[This is the second part of a two-part article by Muskan Agarwal (National Law Institute University, Bhopal) and Arpita Pandey (National Law Institute University, Bhopal).]
This is the first part of a two-part post that undertakes an analysis of the points of friction present between the fundamentals of blockchain technology and GDPR and of the various solutions that have been proposed to address the inconsistencies.
Blockchain, the technology behind bitcoins which came in 2008 has taken the world by storm and is slated to transform every major sphere of life from financial services to governance. Blockchain technology is characterized by certain peculiar features namely data immutability, transparency, and storage which not only sets it apart from traditional databases but also offers numerous benefits over them.
To put it simply, a blockchain is a type of distributed ledger, comprised of digitally recorded data in packages called blocks which are linked together in a chronological manner. The process of creating a block starts when one of the parties to a transaction initiates the process of creating a block. Each transaction generates a hash
which is a string of numbers and letters dependent not only on the current transaction but on the previous transaction as well. This is to be verified by a majority of the participating computers called nodes by solving an energy-intensive complex calculation. A reward is given to the validating node in the form of newly minted tokens. Once verified, an immutable block is added to the chain not just with a unique record but also a unique history.
The EU’s General Data Protection Regulation (GDPR) which came into effect on 25 May 2018 has been called the single most important change in data privacy paradigm in over 20 years. The GDPR regulates the processing of ‘personal data’ by individuals, companies, and organizations. Like any other data protection law, it aims at creating a balance between the competing goals of privacy and the free flow of information. The EU brought out the GDPR on 25th May, 2018 as an update to its previous data protection regime i.e. Data Protection Directive (often referred to as DPD) of 1995. The jurisdictional scope of GDPR is quite broad as it applies to all personal data of data subjects in the EU. Personal data, in the GDPR has been defined as ‘any information relating to an identified natural person’.
While both GDPR and blockchain technology reinforce the same idea of giving control to the users of the data, the manner in which blockchain technology functions currently has brought it in direct conflict with the requirements of GDPR. Witnessing the exponential growth of the blockchain technology, the EU has time and again acknowledged its commitment of resolving the tensions between GDPR and blockchain, indicating that despite their seemingly irreconcilable nature, blockchain technology is here to stay. The resolution on ‘Distributed ledger technologies and blockchains: building trust with disintermediation’ passed in October 2018 is yet another attempt in this direction.
In this post, the authors make an attempt to understand some of the key concepts of blockchain and GDPR respectively and make an analysis of the points of friction between the two.
Blockchain and GDPR: Points of Friction
Before delving into the contradictions between blockchain and GDPR it is imperative to discern how GDPR applies to blockchain technology in the first place.
Blockchain technology runs into trouble with GDPR on the following issues:
- Processing of ‘personal data’ by blockchains
GDPR lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. ‘Personal data’ in the GDPR means “any information relating to an identified or identifiable natural person”.
Blockchain stores the information on transactions and the identity of the persons doing the transactions. Blockchain technologies use hashes to store transactions and a combination of public and private cryptographic keys to create a secure digital identity reference. While the public key is the ‘sent to’ address accessible to others on the network, the private key keeps the true password of the one doing the transaction. The public key can be thought of as an individual’s bank account and the private key as the PIN to that bank account. The question that needs to be asked here is whether these hashes and public keys allow ‘linkability’ to the data set and the relevant person respectively. The working party in Opinion 05/2014 of Article 29 relating to the effectiveness and limits of anonymisation techniques considered hash as a pseudonymisation technique as it reduces and not negates the linkability of the data set with the original identity. Similarly, public keys can be used for indirect identification of a person i.e. when public keys are associated with a person.
As per Recital 26 of the GDPR, GDPR is not applicable to anonymised data but it is applicable to personal data which have undergone pseudonymisation. Moreover, it is important to note that the aforementioned Recital of GDPR states that“to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.” It can be interpreted from the phrase ‘means reasonably likely to be used by another person’ that the Recital takes into account all the possibilities and chances of identification as the third person could be any person in the world. A case on point here is Patrick Breyer v. Bundesrepublik Deutschland, where the European Court of Justice ruled that IP addresses can constitute personal data if the relevant additional information is held by a third party, such as an internet service provider. It follows from here that an absolute approach to identifiability under GDPR would make the information stored on blockchain fall under the definition of what is considered to be personal data.
- Fixing accountability: Who controls the data
The GDPR defines a ‘data controller’ as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A data controller, thus, determines ‘why’ and ‘how’ the data is to be used. However, as explained earlier, blockchain is a distributed database of records. Each node connected to the network gets a copy of the blockchain. No node is in control of the data once it is put on the blockchain network. As there is no central operator, every participant/node in the blockchain is a data controller for himself and a data processor for others. Decentralization, thus, makes it impossible to identify ‘data controllers’ in a blockchain environment.
- The conundrum of rights
Tensions exist between rights offered by GDPR and the way blockchain operates:
- The legality of data processing
According to GDPR, data can be processed only with explicit consent from the data subject to that effect. In a similar vein, GDPR also provides the data subjects the right to be protected from automated data processing. However,a right to information on the processing of personal data cannot be guaranteed when it is difficult to ascertain the data controllers in a blockchain as stated out above.
- Right to be forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. However, data on the blockchain cannot be changed or erased. This immutability is the foundational principle of the blockchain. By ensuring that there is no modification and tampering with the data, “immutability of records” principle provides the users with security and accuracy of the data. Moreover, any tampering with the data renders the blockchain ineffective. This goes on to establish that blockchains are designed to last forever. Thus, on a prima facie basis, ‘right to be forgotten’ or the ‘right to erasure’ cannot be provided in blockchain as per the requirements of GDPR. However, it should be noted that GDPR does not define what constitutes an ‘erasure’. Does erasure mean actual deletion of data? Or making data inaccessible would also be categorized as deletion of data? Since data can be made inaccessible in blockchain through deletion of encryption keys, would it mean that right to erasure is available to the data subjects in a blockchain? It thus leaves room for interpretation and also for the commentators to provide a number of solutions around it.
- Data protection by design and default
The principles of data protection ‘by design’ and ‘by default’ are referenced in Art. 25 of the GDPR. These principles embody the notion that data protection measures should be adopted at the earliest stages of the design of the processing operations. The principles demand that the data controllers implement appropriate technical and organizational measures such as pseudonymisation of data to ensure data minimization (data protection by design) and also that data is “not made accessible without the individual’s intervention to an indefinite number of natural persons” (data protection by default). In this regard, the end goals of data minimization and limited accessibility are difficult to achieve in all types of blockchains, even if the blockchains have the feature of pseudonymity built in. For example, in public blockchain networks like ‘Bitcoin’ and ‘Ethereum’, the transactions are accessible to the public, and thus, data protection is not provided by default there.