A new report by the European Parliamentary Research Service takes issue with the idea that blockchains are incompatible with the EU’s new data privacy laws.
“Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” found that while difficulties remain, blockchains can meet the requirement that people have the ability to control and even erase personal information collected by companies.
The lengthy report, released in July, even suggests that in some areas, blockchain technology can actually be good for EU privacy rules.
“[T]his class of technologies could offer distinct advantages that might help to achieve some of the GDPR’s objectives,” wrote Dr. Michèle Finck, who authored the study for the service’s Panel for the Future of Science and Technology.
Specifically, she said, “[b]lockchains can be designed to enable data-sharing without the need for a central trusted intermediary, they offer transparency as to who has accessed data, and blockchain-based smart contracts can moreover automate the sharing of data, hence also reducing transaction costs.”
Beyond that, distributed ledger technology (DLT) “could support control over personal data in allowing them to monitor” if companies are respecting the requirement that data only be used for the stated purpose, Finck argued. “In the same spirit, the technology could be used to help with the detection of data breaches and fraud,”
That’s not to say that it will be easy, she admitted. The two main obstacles to blockchains’ GDPR compliance are well known, and at the core of how DLT works. First, GDPR assumes that in any system collecting personal information, there is one central person—a data controller—to whom EU citizens can go to enforce their rights to control or erase personal information. In a distributed system, however, there is no controlling entity.
The second is the GDPR’s assumption that data can actually be modified or erased in order to comply with the regulations.
“It is the tension between the right to erasure (the ‘right to be forgotten’) and blockchains that has probably been discussed most in recent years,” she said. “Indeed, blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible.”
Making blockchain work with GDPR
The first recommendation Finck made is one stressed by blockchain developers in the United States, most recently at Senate hearings on July 30: create a clear regulatory framework.
In the EU, this is made all the more important by the need to clarify how the GDPR’s broad requirements should be applied on a case-by-case basis regardless of the technological platform.
“[A]n attempt to map the regulation to blockchain technologies reveals broader uncertainties regarding the interpretation and application of this legal framework,” she noted. “What is needed to increase legal certainty for those wanting to use blockchain technologies is regulatory guidance regarding how specific concepts ought to be applied where these mechanisms are used.”
It’s almost like she’s talking about the U.S. Securities and Exchange Commission (SEC).
One way to deal with the major hurdles blockchain presents is to turn to private, or enterprise, blockchains, Finck concluded.
For one thing, these do have a central controller, or at least a limited group of controllers. This bypasses the difficulty of achieving a 51% consensus to rewrite a public blockchain, and the near impossibility of ensuring that all nodes comply. After all, data can hardly be said to be erased if all that is achieved is a forked blockchain.
At 105 pages, the report goes into a great deal of depth about a great many specifics of possible methods of making blockchains GDPR-compliant.
Among the areas worth investigating are encrypting the data stored on a blockchain it found. While the subject is complex and unsettled, GDPR makes clear, “at least as a matter of principle, it is possible to manipulate personal data in a manner removing the reasonable likelihood of identifying a data subject through such data,” Finck’s report said. [Report’s emphasis.]
Among the possibilities discussed are using zero knowledge proofs, a concept popular with blockchains trying to share data among competing companies. In a zero knowledge proof, encrypted data can only be accessed with a yes/no question. For example, is person X more than 18 years old?
Storing data in an off-chain database reached through a blockchain is one potential solution. Destroying the private key of an encrypted block is another.
But anonymizing data too effectively has another problem, Finck acknowledged. This is that data must also comply with laws like anti-money laundering (AML) and countering the financing of terrorism (CFT). GDPR largely protects people’s data from misuse by private companies and citizens, not from governments.
Despite the possibilities of a decentralized blockchain, defining and identifying a controller for the data stored remains a difficult task, Finck’s report found. Again, it is one in which much more regulatory guidance is needed.
Finck concluded that the study highlights “that blockchains can offer benefits from a data protection perspective.”
However, this is not something native to public or private blockchains, she said.
“Rather, blockchains need to be purposefully designed” to realize these benefits, Finck added. “Where this is the case, they may offer new forms of data management that provides benefits to the data-driven economy and enable data subjects to have more control over personal data that relates to them.”