GDPR: the good excuse to finally stop your Blockchain projects?
GDPR is here.
Now that it is established, benevolence and the presumption of innocence enjoin us to consider that everyone is in order, unless proven otherwise. We can once again dive into our digital transformation projects… Our access management is compliant, our databases are in order, nothing can stop us! To infinity and beyond!
“By the way, did anyone consider the Blockchain projects? Don’t we have a problem here?”
“Let me get this straight… GDPR is the thing where you have to appoint a ‘Process Manager’, who is legally accountable for the data?” (See article 4)
“And is Blockchain not a totally decentralized technology without governance?”
For private Blockchains, which are mostly used for industrial purposes, the consortium’s CDO will assume this responsibility.
But for public Blockchains (like Ethereum), the question does arise… No one is formally appointed. So who is accountable for compliance with the GDPR rules? The Smart Contract developers? The miners? The users who initiate transactions?
No obvious answer… and one would even be tempted to dodge this responsibility with a technical pirouette, stating that the Blockchain is not an Information System nor a database, but a protocol, just like HTTP, and as such cannot be held responsible, just as a router is not accountable for the internet traffic it relays.
But if a name must be put forward, accountability probably lies with whoever initiates the transaction. Just as this initiation implicitly validates the user’s consent (which also matters for GDPR, by the way), the user, as initiator, implicitly takes responsibility for the data transferred within the Blockchain.
The right to be forgotten?
“GDPR is the thing where we committed to delete any user’s data on a simple request?” (See article 17)
“And is Blockchain not the revolutionary technology that stores any input data forever?”
Blockchain natively generates some kind of anonymity through the asymmetric cryptography on which it is built. A user does not broadcast his identity in transactions, but a public key. One might think that we are compliant with GDPR since it would then be impossible to directly or indirectly identify a physical person…
Well… no… Actually, what we have at best is a kind of anonymisation, but nothing prevents anyone from tracing a public key back to its owner by cross-referencing, just as an IP address can be traced back to its owner.
Furthermore, nothing prevents anyone from storing explicit personal data in Smart Contract variables!
So the “right to be forgotten” issue is a real one.
So, how do you erase personal data that has been stored in a Blockchain?
Well… you don’t… Once it has been validated in a block, this data is immutable: it cannot be erased.
So you have to use tricks…
There are technical solutions that can work around the “personal data stored on a Blockchain” issue: just don’t store it!
We can design solutions based on a “Blockchain Layer 2”, which lets us store on the Blockchain not the data itself, but a digital footprint (hash) of the data. The data itself remains off-chain, in a standard database where we can apply the GDPR recommendations: data deletion, time-limited storage, etc.
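The off-chain pattern described above, as an added Python example that is not code from the original post: only a footprint is anchored on the ledger, the data lives in a deletable store, and erasing the off-chain row is what makes the anchored footprint useless. OffChainStore and Ledger are hypothetical stand-ins, and the salted commitment goes one step beyond the plain hash mentioned in the text.

```python
import hashlib
import secrets

# OffChainStore and Ledger are hypothetical stand-ins for a real database
# and a real chain, present only so the pattern runs offline.

class OffChainStore:
    """Ordinary, deletable database holding the personal data itself."""
    def __init__(self):
        self._rows = {}

    def put(self, record_id, data, salt):
        self._rows[record_id] = (data, salt)

    def get(self, record_id):
        return self._rows.get(record_id)

    def erase(self, record_id):
        """GDPR deletion happens here, off-chain; the chain is untouched."""
        self._rows.pop(record_id, None)

class Ledger:
    """Append-only stand-in for the chain: entries can never be removed."""
    def __init__(self):
        self.entries = []

    def append(self, commitment):
        self.entries.append(commitment)
        return len(self.entries) - 1

def commit(data, salt):
    """The footprint that goes on-chain: SHA-256 over a secret salt plus the
    data. Without the salt, a hash of a guessable value (an e-mail, a name)
    could be matched by hashing candidates and so stay personal data."""
    return hashlib.sha256(salt + data).hexdigest()

def anchor(store, ledger, record_id, data):
    """Keep the data off-chain; anchor only its commitment on-chain."""
    salt = secrets.token_bytes(32)
    store.put(record_id, data, salt)
    return ledger.append(commit(data, salt))

def verify(store, ledger, record_id, index):
    """Proof of existence holds only while the off-chain row still exists."""
    row = store.get(record_id)
    if row is None:
        return False
    data, salt = row
    return ledger.entries[index] == commit(data, salt)
```

After erase(), the ledger entry is still there, as on a real chain, but it can no longer be linked to the person.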
We can also rely on “Zero Knowledge Proof” cryptographic protocols, which provide proofs without disclosing the underlying knowledge: we store the data on a Blockchain while ensuring that no one has access to it, and yet the user can provide evidence that this data exists if needed. Use cases exist but remain difficult to define as of today.
Blockchain is not incompatible with GDPR. On the contrary, its fundamental concepts (transparency, encryption and integrity) make it an ideal tool for GDPR requirements.
However, the “right to be forgotten” issue remains and must be addressed upstream in the project design, in order to establish a compliant architecture.
So keep your Blockchain projects going, nothing can stop you!