The European Union Blockchain Observatory & Forum (Forum) published a report about blockchain and the data privacy legislation GDPR. The assertion is that GDPR compliance is not about technology. Instead it’s about how the technology is implemented. Consensys produced the report on behalf of the Forum.
Many web business models are built on trading free services for personal information, consciously or not. Of late there have been issues with misuse of that personal data. And increasingly personal data can be lost through hacking.
Unfortunately, even though the report is published by an EU body, it's not definitive, since only data protection authorities or the courts can rule conclusively.
Who controls the data?
The authors noted that it’s easier to comply with GDPR on private or permissioned networks. One of the reasons is that GDPR was formulated prior to blockchain gaining profile and assumes that data is controlled by identifiable actors.
Hence it specifies that there must be a data controller that has certain obligations. For example, they have to respond to requests from an individual to delete their data. With a private blockchain, assigning a data controller is viable. But permissionless blockchains seek to decentralize, so identifying a controller is tricky.
As a result, some blockchain services shut down when GDPR came into force in May. For example, Parity, run by Ethereum co-founder Gavin Wood, shuttered a KYC solution. The main reason given was that it would require too much work to make the project compliant and it wasn't a high priority initiative.
This reinforces the earlier point that it’s a matter of how the project is implemented.
So the question for a public blockchain is: who controls the data? It seems it's not the software developers. The node operators are more involved, but they're unlikely to be considered controllers either. If a network user submits personal data to a blockchain as part of a business activity, then they're likely to be considered a data controller. Another possible controller is the smart contract publisher, though the report concluded that would be judged on a case-by-case basis.
Anonymising personal data
GDPR is only relevant to identifiable personal data. So it doesn’t apply to anonymised data but the bar is set high. The anonymisation must be irreversible. Pseudonymous data is still subject to GDPR.
It's generally accepted that personal data should never be stored on any blockchain unencrypted. When it comes to anonymising data for GDPR, there's a risk that the anonymised data can either be reversed or be linked to other identifiable data.
Public / private key cryptography is commonly used in blockchains. While public keys may look undecipherable, there's the potential to link them back to an identity, hence they're considered pseudonymous.
If an exchange executes transactions on behalf of a client, then the client’s identity is protected. Ring signatures allow multiple parties to sign a transaction, but nobody knows which one. While not stated in the report, ring signatures look like they could pose some GDPR risk.
There are two main ways to obfuscate data. One is encryption, where the holder of the encryption key can decrypt the data. Because this is reversible, it's considered personal data for GDPR. Another option is hashing, which creates a unique, undecipherable fingerprint of whatever data is being hashed. This one is apparently a grey area for GDPR. The report also explores other options.
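To make the hashing "grey area" concrete, here is an added example (not from the report or the article) that runs the check a data protection assessment would run on an obfuscated identifier: can anyone with a list of plausible inputs reverse it, and does the same input always produce the same output so records can be linked? It contrasts an unkeyed SHA-256 hash with an HMAC keyed hash, a mitigation the article itself does not name; the e-mail address, guess list and key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample: a low-entropy identifier of the kind that ends up on-chain.
SAMPLE_EMAIL = "alice@example.com"
# Constructed guess list standing in for any public list of e-mail addresses.
GUESS_LIST = ["bob@example.com", "alice@example.com", "carol@example.com"]


def plain_hash(value: str) -> str:
    """Unkeyed SHA-256 fingerprint: deterministic, so anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256: still deterministic (so linkable), but only the key holder can recompute it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_from_guesses(fingerprint: str, guesses: Iterable[str],
                         key: Optional[bytes] = None) -> Optional[str]:
    """Return the guess whose fingerprint matches, or None.

    Models the assessment question: can a party holding a list of plausible
    inputs (and, optionally, the key) reverse the 'anonymised' value?
    """
    for guess in guesses:
        digest = plain_hash(guess) if key is None else keyed_hash(guess, key)
        if hmac.compare_digest(digest, fingerprint):
            return guess
    return None


def assess() -> dict:
    """Run the reversibility and linkability checks for both schemes."""
    key = secrets.token_bytes(32)  # held by the data controller only
    unkeyed = plain_hash(SAMPLE_EMAIL)
    keyed = keyed_hash(SAMPLE_EMAIL, key)
    return {
        # An unkeyed hash of a guessable value is reversed by anyone with a guess list.
        "plain_reversed": recover_from_guesses(unkeyed, GUESS_LIST),
        # Without the key an outsider cannot even test guesses against the keyed hash.
        "keyed_reversed_without_key": recover_from_guesses(keyed, GUESS_LIST),
        # The key holder can, so the result is pseudonymous (still personal data), not anonymous.
        "keyed_reversed_with_key": recover_from_guesses(keyed, GUESS_LIST, key),
        # Same input, same output: records hashed the same way remain linkable.
        "plain_linkable": plain_hash(SAMPLE_EMAIL) == unkeyed,
    }
```

The result shows why neither scheme clears GDPR's irreversibility bar on its own: an unkeyed hash of a guessable identifier is trivially reversed, and a keyed hash is reversible by whoever holds the key.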
The authors set out a number of principles. Firstly, one should start with the big picture. How is user value created? How is data used? And is a blockchain needed?
Secondly, avoid storing personal data on a blockchain. Where possible use data obfuscation, encryption and other techniques to anonymise data.
Ideally, collect personal data off-chain. If a blockchain is necessary, then try to use a private permissioned one. And be careful with personal data if connecting between a public and a private blockchain.
Finally, continue to innovate and be as clear and transparent as possible with users.
In the last month two separate blockchain solutions were announced for handling private data between different companies. One is from the IAB in connection with advertising and consent. The other is from Fujitsu.