The Right to Be Forgotten (GDPR) vs Blockchain Technology
The General Data Protection Regulation (GDPR) is making the news again because it includes the so-called right to be forgotten, which many consider one of the main threats to the further development of blockchain technologies. On May 25, 2018, this piece of legislation enters into full force. Why is it so crucial for blockchainers to pay attention to it? And what is this “right to be forgotten” (also known as the right to erasure) anyway?
Well, exercising this right contradicts the very nature of blockchain technology. Since data stored in a public ledger cannot be edited or manipulated, honoring a request for erasure would be a huge challenge and, in practice, nearly impossible.
There is one thing you should know to understand the importance of this regulation – it is going to affect every company that processes and/or stores personal data of EU citizens, even if it is not registered in the EU and data processing occurs outside of the EU. With no further delay, let’s take a closer look at the right to erasure, GDPR compliance and blockchain to see our place in all of this.
What Is The Right To Be Forgotten?
Before we jump into the right to be forgotten and its peculiarities, we need to be on the same page regarding the following: the right to be forgotten is stated in GDPR, however, it is not the only novelty the regulation introduces.
A quick side note: unlike a directive, a regulation doesn’t require member states to pass any additional laws to enforce it, so compliance becomes obligatory for all companies starting from May 25.
Basically, the GDPR is meant to provide EU citizens with expanded digital rights regarding how their personal data acquired via the Internet is used and what it is used for. It imposes certain regulations on third-party companies that collect and process personal data of EU citizens.
Key changes that we need to take into consideration are:
expanded territorial scope: where it used to be quite ambiguous which companies the directive applied to, it is now clear. All data controllers (those who gather data) and processors (those who process data) that deal with personal data of EU citizens have to follow the GDPR, regardless of where the data processing takes place. Companies not established in the EU that monitor the behavior of EU citizens or offer them goods and services must follow the GDPR as well.
penalties: not following the GDPR will be costly, as fines can reach up to €20 million or 4% of the company’s global turnover. The maximum fines are reserved for the most serious GDPR violations, such as collecting and/or processing personal data without sufficient consent from the owners of the data.
consent: data processors and controllers should pay attention to the newly established rules for acquiring consent for data collection and processing. Terms and conditions that are full of legalese and are difficult to understand are not enough to get consent anymore. The request for consent has to be clear, short, easily understandable; it must be written using plain language and must include the purposes of data collection and processing.
So, what is the GDPR right to be forgotten? Basically, it enables data subjects (i.e. the owners of the personal data) to request that data collectors erase their personal data, stop further spreading of the information, and get data processors to cease processing it. Data subjects must be able to withdraw consent for personal data collection and processing as easily as they gave it.
What You Need To Know About Blockchain
Blockchain technology was introduced as the core technology for processing Bitcoin cryptocurrency transactions. It was designed to solve the double-spending problem that arises when we spend digital currencies.
With blockchain technology, data (originally transaction data, but nowadays it can be any other data as well) is stored in a list of records where each new record (i.e. block) contains a cryptographic hash of the previous record (often loosely described as an “encrypted image” of it), a timestamp and the new data. Because changing any earlier block would change every hash that follows it, the whole list is secure and immune to data manipulation. A new record can be added only after it has been validated by the majority of blockchain participants under the network’s consensus rules.
This technology is decentralized which means that there is no administrator and every participant of the chain has equal permissions. Besides, the list of records, i.e. the ledger, is open and public, meaning that anyone can review the blocks on the list.
Why Is There A Conflict Between Blockchain Technology And The GDPR?
The right to delete personal data is truly necessary in an era of scandals over the misuse of personal data by Facebook (e.g. the Cambridge Analytica scandal).
The GDPR requires particular attention among companies that actively use blockchain technologies in their business. The right to data erasure, it seems, contradicts the whole nature of blockchain technology as the public ledger is supposed to be, well, public, i.e. transparent for all users, and, above all, intact. The whole reason for the technology’s popularity is that the chain cannot be altered, making it secure and, therefore, reliable.
What Are The Main Concerns?
Taking into consideration the technical aspects of blockchain, let’s analyze what challenges we have in front of us with the GDPR right to be forgotten coming into force soon:
the ledger cannot be modified: each block in the chain contains a cryptographic hash of the previous block. This linkage, together with the requirement to follow the “consensus procedure” to create a new block, prevents data manipulation.
blockchain is a decentralized technology: in order to erase personal data per request, someone has to have the ability to edit the blockchain. This means that in order to comply with GDPR and delete an individual’s personal data, we would need an administrator of the blockchain with such rights. This contradicts the concept of blockchain being decentralized.
all information in the blockchain is public: anyone can see all the information stored in the blockchain as it is supposed to be transparent to prevent data manipulation. This information may include personal data.
You may be thinking: “Wait, all the operations on the blockchain are anonymous, aren’t they? So, there must be no personal data to talk about”. Well, one study revealed that a Bitcoin address could be traced to an IP address and, subsequently, to the Internet provider and, potentially, the connection owner. Besides that, blockchain can be used for storing any information aside from cryptocurrency transactions, including personal data. For instance, the Swedish land registry is based on blockchain technology.
You should also note that the definition of personal data in the GDPR is very broad and leaves room for interpretation: it covers any information relating to an identified or identifiable living individual. Therefore, a cryptocurrency wallet address is considered personal data under the GDPR.
What Does It All Mean For Companies That Use Blockchain?
The introduction of the right to be forgotten has been a hot discussion topic for the CTOs and CIOs of companies that actively use blockchain technology for a number of purposes, from running Initial Coin Offerings to raise funds and making transactions with cryptocurrency to running a blockchain-based project. However, it is clear to everyone using blockchain for business purposes that the technology has to be adapted in order to comply with the new regulations.
Blockchain experts have proposed several solutions for implementing the right to be forgotten in blockchain. However, we are yet to see how blockchain technology can and will be adjusted to comply with the GDPR in practice.
The most commonly suggested solution at the moment is encrypting the data stored in the chain. Basically, if all personal data is encrypted before being written into the blockchain, destroying the encryption key makes the data unreadable even though the ciphertext remains on the ledger. However, it is unclear whether this counts as compliance with the GDPR, and what can be done if the encryption keys are stolen, made public or lost.
Another proposed solution is using the blockchain only to store timestamps for information that is kept outside of the chain, e.g. on a website. With this approach, removing the data itself is much simpler. However, we need to consider the potential security risks that come with this idea, in particular what the on-chain record still reveals about the person after the off-chain data is gone.
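To make the two approaches concrete, here is an added example (not code from the original article or from any project it mentions) built on the hash chain described earlier: each block carries the SHA-256 hash of the previous block. Approach 1 stores ciphertext on chain and erases by deleting the per-subject key (crypto-shredding). Approach 2 stores only a salted hash commitment of off-chain data and erases by deleting the off-chain record; the example assumes a salted hash rather than a bare timestamp as the on-chain reference, and the final risk check shows why the salt matters. The stream cipher, the `Ledger` and `Controller` classes and all sample values are constructed for illustration; a real deployment would use a standard AEAD cipher rather than the toy keystream shown here.

```python
"""Crypto-shredding and off-chain storage on a toy hash chain (constructed example)."""
import hashlib
import hmac
import json
import os
import time

GENESIS = "0" * 64


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-style stream cipher from HMAC-SHA256: enough to show that the
    # ciphertext left on chain is noise without the key. Illustrative only;
    # production code would use an AEAD such as AES-GCM.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _digest(block: dict) -> str:
    # Hash of every field except the stored hash itself.
    header = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Append-only list where each block carries the hash of the previous one."""

    def __init__(self):
        self.blocks = []

    def append(self, entry: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev_hash": prev,
                 "timestamp": int(time.time()), "entry": entry}
        block["hash"] = _digest(block)
        self.blocks.append(block)
        return block["index"]

    def verify(self) -> bool:
        # Any edit to an earlier block breaks either its own hash or the link.
        prev = GENESIS
        for b in self.blocks:
            if b["prev_hash"] != prev or _digest(b) != b["hash"]:
                return False
            prev = b["hash"]
        return True


class Controller:
    """Holds the two things that live off the chain: per-subject keys and raw records."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.keys = {}     # subject_id -> key (approach 1)
        self.records = {}  # record_id -> (salt, data) (approach 2)

    # Approach 1: encrypt on chain, erase by deleting the subject's key.
    def store_encrypted(self, subject_id: str, data: str) -> int:
        key = self.keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        ct = _keystream_xor(key, nonce, data.encode())
        return self.ledger.append({"type": "encrypted", "subject": subject_id,
                                   "nonce": nonce.hex(), "ciphertext": ct.hex()})

    def read_encrypted(self, index: int):
        e = self.ledger.blocks[index]["entry"]
        key = self.keys.get(e["subject"])
        if key is None:
            return None  # key shredded: bytes remain on chain but are unreadable
        pt = _keystream_xor(key, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ciphertext"]))
        return pt.decode()

    def erase_subject(self, subject_id: str) -> None:
        self.keys.pop(subject_id, None)

    # Approach 2: only a salted commitment on chain, data kept off chain.
    def store_off_chain(self, record_id: str, data: str) -> int:
        salt = os.urandom(16)
        self.records[record_id] = (salt, data)
        commitment = hashlib.sha256(salt + data.encode()).hexdigest()
        return self.ledger.append({"type": "commitment", "record": record_id,
                                   "commitment": commitment})

    def verify_off_chain(self, index: int):
        e = self.ledger.blocks[index]["entry"]
        if e["record"] not in self.records:
            return None  # erased: the commitment remains but proves nothing on its own
        salt, data = self.records[e["record"]]
        return hashlib.sha256(salt + data.encode()).hexdigest() == e["commitment"]

    def erase_record(self, record_id: str) -> None:
        self.records.pop(record_id, None)


def unsalted_hash_is_guessable(data: str, candidates) -> bool:
    """Risk check for approach 2: a bare SHA-256 of low-entropy personal data
    (an e-mail, a name) still matches that value in a candidate list, so an
    unsalted on-chain reference would keep identifying the person after erasure.
    The random salt kept off chain is what prevents this."""
    target = hashlib.sha256(data.encode()).hexdigest()
    return any(hashlib.sha256(c.encode()).hexdigest() == target for c in candidates)
```

After `erase_subject` or `erase_record`, `Ledger.verify()` still returns `True`: nothing on the chain was touched, which is the whole point of both approaches. The open questions from the text remain visible in the code, too: the keys and salts in `Controller` are the single point whose loss, theft or disclosure undoes the erasure guarantee.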
The Bottom Line
While the challenges of making blockchain technology comply with the GDPR are quite clear, the solutions are not that obvious. The approaches described above are yet to be properly implemented and tested.
So, if you are considering applying blockchain technology in your business, take the GDPR into account at the design stage to ensure that your final product will comply with its requirements. If you have already launched a project based on this technology, you don’t have much time left to come up with a proper solution and test it, so waste no time. Violating the right to be forgotten is too expensive, remember?
If you are concerned about the future of your blockchain-based business and seem to be confused about what can be done to comply with the GDPR, feel free to reach out to us for a consultation regarding any questions you may have. We can help you ascertain whether you are ready for the GDPR as we specialize in consent management, data flow map creation, DPO role and workflows consulting.