Facebook, Data Privacy, GDPR, and Blockchains

A blog post based on the paper, “The Application & Impact of the European General Data Protection Regulation on Blockchains”

Data privacy is trending…

With Facebook’s massive data breach affecting more than 87 million users in the headlines, it’s no surprise that companies are starting to review their own privacy policies just weeks before the European Union’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.

The stakes have never been higher for data privacy. Social media profiles hold a treasure trove of personal information. Inquirers may use internet protocol addresses, website tracking pixels, and cookie identifiers, combined with information received by servers, to track browser history and identify natural persons. The broader enterprise world has its own data privacy issues. In an age of more frequent major hacks (see this hack visualization), even information that consumers perceive to be private or siloed within a single company may abruptly become public due to bad actors and a lack of controls. The GDPR is part of a global backlash in reaction to these developments, meant to protect consumers and return more control over personal data to individuals.

Quick Primer on GDPR

GDPR’s purpose is to strengthen data protection for all individuals in the EU and provide them rights and controls over their own data. The regulation defines the responsibilities and authorities of a data subject (the individual), a data controller, and a data processor. An individual should be notified how their personal data will be processed and whether it will be processed outside of EU borders. Individuals are also provided with the “right to be forgotten”, which requires data controllers and data processors to delete personal data after the data is no longer necessary and record retention rules expire. The GDPR also introduces a new concept, “pseudonymization”. Pseudonymization is separating data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Several techniques, such as salted hash algorithms and data masking, constitute acceptable pseudonymization methods and are highly recommended in the regulation.
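A sketch of the two techniques named above, salted hashing and data masking, with the salt kept in a separate store as the “additional information”. This is an added example, not code from the paper or from R3; `SaltVault`, the field names and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def unsalted_hash(identifier: str) -> str:
    # Weak form: the same input always gives the same digest.
    return hashlib.sha256(identifier.encode()).hexdigest()

def salted_hash(identifier: str, salt: bytes) -> str:
    return hashlib.sha256(salt + identifier.encode()).hexdigest()

def dictionary_match(digest: str, candidates):
    # What anyone holding only the shared data can try: hash guesses, compare.
    return next((c for c in candidates if unsalted_hash(c) == digest), None)

def mask_phone(phone: str) -> str:
    # Data masking: keep the last two digits, star out the rest.
    remaining = sum(ch.isdigit() for ch in phone)
    out = []
    for ch in phone:
        if ch.isdigit():
            out.append(ch if remaining <= 2 else "*")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)

class SaltVault:
    """The 'additional information', stored apart from the shared records."""
    def __init__(self):
        self._salts = {}  # pseudonym -> per-record random salt

    def pseudonymize(self, identifier: str) -> str:
        salt = secrets.token_bytes(16)
        pseudonym = salted_hash(identifier, salt)
        self._salts[pseudonym] = salt
        return pseudonym

    def links_to(self, pseudonym: str, identifier: str) -> bool:
        salt = self._salts.get(pseudonym)
        return salt is not None and hmac.compare_digest(
            salted_hash(identifier, salt), pseudonym)

def pseudonymize_record(record: dict, vault: SaltVault) -> dict:
    shared = {k: v for k, v in record.items() if k != "email"}
    shared["subject"] = vault.pseudonymize(record["email"])
    shared["phone"] = mask_phone(record["phone"])
    return shared

# Constructed sample record, not real data.
SAMPLE = {"email": "alice@example.com", "phone": "+44 20 7946 0123", "amount": 120}
```

Because each record gets its own random salt, two records for the same person carry different pseudonyms, and a guessed e-mail address can only be confirmed by whoever holds the vault.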

Figure: GDPR Roles and Responsibilities (Source: R3)

Blah, blah, blah. Get to BLOCKCHAIN

A blockchain can’t close its eyes and make regulations go away – regulations are not optional even for magic internet money.  In recognition of this, companies aiming to implement blockchain technology have started inquiring about how blockchain’s “immutability” will be impacted by GDPR’s right to be forgotten – a rule that requires data controllers and data processors to delete client information after the information is no longer necessary.  The regulation applies equally to both public (such as Bitcoin or Ethereum) and enterprise blockchains (such as Corda or Fabric), though we will discuss the two separately.

1.  Is the current generation of public blockchains GDPR-compliant?  If there is personal information available publicly on a blockchain, and that information cannot be erased, then the answer is no.  The solution to stricter data privacy regulation is not to globally broadcast all data to everyone.

There are pseudonymization and data shielding techniques in place in several public blockchains, but this does not exempt you from complying with the arduous GDPR provisions. Public blockchains will have a tougher time complying with GDPR’s “right to be forgotten” requirements if personal information is propagated network-wide. Personal information on a blockchain would have to be anonymized to fall out of scope for GDPR.

2.  But what about enterprise blockchains?  Enterprise blockchains often discuss “immutability” and having a lasting “golden record” as well.  Does the current generation of enterprise blockchains address GDPR concerns? The answer depends on the architecture of the platform, what the blockchain is used for, and how personal information is stored or shared.

Enterprise blockchain platforms that have a data privacy focus, such as Corda, are better positioned for GDPR than those that begin by forking or adjusting a global broadcast architecture. Transaction information on Corda begins from a point to point communication system instead of a global broadcast model, so there is less data propagation, pseudonymous or not. The Corda team is currently exploring sophisticated anonymization techniques to comply with the “right to be forgotten” – a hurdle for all blockchains.  

Applications on Corda, known as CorDapps, may be designed so that personal data stays within a network and individuals can be assured their data is not replicated to the entire blockchain, a feature that distinguishes Corda from public blockchains.  Specifically, self-sovereign KYC solutions built on Corda can provide individuals 100% control over their personal data. This would ensure that the GDPR provisions allowing individuals to access and correct their personal data are fulfilled, and would provide a compliant solution to restrict data processing.  Other enterprise blockchains are likely enacting similar initiatives to address data privacy, though no others begin with the point-to-point approach.

What are the main takeaways?

  • New data privacy solutions have a tailwind with consumer sentiment and regulations such as GDPR (self-sovereign identity is a hot topic).
  • GDPR will be a challenge for the entire blockchain industry, though enterprise platforms with more flexibility regarding data privacy are better positioned.
  • Personal data can always be left off-chain, if need be.
  • Protect yourself – users should get in touch with their blockchain provider or technology expert to ensure their blockchain solution is GDPR compliant.