Privacy in the blockchain
Privacy issues with Blockchain technology: can they be compatible?
Everyone is talking about it: blockchain technology and its potential applications. This new revolution started with an alternative currency called Bitcoin. The technology underlying Bitcoin is called “Blockchain”.
Because of the rapid growth of Bitcoin, businesses are now looking to utilize Blockchain technology in other fields of business. There are tremendous opportunities in this disruptive technology, also for businesses outside of the financial sector! It is therefore important that every business understands what this new technology is, which forms it can take and what the legal implications are.
What is Blockchain and how does it work?
A Blockchain is essentially nothing more than a distributed online database (also called a public ledger), consisting of linear blocks that contain all transactions or digital events that have been executed and shared among the parties participating in the chain (the “nodes”). Each transaction in the shared database is confirmed by consensus of the majority of the participants. Once the information is entered into the Blockchain, it cannot be altered or erased. This allows the participating parties to know for certain that an event happened. Blockchain’s central attributes are that it provides security, anonymity and data integrity without any third-party organization in control of the transactions.
Does the General Data Protection Regulation apply to Blockchains?
The General Data Protection Regulation (“GDPR”) applies if there is processing of personal data. As Blockchains are used for exchanging different types of data, the GDPR applies when this data qualifies as personal data.
Personal data means all data relating to a living individual (the “data subject”) who is or can be identified either from the data itself or from the data in conjunction with other information. A person’s full name is obviously an identifier, but there is more. A person can also be identified from other types of information, such as physical characteristics, pseudonyms, occupation, address etc. Even personal data that has been de-identified, encrypted, pseudonymised or hashed into the Blockchain is considered to be personal data and the use of this data falls within the scope of the GDPR.
It is therefore likely that most businesses that use Blockchain technologies need to comply with the GDPR.
What are the privacy issues with Blockchain technology?
When the GDPR applies to the Blockchain, this can have wide-reaching implications, as data subjects are in a position to invoke their GDPR rights, including their right to access data and have it amended or deleted, thereby arguably undermining many Blockchain principles. In addition, it can be difficult to determine which entity will be the addressee of these obligations (the “Data Controller”). Some may therefore argue that Blockchain technology is incompatible with the GDPR. This does not have to be the case!
One of the Blockchain’s main attributes is that it creates a decentralized environment where data can be stored and shared without the interference or control of a third-party organization. This clashes with the GDPR, which applies to the processing of personal data by a “Data Controller” and “Processor”. Under the GDPR, the Data Controller is the central figure on whom in principle all legal obligations rest. The Controller can call in a Processor who processes the personal data.
The Controller determines what happens to the personal data. The Controller is also responsible for the security of the Blockchain. Does such a controlling party even exist in a Blockchain?
In a public or open Blockchain, every participant could qualify as Data Controller or as a Processor, as there is no hierarchical relationship between the parties. The larger the group of Blockchain parties, the more difficult it will be to determine the privacy role of each party. A closed Blockchain offers a solution in this case. A closed or private Blockchain is much more controllable and manageable when it comes to the processing of personal data.
GDPR rights of the data subject
A greater challenge is to comply with the rights of the data subjects. One of the strong points of Blockchain technology is that one can trust the validity of the information because of its inalterability. This strikes at the heart of the GDPR, which grants the data subject a right to ask for erasure of his personal data. It can be argued that the erasure of personal data could be achieved by encrypting the personal data and afterwards deleting the key that was used. That way the (original) data would not be removed, but an extra block would be added detailing the encryption and subsequent deletion of the key. The same technique could be used to deal with the need to alter personal data when the data subject requests this. You encrypt the data, delete the key and then add a new block with the altered information.
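The erasure and amendment technique described above, as an added example that is not part of the original article: personal data goes on the chain only as ciphertext, each record has its own key in an off-chain key store, and erasing means deleting that key and appending a block that records the erasure. The Ledger class, its method names and the SHAKE-256 keystream (a standard-library stand-in for an authenticated cipher such as AES-GCM) are assumptions made for this sketch.

```python
import hashlib, json, secrets

def _xor_stream(key, nonce, data):
    # Assumption: SHAKE-256 keystream as a stdlib stand-in for an AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _block_hash(prev, payload):
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:  # hypothetical name; a single-node model of an append-only chain
    def __init__(self):
        self.blocks = []  # shared, append-only: holds ciphertext only
        self.keys = {}    # off-chain key store, held by the controller

    def _append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": _block_hash(prev, payload)})
        return len(self.blocks) - 1

    def store(self, personal_data):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = _xor_stream(key, nonce, personal_data.encode())
        idx = self._append({"type": "data", "nonce": nonce.hex(), "ct": ct.hex()})
        self.keys[idx] = key  # one key per record, so erasure is per record
        return idx

    def read(self, idx):
        key = self.keys.get(idx)
        if key is None:
            return None  # key destroyed: the block remains but is unreadable
        p = self.blocks[idx]["payload"]
        return _xor_stream(key, bytes.fromhex(p["nonce"]), bytes.fromhex(p["ct"])).decode()

    def erase(self, idx):
        self.keys.pop(idx, None)  # delete the key; the original block is untouched
        return self._append({"type": "erasure", "target": idx})

    def amend(self, idx, new_data):
        self.erase(idx)  # old value becomes unreadable
        return self.store(new_data)  # corrected value goes into a new block

    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True
```

Erasure in this model is only as complete as the key deletion: every copy of the key, backups included, has to be destroyed, because the ciphertext stays on every node.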
What measures can a company take to minimise these privacy issues?
There are different varieties of Blockchains that should be distinguished from one another. A Blockchain can for example be made more private by limiting which parties can take part in the Blockchain and by limiting which information each party can access. In addition, businesses can focus on a so-called “permissioned Blockchain” where not all parties need to have equal rights. From a privacy perspective there are several reasons why private permissioned Blockchains are preferable to public Blockchains. We will go into more detail about this in a later article.
There is a paradox between transparency and privacy. A fully transparent system like the Blockchain allows anyone to see any piece of information and therefore no privacy is provided. But, alternatively, a fully private system provides no transparency and requires dependency on a third party. However, a (private) Blockchain can still provide significant privacy guarantees while making the transactions transparent. So there is as yet no reason to ignore Blockchain technology because of the GDPR. However, careful consideration must be given to the exact design of the system.