Business Standard

A blockchain, data protection conundrum

ARUSHI GOEL. The writer is an ex-judge and technology lawyer.

The Holy Grail for both blockchain and the General Data Protection Regulation (GDPR) enacted by the European Union remains the user's control over her own data. However, the implications of the use of blockchain for data ownership, control and monetisation conflict with the GDPR's implementation in two significant ways.

Identifica­tion of data controller

First, under the GDPR, a data controller is assumed to be a centralised authority responsible for determining the purposes and means of the processing of personal data. In a permissioned blockchain, there may exist a centralised authority that controls the way data is fed into and processed on the chain, and therefore the identity of a data controller or a data processor is easier to establish. The situation, however, is more complicated in a public blockchain, where there is no controlling authority or even a clearly identified set of entities who take responsibility for the data. In the scenario of a data leak on the bitcoin blockchain, for example, it would not be possible to hold the developers of bitcoin responsible.

Right to be forgotten

Second, the challenge arises with respect to Article 17 of the GDPR, which is the right to be forgotten. This right entails that a data subject should have the right to have her personal data erased where the personal data is no longer necessary in relation to the purposes for which it was collected, where the data subject withdraws consent to the processing of her personal data, or where the processing of personal data does not comply with the GDPR. The right to be forgotten is not an absolute right, but is exercisable by a data subject under the specific circumstances outlined in Article 17.

In a blockchain, it is difficult to realise such rights because, by its very nature, a blockchain is an immutable ledger of information. Any change purported to be made in one block will also lead to change in the preceding blocks and therefore destroy the integrity of the data. As an illustration, think of a blockchain providing a ledger of medical records to allow easy portability across hospitals, doctors, insurance companies and the patient. In this blockchain, X voluntarily logs her medical records for the purpose of obtaining health insurance from a private health provider. This validated record is available to the insurance company after she grants it the necessary access. Say that after a few years she wants her medical records taken off the blockchain because she intends to move to another insurance company. However, the very nature of blockchain does not allow her to remove her records. How can she then realise her right to be forgotten? Given the stage at which the technology exists, it appears that it would be difficult for her to remove her medical data from the blockchain, though she is free to move to another company for her insurance needs. In a permissioned blockchain, removal of records is also a challenge, albeit

Fundamentally, there needs to be clarity about what it means for data to be erased. Does it mean that the data should cease to exist on the platform, or would mere inaccessibility of the data render compliance sufficient? These are some of the questions that will need to be answered in due course.

Going forward

In order to make blockchains GDPR-compliant, there have been attempts to use a model in which the data is stored off-chain while only a hash and the metadata of the personal data are stored on the blockchain. While this means that personal data can be modified or erased at will, it reduces the accountability that is built into a blockchain. Balancing trust and privacy is a tightrope that blockchain solutions will need to walk in the coming years. It is, therefore, a conundrum that the very technology meant to maintain the integrity of data is at odds with the law that endeavours to protect personal data. Is the answer, then, centralised databases, where the GDPR is far more easily implementable? But isn't that exactly what blockchain intended to avoid: centralised authorities? With the enactment of the GDPR and similar laws across the globe, it appears a Rubicon has been crossed, but how it will engage with existing and future technologies, only time will tell.
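A minimal model of that off-chain pattern, added here as an illustration rather than taken from the article: the personal data and a per-record key live in an off-chain store, only a commitment and metadata are appended to the chain, and erasure deletes the off-chain record so the commitment can no longer be matched while the chain itself stays intact. The ledger, store and record formats are hypothetical, and the keyed (HMAC) commitment is a design choice the article does not mention, used because a bare hash of a short record could be checked against guesses.

```python
import hashlib
import hmac
import json
import secrets

def _digest(prev, payload):
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []  # append-only; each block's hash covers the previous block's hash

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": _digest(prev, payload)})

    def intact(self):
        # Recompute every link; editing any block breaks every link after it.
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or _digest(prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

def commit(data, key):
    # Keyed commitment: the on-chain value cannot be tested against guessed records without the key.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def register(ledger, store, record_id, data):
    # Personal data and its key stay off-chain; only the commitment and metadata go on-chain.
    key = secrets.token_bytes(32)
    store[record_id] = (key, data)
    ledger.append({"record_id": record_id, "commitment": commit(data, key), "meta": "medical_record"})

def verify(ledger, store, record_id):
    if record_id not in store:
        return False
    key, data = store[record_id]
    return any(b["payload"]["record_id"] == record_id and
               b["payload"]["commitment"] == commit(data, key) for b in ledger.blocks)

def demo():
    # Constructed scenario from the article: X registers a record, later asks for erasure.
    ledger, store = Ledger(), {}
    register(ledger, store, "X-001", b"X: blood group O+, no chronic conditions")
    before = verify(ledger, store, "X-001")
    store.pop("X-001")  # erasure: data and key go; the on-chain commitment stays, orphaned
    return before, verify(ledger, store, "X-001"), ledger.intact(), len(ledger.blocks)
```

After erasure the block count is unchanged and the chain still validates, which is the accountability the article says survives, while the orphaned commitment can no longer be tied to X without the deleted key and record.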
