Some months ago, we all probably received tens of notifications from our service providers announcing changes to their privacy policies. Facebook, Google, Amazon, your phone provider, your supermarket chain (where you have a loyalty card) … They all needed to comply with something many of us had never heard about before but which became quite popular in a really short time: GDPR.
What is GDPR?
According to the official EU definition:
The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The key aspects of GDPR, as well as information on its business impact, can be found throughout this site.
GDPR User rights
In a nutshell, service providers need to take into account the following rights of EU citizens when collecting their personal data:
- Right of rectification: “The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement”
- Right to erasure (‘right to be forgotten’): “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”
- Rights related to automated processing: “The data subject shall have the right to obtain from the controller restriction of processing where some conditions applies”
- Right of access: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing”
Above all these rights, there is the obligation to request users' consent for collecting and processing their data. This consent should be “freely given, specific, informed and unambiguous” and the user has the “right to withdraw his or her consent at any time”.
GDPR Actors
When the EU defined these rules for GDPR, it assumed that it would be possible, in all cases, to identify 3 actors:
- Data subject: is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
- Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
The data controller therefore plays a major role here and bears the main responsibility for applying GDPR. However, as we will see, in the case of Blockchain products and services, it might not always be obvious who the data controller is.
What is Blockchain?
Blockchain is simply a decentralized database. It means that many actors keep a copy of information and can propose signed modifications or transactions that are then approved thanks to consensus mechanisms.
Blockchain technology has huge potential, as it allows information to be stored and transactions to be performed without the need for a centralized entity.
When Blockchain appeared, with Bitcoin, its main purpose was to disrupt banks and financial transactions. It also aimed to preserve the privacy of its users. All it needed to know to perform a transaction was the wallet addresses of the sender and the recipient. However, many improvements have been made since then. Thanks mainly to smart contracts, it is now possible to perform complex transactions involving much more data than just a wallet address.
Advantages of Blockchain
Thanks to this evolution of the Blockchain, many companies are starting to propose new services and products running on Blockchain. The benefits for them and for their customers are not negligible. According to IBM, these are the top 5 benefits of Blockchain:
- Greater transparency
- Enhanced Security
- Improved traceability
- Increased efficiency and speed (compared to traditional paperwork and contracts at least)
- Reduced costs
GDPR Compliant Blockchain
Considering the intrinsic characteristics of Blockchain, it seems, at first glance at least, difficult to imagine a GDPR compliant Blockchain. However, as nicely said in the ConsenSys report made on behalf of the European Union blockchain observatory and forum, “GDPR compliance is not about the technology, it is about how the technology is used”.
Private VS Public & Permissioned VS Permissionless
Bitcoin is the first application of Blockchain and it’s, without doubt, the most famous. Bitcoin uses a public permissionless Blockchain network. It means that anyone can join and participate in the network.
The majority of known Blockchain networks work the same way. However, in some cases, a Blockchain application can be:
- Private: The blocks are not visible to everyone. An authority is responsible for providing access to some users or entities. For example, many banks and enterprises are experimenting with or running private Blockchain-based solutions.
- Permissioned: The Blockchain can be private or public (anyone can see the blocks). However, an authority grants permission to some entities to validate and run the network. For example, Ripple is using a permissioned Blockchain.
Who is the data controller in a Blockchain?
In the case of a private and/or permissioned Blockchain network, it seems obvious that the Authority controlling the access should be considered as the data controller.
In the case of a public Blockchain, however, it is a bit more tricky. The answer to the question is (drum roll): We don’t know yet! Indeed, in a public permissionless Blockchain, this question is still being debated.
While almost everyone agrees that developers of the Blockchain network (Ethereum for example), the nodes (including miners) and the users (the ones requesting transactions) cannot be considered as data controllers, there is still a debate about the smart contract publishers. Indeed, behind smart contracts, there are usually entities and startups proposing a service for which they might need to collect personal data.
Blockchain and Personal data
Should companies store their customers’ unanonymised names, addresses, phone and credit card numbers in a public Blockchain? The answer is clearly “NO! Don’t even think about it!”. It would be the equivalent of Facebook cancelling all their data privacy settings and allowing everyone to see everyone’s data.
But personal data, according to GDPR, are not only data that are obviously linked to the identity of a user. The definition is much wider than this and concerns “any information relating to an identified or identifiable natural person”. If we really want to apply this definition strictly, even wallet addresses and encrypted or hashed data can be considered personal data if the techniques used are not strong enough to prevent hacking or pattern analysis.
Blockchain and data subject rights
As seen before, one of the main issues with GDPR application in a public Blockchain network is how to identify the data controller. If this entity is not clearly defined, it seems difficult for data subjects to exercise their GDPR rights. For example, who are they giving their consent to? Who should they contact to request their right of access or right to data erasure (if there is any way to erase data from the Blockchain)?
In addition, because many Blockchain projects are developed by open source communities, nothing (and no one) can guarantee that the solution will follow “data protection per design”.
Blockchain and GDPR: The impossible love?
Indeed, it seems impossible to comply with GDPR when using Blockchain. But as said above, there is no GDPR compliant technology. It all depends on how the technology is used.
One needs to keep in mind that the technology is not mature yet. There are and will be a lot of non-GDPR compliant implementations out there. But many actors are deploying huge efforts to standardize the usage of Blockchain. We also think that more effort is needed on the regulatory side to adapt GDPR to Blockchain specificities, for example by adding alternatives when data controller identification is not possible (or not easy), or by describing “Blockchain-compatible” ways to delete data (encryption and key destruction, for example).
In the meantime, the previously mentioned report provides some great principles that Blockchain solution entrepreneurs and designers should try to follow to avoid any GDPR breach.
Principle 1: Start with the big picture: how is user value created, how is data used, and do you really need blockchain?
Principle 2: Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption and aggregation techniques in order to anonymise data.
Principle 3: Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
Principle 4: Continue to innovate, and be as clear and transparent as possible with users.
To these principles we would add:
Principle 5: Integrate with secured Digital Identity solutions where users OWN their personal data. Use and process the data they provide you access to only when needed and in all transparency.
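The warning above about hashed data and Principles 2 and 3 can be made concrete with a short Python sketch. It is an added example, not code from the ConsenSys report or from any Blockchain project; `OffChainStore`, its methods and the phone number are hypothetical and constructed. It uses a per-subject HMAC key as the on-chain commitment rather than encryption, so "key destruction" here means deleting that key together with the off-chain record.

```python
import hashlib
import hmac
import secrets

def plain_hash(value: str) -> str:
    """What a naive design writes on-chain: an unkeyed hash of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()

def reidentify(on_chain: str, candidates):
    """Pattern analysis in miniature: enumerate a small identifier space."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), on_chain):
            return candidate
    return None

class OffChainStore:
    """Hypothetical controller-side store: personal data and keys stay off-chain."""
    def __init__(self):
        self._records = {}  # subject_id -> (key, personal_data)
    def register(self, subject_id: str, personal_data: str) -> str:
        """Store the data off-chain; return the only value that goes on-chain."""
        key = secrets.token_bytes(32)  # fresh random key per data subject
        self._records[subject_id] = (key, personal_data)
        return hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
    def verify(self, subject_id: str, claimed: str, on_chain: str) -> bool:
        """Check a claimed value against the on-chain commitment."""
        record = self._records.get(subject_id)
        if record is None:  # erased or unknown subject
            return False
        expected = hmac.new(record[0], claimed.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, on_chain)
    def erase(self, subject_id: str) -> bool:
        """Erasure request: destroy key and data; the chain itself is untouched."""
        return self._records.pop(subject_id, None) is not None

# Constructed sample data: a phone number from a small, guessable range.
PHONE = "+32-470-000-123"
CANDIDATES = [f"+32-470-000-{n:03d}" for n in range(1000)]

def demo():
    store = OffChainStore()
    commitment = store.register("subject-1", PHONE)
    return {
        "plain_hash_reidentified": reidentify(plain_hash(PHONE), CANDIDATES),
        "commitment_reidentified": reidentify(commitment, CANDIDATES),
        "verifies_before_erasure": store.verify("subject-1", PHONE, commitment),
        "erased": store.erase("subject-1"),
        "verifies_after_erasure": store.verify("subject-1", PHONE, commitment),
    }
```

The unkeyed hash is matched back to the phone number by simple enumeration, while the keyed commitment is not, and once the key is deleted nobody, including the operator, can tie the on-chain value to the data subject again.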
Conclusion
In conclusion, it is all a matter of finding the right balance between these 2 statements:
- Regulators shouldn’t stop innovation
- Innovators shouldn’t ignore the data privacy of their customers.
One of Blockchain’s first purposes was to give back power to the people. It gave them financial alternatives where they didn’t need middlemen (banks) anymore to exchange value. The entrepreneurs and designers using Blockchain should keep this in mind. They should design a solution where customers will have full control of their personal data.
Khalid Belghiti
Khalid is an experienced project and product manager with a technical engineering background.
His passion for innovation and emerging technologies pushed him to co-found Scrypt.Media with Maike.
Together, they intend to help Startups and Enterprises bring to market their impactful and disruptive solutions.