This article was published on March 26, 2018

Blockchain is on a collision course with EU privacy law


Blockchain is on a collision course with EU privacy law

Those who have heard of “blockchain” technology generally know it as the underpinning of the Bitcoin virtual currency, but there are myriad organizations planning different kinds of applications for it: executing contracts, modernizing land registries, even providing new systems for identity management.

There’s one huge problem on the horizon, though: European privacy law.

The bloc’s General Data Protection law, which will come into effect in a few months’ time, says people must be able to demand that their personal data is rectified or deleted under many circumstances.

A blockchain is essentially a growing, shared record of past activity that’s distributed across many computers, and the whole point is that this chain of transactions (or other fragments of information) is in practice unchangeable – this is what ensures the reliability of the information stored in the blockchain.

For blockchain projects that involve the storage of personal data, these two facts do not mix well.

And with sanctions for flouting the GDPR including fines of up to €20 million or 4 percent of global revenues, many businesses may find the ultra-buzzy blockchain trend a lot less palatable than they first thought.

“[The GDPR] is agnostic about which specific technology is used for the processing, but it introduces a mandatory obligation for data controllers to apply the principle of ‘data protection by design’,” said Jan Philipp Albrecht, the member of the European Parliament who shepherded the GDPR through the legislative process.

“This means for example that the data subject’s rights can be easily exercised, including the right to deletion of data when it is no longer needed.

This is where blockchain applications will run into problems and will probably not be GDPR compliant.”

Altering data “just doesn’t work on a blockchain,” said John Mathews, the chief finance officer for Bitnation a project that aims to provide blockchain-based identity and governance services, as well as document storage.

“Blockchains are by their nature immutable. The GDPR says you must be able to remove some data, so those two things don’t square off.”

There are two main types of blockchain: private or “permissioned” blockchains that are under the control of a limited group (such as the Ripple blockchain that’s designed to ease payments between financial services providers); and public or “permissionless” blockchains that aren’t really under anyone’s control (such as the Bitcoin or Ethereum networks).

It is technically possible to rewrite the data held on a blockchain, but only if most nodes on the network agree to create a new “fork” (version) of the blockchain that includes the changes — and to then continue using that version rather than the original.

That’s relatively easy on a private blockchain, if not ideal, but on a public blockchain, it’s a seismic and exceedingly rare event.

At least as the technology is currently designed, there is little to no scope for fixing or removing bits of information here and there on an ongoing basis.

“From a blockchain point of view, the GDPR is already out of date,” Mathews said. “Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user’s data, which is the opposite of what a permissionless blockchain does.”

Jutta Steiner is the founder of Parity.io, a startup that develops decentralized technologies, and the former security chief for the Ethereum Foundation. She agrees with Mathews that “the GDPR needs a proper review.”

“From a practitioner’s perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works,” Steiner said.

“The way [public decentralized network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it’s out, it’s out.”

“Given the stage where the technology is at, I think there’s time to hopefully adjust certain things in the GDPR,” Steiner added.

“I can’t see the regulators being so stubborn as to not adjust the regulation. … They’ll just see the other countries will use the technology and Europe is at a disadvantage.”

That seems unlikely to happen anytime soon.

The GDPR is a new regulation, and EU laws tend to last for a long time before revision — the Data Protection Directive that preceded the GDPR was drafted way back in 1995.

“Certain technologies will not be compatible with the GDPR if they don’t provide for [the exercising of data subjects’ rights] based on their architectural design,” Albrecht insisted.

“This does not mean that blockchain technology, in general, has to adapt to the GDPR, it just means that it probably cannot be used for the processing of personal data. This decision is the responsibility of every organization that processes personal data.”

Although the clash between the GDPR and blockchain technology has received little attention so far, it has occurred to some people.

The Interplanetary Database was, until its main funder recently pulled support, a project that aimed to build a blockchain-based database system – it was to be a sort of hybrid private-public blockchain, where the nodes in the network were preselected, but anyone could send transactions to the network or read the data stored on it.

According to IPDB Foundation co-founder Greg McMullen, the Berlin-headquartered team was well aware of the problems posed by the GDPR.

One problem, McMullen said, was the inability to modify or delete data stored in a blockchain. But there was another issue, too.

“The GDPR is written for a cloud services model where, say, I’m a startup and I collect restaurant order data and I store it all on Amazon Web Services, and they do my hosting for me, so I have to have a contract with Amazon that passes on my privacy obligations to them,” McMullen said.

“It works really well when there are one or two providers, but when you start having a decentralized network it breaks down entirely. You can’t have a contract with [all] the nodes on the Ethereum network. It’s unfeasible.”

So who actually is liable for data protection in a decentralized network?

After all, one of the big attractions of such networks is that they are resistant to censorship, because there’s no central body – no Amazon or Facebook – for enforcers to go after, and because the nodes or users that make up the network are scattered around the world.

According to Albrecht, if it’s a private blockchain, GDPR compliance is the responsibility of the organization that’s deploying it.

“For decentralized and public blockchain applications, it would be the responsibility of each user who puts personal data in the distributed ledger to ensure this is GDPR compliant,” the parliamentarian said. “Which in most cases it won’t [be].”

The liability issue will scare many businesses off using blockchains, McMullen warned. “It’s true that the regulations will need to catch up with the technology, but you have to be realistic about the fact that the GDPR is a real thing and it’s happening, and there will be enforcement of it,” he said.

“When you’re asking companies to use blockchains, they’re not going to take that risk with their customers’ data – or at least they shouldn’t be.”

According to McMullen, the IPDB Foundation had been working on various ideas for dealing with the data protection problem.

One was a system of “blacklisting” certain data so that, even if it wasn’t deleted from the network when this was required, it wouldn’t be served when requested.

Another idea was to only put “hashes” of personal data into the blockchain, rather than the data itself.

Hashes are mathematical derivations of data that, if properly implemented, cannot be reverse-engineered to expose the data that’s being represented – but you can use them to verify the underlying data, by repeating the hashing algorithm on that data and comparing the result with the stored hash.

With a blockchain of hashes, rather than the underlying data, it might be possible to delete the data without having to alter the blockchain.

That way, the blockchain might manage to be useful for verifying data while remaining GDPR-compliant, McMullen suggested.

Is it likely that regulators would crack down on this emerging sector, though?

McMullen, a lawyer, said the first enforcement targets would most likely be “the usual suspects — the Googles, Facebooks, Amazons,” but it “could be very easy for a regulator to decide to make a show of going after a blockchain company because it is a very hyped term.”

“As companies start understanding [the GDPR’s implications], we could see a real move to adjust to the laws by collecting fewer data and using the data in a way that doesn’t expose it to the public internet, such as with hashes,” McMullen said.

“In that way, the technology might adjust to the law as well as the law adjusting to the technology. It could, in the end, be very good for user privacy.”

This article was originally published by The International Association of Privacy Professionals: Policy neutral, we are the world’s largest information privacy organization. You can connect with them on LinkedIn here, or follow them on Twitter down here:

Get the TNW newsletter

Get the most important tech news in your inbox each week.