316

GDPR, Privacy, and True Data Ownership with Blockchain

It’s beginning to look like 2018 will be the year of data privacy. The way tech companies utilize our data has finally come to the forefront of the media and the public’s consciousness. As European companies prepare themselves for GDPR regulations, the world has been made well aware of the Cambridge Analytica/Facebook scandal, where data from up to 87 million Facebook accounts were misused for political purposes.

Data privacy enthusiasts were quite disappointed by Mark Zuckerberg’s performance in front of the US Senate in April. After being questioned by a senator about the nature of Facebook’s business, Mark responded simply, “Senator, we run ads,” indicating that the tech giant itself does not know much about managing its data.

These examples prove that we require strict regulatory procedures, which is just what the GDPR legislation is all about. Blockchain projects that strive to solve complex privacy issues are, however, inhibited by the implementation of GDPR, so in this article, we will outline the key obstacles they face and suggest several workarounds while reflecting on the future of data privacy.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was adopted by the EU in 2016 and came into force in May 2018. It has strengthened the protection of the personal information of EU citizens and has an extraterritorial effect; that is, it applies to all companies that process personal data of EU citizens and residents, regardless of the companies’ locations. The law did not come out of nowhere: It’s a replacement of the Directive 95/46/EC, which had been the basis of European data protection law since its introduction in 1995.

The Regulation will have a significant impact on businesses in all industry sectors, bringing with it both positive and negative changes for business in terms of costs and effort. The fines for breaches of the GDPR are substantial. Regulators can impose fines of up to 4% of the total annual worldwide turnover or €20M.

“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies. The key points of the GDPR, as well as information on the impacts it will have on business, can be found below.”

And the list goes on… but, as delving deeper into GDPR compliance rules is not the purpose of this article, we will concentrate only on the aspects that conflict with blockchain properties. For further details regarding the changes, we will provide links where required.

First of all, we should understand whom it may concern.

The GDPR law will have extraterritorial applicability, extending beyond the borders of the EU, meaning the law will affect non-EU businesses that process the data of EU residents and citizens. The GDPR applies if a company…

  • Has a subsidiary in EU.
  • Doesn’t have a subsidiary but provide goods or services to EU citizens.
  • Monitors the activities of citizens within the EU.

So, it seems like the GDPR will apply to a vast scale of people and organizations, as every profit-minded scrounger aims to acquire our data nowadays…

When talking about data subject rights, we must define the following terms:

  • Breach Notification Mandatory notifications about data breaches sent to the data subject within 72 hours.
  • Right to AccessThe receipt of confirmation from the data controller as to whether personal data concerning the data subject are being processed. For this, we must take a step aside to explain the two main actors of data relationshipscontrollers and processors. Controllers determine the purposes and means of the processing of personal data. Processors are people, public authorities, agencies, or other bodies that process personal data on behalf of a controller.
  • Right to be Forgotten – Also known as “data erasure,” the right of the data subject to erase his or her personal data.
  • Data Portability The right of the data subject to access personal data concerning him or her.

Additional broad definitions can be found on the official GDPR portal.

Apart from the rights defined above, we should also mention “privacy by design,” which is not an actual right but a principle and will be a legal requirement of the GDPR. At its core, privacy by design calls for the inclusion of data protection measures from the onset of a system’s design, rather than as an addition. Controllers should hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as limit access to personal data to those acting out the processing.

And here is where the problems for blockchain start. If we look at these requirements from the blockchain perspective, they may seem completely incompatible at first glance. Blockchains are immutable, feature no way to revert things, store data permanently until the last node, offer debatable privacy, and contain no geographical limitations (in this way, every ledger could have EU citizens among its users), among other possible issues…

Blockchain is not designed to be GDPR-compliantor maybe the GDPR is not blockchain-compatible in its current form.

Let’s dive a little deeper into this.

Issues with Blockchains

Considering the issues of GDPR compliance, let’s recall the basic properties of blockchains. First of all, and it’s often presented as a killer feature of the technology, is its immutability, meaning that once written, data cannot be deleted or modified retroactively. The second is the pseudo-anonymity (read: transparency) of public ledgers. That means even if encrypted, data are still available to all participants, and it’s just a question of the right method of deciphering to link it back to the actual user.

Keeping all this in mind, let’s look at the GDPR requirements and some workarounds for blockchain solutions. Here are a few more quotes from the GDPR law, called the “principles relating to the processing of personal data” with some remarks about blockchain applicability:

  • “Processed lawfully, fairly and in a transparent manner” – At first glance, due to encryption, blockchains are not transparent, but the data are still available to any party if identity is compromised.
  • “Collected for specified, explicit and legitimate purpose” – In blockchains, apart from general, project-specific use cases, data are collected for authentication purposes.
  • “Adequate, relevant and limited to what is necessary” (data minimization) – Data are duplicated among all nodes.
  • “Accurate and where necessary, kept up to date” – Data are not checked before being written to blockchains and cannot be rewritten.
  • “Identification for no longer than necessary” – Not for all blockchains, but the data exist forever.
  • “Processed in a manner that ensures its security” – Due to encryption, blockchains are secure but still can be compromised.

As can be seen, there are many issues with blockchain compliance in terms of the GDPR. Below are the most crucial ones.

Right to be forgotten

The right to be forgotten, or the right to erase your data, seems to be the most prominent problem for blockchain companies. However, the definition of the right to erase data is not so clear from the GDPR law. On one hand, it could mean that the data should be deleted from the database, which is possible with traditional server infrastructure but not with blockchains. On the other hand, it also means that the data should become inaccessible to everyone. In that case, blockchains can comply with this regulation, as you can just throw out your private keys, but even this measure might not be enough.

One more question we should ask is “Who is the controller?” As a blockchain company puts data onto the ledger, the company automatically becomes the controller. But if the company lets users put data on the blockchain on their own just by signing the transaction with their private key, it’s no longer the blockchain company’s responsibility to erase the data.

Global transfers of personal data

According to the GDPR, companies can’t send your data outside the EU (or a short list of certified countries) without specific permission. But such a guarantee is impossible for publiс blockchains. Public blockchains, with nodes distributed all around the globe and no limitations for creating new nodes, go directly against both the above-mentioned cases. With public blockchains, companies cannot control where data are sent.

Although the GDPR may sound catastrophic for public blockchains, private ones are more flexible in some senses. They have a fixed amount of trusted nodes, which could also be geo-bounded. Data are not available for every network member, and there are chipper consensus solutions at the expense of decentralization.

Solutions for mitigating the risks of GDPR non-compliance

Blockchain is not a database for storing data… or, at least, it would be a very bad one. The cost of storing all those data is enormously high, due to the massive duplication, so most blockchains tend to store not the actual data but rather references and indexes leading to data actually stored off-chain. The true value of blockchain technology comes with its ability to act as a trusted permission layer, with links to data but without actually storing any valuable information. Therefore, basically, it’s not the blockchain that should remove your data: The responsibility falls on the operators who rely on the blockchain as an index.

However, this matter is debatable, as not all blockchains work in this manner, and the GDPR act still doesn’t have a clear definition of personal data. Blockchain projects ought to wait for the first precedents in this area to make their first moves.

There are still some possible solutions that can be considered at the moment, however.

Hash and encryption

Encrypting data is a potential solution. Pseudo-anonymizing the data makes it harder to link them back to the user. This is quite a debatable solution, though, as the data may still be considered personal data and can be decrypted/hacked, thereby compromising the user’s identity.

Digital Identities on Blockchains

Another area where solutions could come from is digital identities (DIDs) on blockchains. Blockchains can ensure that a user’s DID is stored in a secure and incorruptible manner. Potential projects are rushing to develop blockchain solutions for this: Bitnation, Civic, Identity.foundation, Cambridge Blockchain LLC, Sovrin, BlockAuth, and Existence ID, to list just a few initiatives.

Most of these projects elaborate on GDPR compliance issues in their whitepapers and blogs, assuring backers that they are ready for the new changes.

However, it’s not nearly that simple. Parity, a blockchain company well-known for its wallet, shut down its “Parity ICO Passport Service” (PICOPS) project due to GDPR, and several other cases popped up even before the law come into force. LocalBitcoins disabled multiple accounts, and cryptocurrency exchange CoinTouch shut down over GDPR concerns.

Burning data

The most innovative approach comes from the decentralized database BigChainDB. These guys are also known for their data marketplace OceanProtocol, with an ICO that collected $22M this March. Ocean Protocol is an ecosystem powered by AI and used for sharing data and associated services.

The people behind BigChainDB came up with the solution of burning data. To understand this, we should first remember how traditional databases work. The basic operations of persistent storage are create-read-update-delete (CRUD). But if we tried to implement this process for blockchains, we would face a few significant problems, starting with the Update function. As blockchains are immutable, updating and deleting is not possible.

Instead, operations on the blockchain can be described as create-retrieve-append-burn (CRAB), a process created by BigChainDB. The concept includes the theory of the Append function, wherein you can only append new transactions to a ledger. This changes the state, as it’s the sum of all past transactions. According to BigChainDB, the Burn operation throws away the encryption keys, so you are unable to Append new transactions. Instead of just forgetting your encryption key, you can set the transaction to an “unsolvable” private key by choosing a completely random public key, thereby locking yourself and everyone else out.

This might be a solution, but proper testing is necessary to make it plausible. In any case, everything will depend on the first GDPR trials and the following law refinements.

This, of course, raises another pool of questions. Do we, as a society, need such procedures, and if so, how can they be improved?

Code is the new law

As we can clearly see, technological advancement is proceeding at a much faster rate than the regulations, primarily due to their complexity. The official regulation procedures come far behind the innovations and, in some ways, slow them down. As the case of the GDPR clearly demonstrates, despite its good intentions, the law left a lot of grey spots, thereby freezing some blockchain projects.

When European policymakers were debating and finalizing the GDPR, blockchain wasn’t even on their radar. This is the nature of most traditional regulations and illustrates how quickly technology shiftsat a speed much faster than laws and regulations move. In this case, while we wait for the rules to be stabilized, the question we have to ask is “Do we really need these procedures?”

Of course we need governance. Government regulation has a critical role in creating accountability, ensuring responsible use of data, and providing enforcement mechanisms to penalize bad actors. But rather than creating outdated laws, the next generation of government should adopt a more forward-thinking approach and stay updated with technology. Blockchain technologies provide us with some new instruments that can drastically increase performance, security, and privacy. Several projects in the blockchain field are seeking solutions to modern governance issues based on the studies of economic theory and sociology.

Putting such rules into code, via smart contracts, could make all regulation requirements much more transparent. Knowing the direct outcome of any action would allow companies to advance much quicker.

This is much easier said than done. We have a lot of stakeholders and a long way to go to satisfy everyone’s needs.

A few more words about the possibilities of blockchain and true data ownership

Since we have raised the subject of data privacy, we should mention other possibilities opened by blockchain technologies. All the data we’ve talked about in this article belong to nobody. We share them for free to gain access to modern applications. In most cases, we don’t even compare the value another app offers with the potential threats of privacy violations. Moreover, most of the data stored in centralized databases are in “data silos,” which causes them to lose their potential value. This trend is going to continue as we progress into an H2M (human 2 machine) economy and IoT mass adoption.

Blockchains provide us with the possibility of true data ownership, giving us the possibility to use our data at our own discretion. This process would be self-sovereign in the sense that the data subjects themselves have control over their personal data. It very much supports GDPR regulations, sharing the same finite goals.

There are a range of startups supporting this direction. We can look at data marketplaces like Datareum and the previously mentioned OceanProtocol. Cambridge Analytica, despite the huge scandal, recently came up with an ICO aiming to give people ownership of their data. The well-known IOTA launched its data marketplaces for IoT a few months ago. There are a lot of similar projects, and many more will appear in the near future.

We should, however, always think about the ethical aspect of such solutions. As, just by declaring you “own your data” and throwing a bunch of corresponding tokens via airdrop to the users, we don’t give them much of a choice, but merely creating new distribution channels.

The GDPR law could reshape the way we see the category of “consent.” Currently, we just click “agree” after briefly skimming the privacy policy. The GDPR forces us to actively opt in to every data interaction, just like how simple notifications about updated data privacy policies turned our inboxes into spam boxes at the end of May this year.

What will happen if companies start asking for our consent for every single move? Do we have the mental capacity to consciously make all these decisions? Do we even need all this freedom of choice?

All these questions have yet to be answered…

Conclusion

GDPR compliance is still quite a grey area as of yet. We don’t yet know what is hidden behind the ambiguous term “personal data”. Even hash, encrypted data, or private keys could be considered personal data. The blockchain community should wait for the first trials in this field to understand how exactly blockchain projects should tackle such issues. Until then, it is still risky to put actual user data on the blockchain.

Paradoxically, both the GDPR and data-centric blockchains share fundamental goals. Both aim to improve individuals’ rights to control their own data and to use them at their own discretion. But the angle of approaching these issues is controversial. Blockchains provide more rights with better governance procedures, even in untrusted environments. The GDPR often, in a sense, imposes restrictions on certain players to provide security to the end user.

The law should go along with technological developments and create a transparent environment for further development, not restrict the freedom of data usage for those who do not really need it. In its current state, the GDPR seems to be a political act to “make Europe great again”, rather than a technological act.

Hopefully blockchain companies will not suffer too much from the GDPR, and we would like to see the effort spent seeking compliant solutions be mutually beneficial for blockchain technology, regulators, and end users.