On May 25th, 2018 a new privacy law took effect in Europe. The GDPR or General Data Protection Regulation, and it gives EU citizens control over who controls their personal data and over what happens with it. It’s the reason why you are bombarded with popups asking your permission to gather and process your personal data. It’s the same reason that e-mail newsletters ask you if you’re still interested in them and why a lot of companies are suddenly making it easier to grab a copy of the data they have on you.
Companies from all over the world are working quickly to make sure they are GDPR compliant because otherwise, they face the risk of paying heavy fines. However, Blockchain technology is changing everything so what happens when a blockchain contains personal data? The problem with the data on blockchains is that it is:
In most cases, the data controller and the Data processor is the same entity, however, the burden of complying with the GDPR lies with the Data controller. Let’s also make a note here, that the GDPR is only in play when the personal data of EU citizens are involved. Any company storing information of EU citizens have to follow the regulation, including Facebook or Apple.
EU law states that personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This is a broad definition, which essentially means any data such as an IP address, a Bitcoin wallet address, a credit card or any exchange, if it can be directly or indirectly linked to you, it can be defined as personal data.
The 3 GDPR Articles that conflict with Blockchain properties
Encryption – A popular solution would be to encrypt person HK Blockchain al data before storing it on a distributed network. Which means, only those with the decryption key have access to the data. The moment this key is destroyed, the data becomes useless. This is acceptable in some countries such as the UK however, there are others who argue that strong encryption is still reversible. With advances in computing, it’s only a matter of time when encryption could be broken at faster rates and the personal data would be available again. The debate for encryption still rages on.
Permission Blockchains – In a public chain, anyone can put new data on the chain and the data is visible for everyone to see. However, in a permission blockchain, access is controlled and only given to a few known and trusted parties. This makes permission distributed network Article 18 compliant. But unfortunately, it doesn’t comply with Article 17, and the right to be forgotten. Even in a permission chain, the data is still immutable and cannot be deleted or edited. A possible solution to this would be to store the data on a secure server with read and write access. We then store a reference to that data on our blockchain via a link using a hash function. We can store this hash on the blockchain. Hash functions are popular for verifying the integrity of the files on our secure server. Also, hash functions cannot be reverse engineered to reveal data. If we delete the data on the server, the hash function becomes useless and is no longer becomes personal data.
Zero Knowledge Proof – Zero-\ Knowledge protocol is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x. This is quite perfect for verifying things like age-gates for example without revealing birthday information with Data collectors. Zero knowledge proof may be a possible solution to GDPR outside of blockchains.