[This is the second part of a two-part article by Muskan Agarwal (National Law Institute University, Bhopal) and Arpita Pandey (National Law Institute University, Bhopal). Part 1 can be found here.]
Previously, the authors looked at the contradictions between blockchain and GDPR with regard to the principal obligations enlisted in GDPR. In this post, the authors will carry out a feasibility assessment of the solutions proposed.
Assessment of the Solutions
Before getting into the murky waters of how to make GDPR compliant blockchain models, it is worth noting that GDPR compliance is not about the technology but rather how the technology is used. Just like there is no GDPR-compliant Internet or GDPR-compliant AI, there is no such thing as GDPR-compliant blockchain technology. There are only GDPR- compliant use cases and applications. In this regard, it is important to discuss the classification of different blockchains. On the basis of permission levels of different categories of participants, blockchains can be classified as public, private and or permissioned blockchains. Public blockchains are accessible to all. Permissioned blockchains allow restricted entry to the network while private blockchains work as a traditional database where a controller oversees participation and validation. Given their special characteristics GDPR requirements are easier to implement in private permissioned networks while on the other hand public permissionless networks pose the greatest challenge when it comes to GDPR compliance. A few solutions that can help in this regard are-
- Shifting to more controlled networks
One of the proposed solutions is to have a closed system. Blockchain technology doesn’t have to be implemented as a public blockchain like Bitcoin rather it is advisable to have a more private, limited system, where it would be possible to define roles when dealing with data
- Storing personal data off-chain
It has been suggested that rather than collecting all data and storing it on the chain, all GDPR sensitive data must be stored separately on another system with access control restrictions. This is known as off-chain storage which can be done either in distributed or cloud-based servers. The “off-chain” system can be set up to restrict access to the transaction details to the authorised parties only. Storing personal data in a separate database managed by an identifiable controller will allow modification and deletion of data without disturbing the blockchain. However, storing information “off-chain” also negates a number of the advantages of using blockchain. The blockchain can no longer be a single, shared source of truth and in most cases, both counterparties will be required to maintain their own records. One such method to give effect to the off-chain solution is sidechains. Sidechains are blockchains that allow for digital assets from one blockchain to be used securely in a separate blockchain and subsequently returned to the original chain.Even though this parallel blockchain sits alongside the parent or the master blockchain, it is independent of the master blockchain. If they fail or are hacked the damage will be limited within that chain. This is a good solution which can be considered by blockchain technologies yet to be released.
- Encryption techniques such as hashing
To meet the challenge posed by GDPR, technology experts have argued that blockchain networks should be used to store immutable proofs that certain data exists, rather than to store the data itself. Once personal data is stored off the chain, techniques such as hashing, which is specific encryption of the data and the reference or linkage to this data is stored in the blockchain.To put it in other words hashing is the fingerprint of specific data. When processing personal data, a hash would be generated for each unit of personal data and it is this hash which will be stored in the blockchain network while the actual data will be stored in some common external database. The other database where personal data is stored will not suffer from the challenges posed by the innate characteristics of blockchain technology. However, this solution would work only when hash in this context is not interpreted by regulatory authorities as personal data.
- Looking beyond technological solutions: Finding regulatory redressals
GDPR was first proposed by the European Union in 2012, a time when the internet was focused around web-centric centralized cloud base networks.However decentralized internet technologies which are the foundation of blockchain came in 2017. Thus, when the GDPR was conceptualised, the regulation of decentralized technology was not taken into account leading to functional inconsistencies between the two. Given that such regulatory uncertainties exist with respect to the future of blockchain in the GDPR paradigm it might be helpful for the European Data Protection Board to issue guidance at the earliest to clear the air. Some clarity has been brought in this regard by the French data protection authority, CNIL which published first-of its kind guidance on this matter.
Another suggestion that has come up for public systems is that there be a system of binding network rules where people have to sign up to a standard set of rules to participate in the network. This could help in allocating roles and responsibilities to participants and go a long way in resolving the conflict between the two to a certain extent.
The GDPR versus blockchain debate is one of the most significant debates taking place in the law and technology sphere in recent times. While the majority of discussion surrounding GDPR and blockchain pertains to the inconsistencies between the two, it is important to note that both share the same ethos as both are driven by the idea of empowering individuals and reducing the power asymmetry that exists between data subjects and persons/organization using their data. Given that GDPR was conceptualized keeping a centralized network with identifiable controllers of data in mind it is no wonder that blockchain technology which has decentralization at its very core, runs in direct conflict with some of the key rights and obligations under GDPR. Though the compliance challenge so posed seems to be a herculean task for both lawmakers as well as technology experts, this seemingly irreconcilable conflict is not without its own set of solutions. As pointed out earlier there can be no GDPR compliant blockchain just like there can be no GDPR compliant AI or internet, there can be only GDPR compliant use cases and applications. Given their specific characteristics GDPR requirements are easier to implement in permissioned private networks as opposed to public permissionless networks which pose the biggest compliance challenge.
A number of solutions have been proposed to address this. As already discussed, these include techniques such as off-chains which store GDPR sensitive data outside the blockchain, encryption techniques such as hashing etc. While these solutions may help persons/organizations making use of the blockchain technology to follow the letter of the law however they run contrary to the very fundamentals of blockchain which are to create a decentralized, immutable chain of data and therefore negate the benefits that flow from its innate characteristics. While the solutions so proposed may address some points of friction that exist, certain issues such as identification of roles and fixation of responsibility in permissionless public networks and how blockchain users would comply with the data protection by design and default still remain unanswered. The contention of whether GDPR will affect the adoption of blockchain technology has also remained an ambiguous topic While one group of observers believes that businesses would refrain from making use of the blockchain technology out of the uncertainty and fear of liability in case of non-compliance, others believe that if the technological hurdles are addressed by the regulating authorities it is quite possible that companies may use blockchain models in the future to become GDPR compliant given the unparalleled data security and control offered by it.
Observing EU’s strong commitment to become a leading player in the field of blockchain technology it is high time that the regulatory authorities provide regulatory guidance to this compliance challenge to generate more legal certainty.