Blockchain technology thrives on transparency and immutability, both of which seem directly opposite to user data privacy.
Its 2018 and the two buzzwords you must have heard by now is Blockchain technology and GDPR. Blockchain constructs an immutable ledger of data that can be viewed and verified by anyone. The data on Blockchain is intended to stay forever, by design any change in already written data corrupts the ledger and invalidates the entire chain. GDPR or General Data Protection Regulation is a regulation in EU law that guarantees user’s some basic rights regarding their personal data stored online. You can view the complete official GDPR document here. The key points of GDPR are that user data must be private and the user has the right to be forgotten (erasure).
For a little bit of background, the discussion on GDPR started around 2012, back then blockchain technology was limited to just cryptocurrencies. The technology is still evolving and has the potential to transform several industries. The ideals of Blockchain technology and GDPR are polar opposites.
First let us go over some basic concepts of blockchain that are completely at odds with GDPR,
Blockchain is being touted as a trustless system, or a system where the trust is built into the architecture. This immutability of transactions or the inability to erase or modify a transaction once it has been written to the chain is one of the key factors that ensure this trust. This is in direct violation to the right to erasure in GDPR.
You cannot modify or erase a transaction once it is written on the blockchain.
Not only are transactions not editable, but these transaction are visible to all nodes in the network. Consider Bitcoin, right from the genesis block (the first block in a blockchain), all the blocks and the transactions can be independently viewed and verified. In fact if you want to start mining Bitcoin, you have to do exactly this process before you can get started with mining. This transparency is an advantage when we are talking about a crypto-currency but not so much in other applications like banking. Private blockchains have a different take on transparency, but it is still guaranteed in many ways.
The article 15 of GDPR, states ‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed’. This can never be guaranteed in a public blockchain.
In a public blockchain there is no control over who can host a node, any person or corporation in any part of the world can setup a node and join the network. An important aspect of GDPR is the fact that personal data is not to leave the EU, and if it can not be avoided only to countries permitted by the EU. This guarantee can only be given in case of a private blockchain.
Solution or Workaround?
The most obvious solution to the above paradox is the hybrid storage model. We can store the personal data off-chain, in a traditional database where the data can be erased and access restricted. This model is already used in blockchains that handle a large amount of data, where storing the data on the blockchain is not technically feasible. In this case, only a reference to the data is stored on the blockchain. This solution however increases complexity and costs related to data storage. Spreading data across centralised company servers also invites a lot of compatibility issues when using blockchain.
This workaround however has some major drawbacks, it goes against all the principles that blockchain stood for — decentralisation, transparency and immutability. If a blockchain cannot guarantee decentralisation and immutability, then is it even worth implementing?
The goal of GPDR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.”
But the current definition of GDPR and blockchain cannot exist symbiotically. Workarounds are always possible, but the result cannot be called a blockchain, it is a Distributed Ledger. Blockchain will be used merely as an indexing table, not utilising a lot of benefits that comes with this technology.