosing birthday information with data collectors. Evidence of zero knowledge could be a possible solution to GDPR outside the blockchain.