Blockchain technology has many exciting potential applications that could solve (or facilitate the solving of) many problems facing us. Its identity management properties could be a boon to the problem of tracking and identifying migrants or identifying property owners after a natural disaster. Banking and investment transactions could be made simpler and more secure. Blockchain may even make the simple act of voting safer.
Chances are that by now you are aware of the many potential blessings of blockchain technology. Goodness knows, we’ve covered many of these benefits in great detail over the past year in this space. The blockchain is not only the basis for Bitcoin and other cryptocurrencies, but a potential solution to many prickly problems in the world today revolving around information technology. But its prospects may be dimmed with the advent of the EU’s General Data Protection Regulation (GDPR).
This is both a problem and a conundrum. On one hand, the law will dictate that individuals have the right to change or delete data online. On the other, you have the public ledger that is blockchain, which counts its unchangeability among its strengths. This is what guarantees the reliability of the information stored in the blockchain. So, how does one square that circle, i.e., the EU’s requirement that user data be removed on request, and blockchain’s immutable nature?
Changing or altering data and blockchain technology are like oil and water—they just don’t mix. “This is where blockchain applications will run into problems and will probably not be GDPR compliant,” opines MEP Jan Philipp Albrecht. And with the penalty for running afoul of the GDPR pegged at about $25 billion or 4 percent of a company’s turnover, you can see why some companies might be in no hurry to embrace blockchain applications.
An article in iapp.org explains that there are primarily two types of blockchain – private “permissioned” blockchains and public “permissionless” blockchains. Private blockchains are made up of a limited group of entities – perhaps financial institutions – seeking to streamline and facilitate transactions. Here, as the article details, “it is technically possible to rewrite the data held on a blockchain.”
The public or “permissionless” blockchain is a horse of a different color, however, and is most problematic if one wants to be simpatico with the GDPR. As it currently stands, with this type of blockchain there is no realistic way to remove bits and pieces of information. What this portends is that since blockchain, in some form or other, is likely to be a player in information storage and data, the GDPR is obsolete even as it becomes law.
John Mathews, the chief finance officer for Bitnation, a project that aims to provide blockchain-based identity and governance services, says as much:
“Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user’s data, which is the opposite of what a ‘permissionless’ blockchain does.”
And he has company in this assessment from other experts. The consensus seems to be that the GDPR, and perhaps other initiatives like it, were drafted in a way that suggests an information landscape as the regulators would like it, as opposed to the way the state of technology actually is. And the way things are makes it untenable for blockchain and the GDPR to coexist without clashing.
Some observers say there might be hope for the private, “permissioned” category. But the public, “permissionless” blockchain does not have limited participants, is decentralized, and presents a thornier, if not impossible, situation.
In that instance, according to Interplanetary Database co-founder Greg McMullen, “you can’t have a contract with [all] the nodes on the Ethereum network. It’s unfeasible.” Therein lies the rub and the conundrum. Who is responsible for data protection in a decentralized system? The problem is that, by its very definition, the decentralized network is impervious to censorship because there is no central body that is accountable and, thus, able to regulate it. This is so cumbersome, and the liability so great for companies, that they would be reluctant to use a blockchain.
One way around this would be to put “hashes” of personal data into the blockchain rather than the personal data itself:
“Hashes are mathematical derivations of data that, if properly implemented, cannot be reverse-engineered to expose the data that’s being represented – but you can use them to verify the underlying data.”
McMullen suggested that this is one way for a company using blockchain to be GDPR compliant. If a blockchain holds hashes instead of the underlying data, it could be possible to delete the data without having to alter the blockchain.
Since it is unlikely that the law – especially such a newly-minted one – is going to bend to the technology, the technology is going to have to adapt to the law. Or maybe there will be some accommodation between the two positions. So, for example, using “hashes” would be a way of not exposing the data to the public internet, where it is definitely going to fall under the purview of the GDPR. Hence corporations would bend toward the law but would still protect the privacy of data, and that would be “very good for user privacy” in McMullen’s view.
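The pattern McMullen describes can be shown in a few dozen lines. The following is an added illustration written for this article, not code from IPDB, Bitnation or any product named here. It assumes an in-memory append-only chain standing in for the public ledger, an off-chain database held by the data controller, and SHA-256 over a per-record random salt as the “hash”; the record names and fields are constructed sample data. The salt is the “properly implemented” part of the quote above: a plain hash of low-entropy personal data (an e-mail address, a date of birth) can be matched against a list of candidates, so the example also shows why the unsalted variant would not protect the data subject.

```python
"""Hash-commitment pattern for GDPR erasure on an immutable ledger (added example).

Personal data lives off-chain with the controller; only a salted SHA-256 digest
is appended to the chain.  Verification recomputes the digest from the off-chain
data and salt.  Erasure deletes the off-chain record and its salt; the chain is
never rewritten, and the surviving digest is unlinkable without the salt.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so identical data always yields the same digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commitment(salt: bytes, record: dict) -> str:
    # Salted digest: the salt is stored only off-chain, next to the data.
    return hashlib.sha256(salt + canonical(record)).hexdigest()


def plain_digest(record: dict) -> str:
    # Unsalted digest, included only to demonstrate the weak variant.
    return hashlib.sha256(canonical(record)).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    commitment: str  # the only per-person value that ever reaches the chain

    def hash(self) -> str:
        payload = f"{self.index}|{self.prev_hash}|{self.commitment}".encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    """Append-only chain; a stand-in (assumption) for a public blockchain."""

    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, "genesis")]

    def append(self, com: str) -> int:
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.hash(), com))
        return self.blocks[-1].index

    def is_intact(self) -> bool:
        # Every block must still point at the hash of its predecessor.
        return all(self.blocks[i].prev_hash == self.blocks[i - 1].hash()
                   for i in range(1, len(self.blocks)))


class OffChainStore:
    """The controller's own database: holds the personal data and the salt."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records = {}  # block index -> (salt, record)

    def register(self, record: dict) -> int:
        salt = os.urandom(16)
        idx = self.ledger.append(commitment(salt, record))
        self.records[idx] = (salt, record)
        return idx

    def verify(self, idx: int, record: dict) -> bool:
        # Proves that presented data matches the on-chain digest; needs the salt.
        if idx not in self.records:
            return False
        salt, _ = self.records[idx]
        return hmac.compare_digest(commitment(salt, record), self.ledger.blocks[idx].commitment)

    def erase(self, idx: int) -> None:
        # Right to erasure: drop data and salt off-chain; the ledger is untouched.
        self.records.pop(idx, None)


def unsalted_guess(digest: str, candidates):
    # Why the salt matters: an unsalted digest of guessable data is recoverable
    # from a candidate list, a salted one is not.
    for cand in candidates:
        if plain_digest(cand) == digest:
            return cand
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore(Ledger())
    store = OffChainStore(ledger)
    alice = {"name": "Alice Example", "email": "alice@example.test"}  # constructed
    idx = store.register(alice)
    print("verify before erasure:", store.verify(idx, alice))
    store.erase(idx)
    print("chain intact after erasure:", ledger.is_intact())
    print("verify after erasure:", store.verify(idx, alice))
```

Running the script registers a record, verifies it, erases it, and shows that the chain is still intact afterwards while verification of the erased record fails. The design choice worth noting is that the salt is deleted together with the data: a lone salted digest on a public chain then carries no recoverable personal data, whereas an unsalted digest of an e-mail address could still be matched from a candidate list.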