Blockchain and the General Data Protection Regulation: the Paradox in Two Parallel Systems

The online sphere in the past few years has been infused with dialogue on two significant innovations: Blockchain and the General Data Protection Regulation. Both have attracted popular interest within the general community and among professionals in Financial Services, Healthcare and Banking, among other fields.

The General Data Protection Regulation was drafted by the European Union as an overhaul of the former data protection framework, which lacked elements needed for modern application. The concepts of technological and sectoral neutrality were therefore dominant determinants, intended to ensure that the replacement framework would apply across all sectors and to any future technological innovation. This ambition is tested by Blockchain technology, which has provoked wide controversy because of its apparent incompatibility with the structure and principles of the General Data Protection Regulation.

General Data Protection Regulation and Blockchain – the Homogeneity in the Respective Purposes

Whilst structural tension between the two persists, the General Data Protection Regulation and Blockchain were both designed with the aspiration of satisfying an adequate standard of privacy and security. However, the General Data Protection Regulation establishes a centralised legislative framework, affording rights to data subjects which are to be honoured by the competent data controller. By contrast, Blockchain adopts a distributed ledger, a decentralised system in which participants operate under pseudonyms rather than under a verified identity. This protects data by removing the single points of failure that a centralised system would otherwise create. Therefore, whilst the General Data Protection Regulation functions by attributing duties and responsibilities to key participants, Blockchain addresses security and privacy within the technology itself. Blockchain technology is grounded in the idea of a system functioning autonomously, whereas the General Data Protection Regulation rests on the accountability of the data controller, being the person who determines the purposes and means of processing. In a blockchain, that controller is replaced functionally by the peer-to-peer network. Every participant running a full node holds a copy of the ledger and supports the network, whilst miners perform the proof-of-work procedure. These constitute data controllers and processors only in an extremely unconventional sense, so much so that it would not be just to hold them accountable for non-compliance, especially since their control over the data is extremely restricted and becomes null once the data is committed to a block.

Data in Blockchain – Identifying Personal Data in the Anonymous System

As noted above, Blockchain is a technological system which records and updates data independently of a dominant decision maker. However, whilst participants are not named, access through online platforms leads to the use of online identifiers, for instance the IP address, which is expressly categorised as personal data in the General Data Protection Regulation. All other data which may identify a participant is protected through pseudonymisation, making it unidentifiable at first sight. It is still personal data, since with additional information one may discern the identity behind the pseudonym.

Blockchain relies on asymmetric (public-key) cryptography: each participant holds a private key, used to sign transactions, and a corresponding public key, which anyone can use to verify those signatures. The public key, or an address derived from it, is the public face of an identity on the ledger. Consequently, whatever links a public key to a person, such as a certificate, a registration with a service or a pattern of transactions, makes the data susceptible to identification, as shown by Reid and Harrigan in their publication 'An Analysis of Anonymity in the Bitcoin System'. By design, only keys, addresses and hashes appear on the ledger, not a person's name, so associating a person with their address is difficult from the ledger alone. However, in many cases creating an account with a service built on the blockchain demands disclosure of particular data, and where the blockchain protocol allows arbitrary data to be stored, such data can end up on the chain with only limited possibility of restricting access. In that case General Data Protection Regulation compliance is engaged.

Blockchain may in theory be used in its entirety as a storage technology, an application which has not yet been widely adopted. Professionals anticipate a particular complication where this is applied to a public blockchain. Such a permissionless vessel of data invokes a legal paradox, since a centralised regulatory model is being applied to a decentralised technology. This is why area professionals envisage privacy poisoning as a prospective reality: it occurs when illegal data is disseminated and stored on the blockchain, or when the storage of data is no longer justified, and it creates an adverse scenario because the illegality cannot be reversed or counteracted.

A basic observation to make regarding the General Data Protection Regulation and Blockchain is that it is not unlawful as such to store personal data on a blockchain; however, the law demands that the data subject be able to have such data rectified or erased, an ability very rarely available in a public blockchain because of its reliance on immutability. Since a permissioned blockchain allows an enhanced level of privacy and control, with an identifiable operator deciding who participates and what is written, it can be reconciled far more readily with the General Data Protection Regulation, because elements of control and accountability can be enforced.

Using blockchain as a storage mechanism is attractive because it is transparent and decentralised and because any tampering is self-evident: each block commits to the hash of the previous one, so altering a stored record changes its hash and invalidates every later block. However, it is relatively expensive, slow and burdensome to operate. In the transaction model, data is stored by including it in a transaction from the sender to the receiver, so that the data is packaged with the transfer; Bitcoin, for example, permits a small arbitrary payload in a transaction output (OP_RETURN). Other blockchain systems, Ethereum among them, provide a data field on every transaction, making a storage blockchain system easy to build.

Personal Data Security – Security of Data in Light of Hacks

The novelty of Blockchain technology was that it claimed to address security in the most absolute manner, by ensuring that the technology could not be hacked. Time has shown this to be an ill-founded claim, as attackers have successfully targeted blockchains, including attacks on Ethereum-based networks. One route is the 51% attack, in which an attacker gains control of more than half of the network's mining power and can thereby reorganise recent transaction history, for instance reversing payments by mining a longer competing fork that the rest of the network then accepts. Reportedly, around 2 billion Euros' worth of cryptocurrency have been stolen in the past two years. In theory the same attack could be applied to a chain used to store data, rewriting or dropping recently recorded entries. A blockchain that is not grounded in proof of work is not automatically immune: whatever resource secures consensus, be it stake or validator seats in a permissioned network, can likewise be captured by a majority, allowing the attacker's fork to be made authoritative over the previous chain.

The General Data Protection’s Complex of Rights – Applicability within Blockchain

As this article establishes, the General Data Protection Regulation is a framework grounded in a complex of data protection rights afforded to the data subject and corresponding obligations ensured by the data controller. In the absence of an attributable data controller, this scheme is inapplicable to blockchain. Moreover, in a public blockchain the data is accessible to anyone on the network, making imputability impossible.

Even if a data controller could be discerned, the exercise of particular rights is impossible. For instance, the General Data Protection Regulation ensures that a person may demand that his or her personal data be rectified or forgotten, hence demanding modification or erasure of personal data. However, a blockchain is an append-only ledger in which every block commits to the hash of the previous one; changing a record in place invalidates every later block unless the network as a whole rebuilds the chain, and this is precisely what makes fraudulent alteration difficult. Masking a record by creating a fork, or discarding the private key that controls it, is possible, but neither constitutes erasure, since the data remains readable on the chain. Where, however, the identifying information is held off the chain, and only a reference such as a salted hash, meaningful solely through that external association, is recorded on the chain, erasing the off-chain data renders the on-chain value anonymous and hence beyond the scope of the General Data Protection Regulation. Therefore, whilst erasure may be exercised in an unconventional way, rectification in place is impossible: at most a correcting entry can be appended, leaving the inaccurate record in the chain. This also causes difficulties in implementing retention periods and storage limitation, and in satisfying the accuracy principle where personal data is inaccurate.
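The two technical points made above, that data written directly into a transaction cannot be rectified without breaking the chain (the storage model described under data in blockchain) and that holding the identifying information off-chain allows erasure by deleting the external association, can be seen in a small simulation. The code below is an added example written for this article, not code from the article's author or from any blockchain project; the block layout, the addresses (addr_A, addr_B, addr_C), the sample records and the off-chain store are illustrative assumptions rather than any real protocol. It also shows the caveat a practitioner needs: an unsalted hash of a name is still personal data, because it can be recovered by hashing guesses.

```python
# Added example, not code from the original article: a minimal append-only
# hash chain carrying data inside transactions, a check showing why in-place
# rectification breaks the chain, and the off-chain pattern in which only a
# salted hash of the personal data is recorded so that erasing the off-chain
# record leaves the on-chain value unlinkable. All names are assumptions.
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # the "transaction" this block records, data included

    def hash(self) -> str:
        body = json.dumps(
            {"i": self.index, "p": self.prev_hash, "d": self.payload},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode()).hexdigest()


class Chain:
    """Append-only ledger: each block commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[Block] = [Block(0, "0" * 64, {"genesis": True})]

    def append(self, payload: dict) -> int:
        self.blocks.append(Block(len(self.blocks), self.blocks[-1].hash(), payload))
        return len(self.blocks) - 1

    def verify(self) -> bool:
        # Every block must name the current hash of the block before it.
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            if cur.index != prev.index + 1 or cur.prev_hash != prev.hash():
                return False
        return True


def commitment(record: dict, salt: bytes) -> str:
    """Salted hash of a record: what goes on-chain instead of the record."""
    return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()


class OffChainStore:
    """Holds the identifying data and its salt under the controller's control."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[dict, bytes]] = {}

    def put(self, record: dict) -> str:
        salt = secrets.token_bytes(16)  # random salt defeats guessing attacks
        c = commitment(record, salt)
        self._records[c] = (record, salt)
        return c

    def resolve(self, c: str) -> Optional[dict]:
        entry = self._records.get(c)
        return entry[0] if entry else None

    def erase(self, c: str) -> bool:
        return self._records.pop(c, None) is not None


def tamper_is_detected() -> bool:
    """Store personal data directly in a transaction, then try to rectify it."""
    chain = Chain()
    chain.append({"from": "addr_A", "to": "addr_B", "note": "name=Alice Smith"})
    chain.append({"from": "addr_B", "to": "addr_C", "note": "settlement"})
    assert chain.verify()
    chain.blocks[1].payload["note"] = "name=Alice Jones"  # in-place rectification
    return not chain.verify()  # True: block 2 no longer matches block 1


def erasure_via_off_chain_store() -> Tuple[bool, bool, bool]:
    """Only a salted commitment goes on-chain; erasing the record unlinks it."""
    store, chain = OffChainStore(), Chain()
    c = store.put({"name": "Alice Smith", "dob": "1990-01-01"})
    chain.append({"from": "addr_A", "to": "addr_B", "commit": c})
    linked_before = store.resolve(c) is not None
    store.erase(c)
    linked_after = store.resolve(c) is not None
    # The ledger is untouched and still valid, but the commitment now points
    # at nothing and, being salted, cannot be reversed by guessing.
    return linked_before, not linked_after, chain.verify()


def unsalted_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def guess_unsalted(target: str, candidates: List[str]) -> Optional[str]:
    """Why the salt matters: a bare hash of a low-entropy value such as a
    name is recoverable by hashing guesses, so it is still personal data."""
    return next((c for c in candidates if unsalted_hash(c) == target), None)


if __name__ == "__main__":
    print("tamper detected:", tamper_is_detected())
    print("erasure (linked before, unlinked after, chain valid):", erasure_via_off_chain_store())
    print("unsalted guess:", guess_unsalted(unsalted_hash("Alice Smith"), ["Bob Lee", "Alice Smith"]))
```

The design point is that the ledger never has to change: what is deleted is the salt and record held by the controller, which is the only party that needs to be accountable under the Regulation. Whether a salted hash whose salt has been destroyed counts as anonymous rather than pseudonymous data is a legal question the code cannot settle, and a deterministic or unsalted scheme would fail it outright, as the last function shows.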

Blockchain and the General Data Protection Regulation: A Way Forward

Whilst blockchain continues to adapt to different sectors and uses, there appears to be a legal vacuum, a lacuna leaving data protection in blockchain unregulated. This is detrimental since, without adequate application, the development of both systems will be hindered. However, there are optimistic prospects, as many companies are embracing the coexistence of the two mechanisms, for instance through smart contracts designed to track opt-in and opt-out requests in a transparent way.

For more information on the General Data Protection Regulation
Get in touch with us

📧 ybusuttil@easl.com.mt

📞 2166 1273
