Blockchain VS Privacy: Are We on the Cusp of a Harmonious Coexistence or Still Facing an Impasse?
Summary: Discover how businesses in the EU and EEA can leverage blockchain technology while addressing significant privacy concerns under GDPR. Explore strategies to navigate privacy challenges posed by public blockchains, and learn how to strike the balance between groundbreaking innovation and strict data protection regulations.
Authors:
Tatiana Kontariova
Associate
Blockchain technology offers exciting possibilities, but it also raises significant privacy concerns. In this article, we focus on the General Data Protection Regulation (GDPR) standards as the benchmark for data protection legislation. If your business operates in the EU or EEA, or targets their market, and processes personal data using blockchain, you need to find ways to balance innovation with compliance. This article focuses on public blockchains, which tend to pose greater privacy risks than private ones. Keep in mind that these are general reflections only, and nothing in this article constitutes legal advice.
Blockchain In Simple Words
In general, a blockchain works by grouping multiple transactions into “blocks”, which are then linked together in a continuous chain through hashing: each new block contains the cryptographic hash of the block before it, so altering an earlier block would break every link that follows. What makes blockchain unique is that once a block is added, it cannot be changed or removed. This means blockchain is considered an “append-only” data structure. While this feature enhances security and transparency, it also creates challenges for complying with GDPR, which sometimes requires data to be changed or deleted.
Personal Data Stored on Blockchain
According to the GDPR, personal data refers to any information that identifies or can reasonably identify an individual (‘data subject’), either directly or indirectly. Even if you don’t know exactly who someone is based on the data you have, if it’s possible to figure it out, that data is still considered personal.
When you hear “blockchain data,” what comes to mind? Likely public keys, along with transaction details, right? You may wonder whether this type of data is considered personal data. Public keys, which work like account numbers shared with others, are strings of symbols that obscure the identity of the owner, making it difficult to link them to a specific person. So, on their own, public keys and associated transaction data aren’t usually considered personal data. However, if these keys are combined with other information, like a username or nickname, the owner’s identity might be revealed, and at that point, the data becomes personal.
In general, there are a few ways personal data can end up on a blockchain, such as:
- Travel Rule. According to new Financial Action Task Force (FATF) recommendations, virtual asset service providers (VASPs) might be required to share details about the sender and receiver of virtual asset transfers, similar to how banks exchange such details over the SWIFT network. This could lead to personal data being recorded on the blockchain.
- Decentralised Web Hosting. Instead of storing website data, which could include personal data, on one central server, decentralised hosting spreads the data across multiple computers or nodes. This could result in personal data being stored on the blockchain.
- Blockchain Identity Verification. Blockchain technology is transforming identity verification by allowing users to share verified credentials via encrypted keys, rather than repeatedly sharing personal information with numerous parties. However, using blockchain for identity verification raises privacy concerns if personal data ends up stored on public blockchains.
Understanding the above cases may help you to see how personal data might get onto a blockchain, even if it’s not intended.
Who Is a Controller of Blockchain Data
The GDPR is based on the idea that responsibility for data lies with the data controller — a person or entity deciding why (“purpose”) and how (“means”) data is processed. However, on public and permissionless blockchains, it’s not clear who the data controller is. To figure this out, we need to look at three key groups involved in blockchain:
- Users. The CNIL [1] believes that users who enter data into a blockchain and submit it for validation are considered data controllers in certain situations, including individuals processing personal data for professional or business purposes and entities registering personal data on a blockchain [2]. This may seem counterintuitive, since users often have no control over how data is processed once it’s on the blockchain. However, according to the broad CJEU interpretation of the data controller concept [3], excluding someone from being a data controller just because they don’t directly manage the data is inconsistent. Therefore, you are considered a data controller if you determine the purpose (“why” data is processed, such as entering into a contract) and the means (“how” data is processed, like choosing blockchain technology or the format used), even if you don’t directly control the personal data.
- Software Developers. It’s important to clearly define the level of influence over the purposes and means of data processing. A key point is that data controllers must always be the ones making decisions about the purpose of the processing [4]. Hence, software developers are unlikely to be considered data controllers, as they do not decide why data is processed and have little or no say in how it’s processed. Their role is more about providing the tools, not determining the data’s use.
- Miners and Nodes. Nodes are computers that store copies of the blockchain, and miners are the ones that validate and group transactions into blocks. There isn’t a clear consensus, but we believe nodes are not data controllers. Even though they have some control over how data is processed, they don’t decide the purpose of the transactions, which is a key part of being a data controller. For this reason, both nodes and miners are unlikely to be considered data controllers.
Fundamental Data Processing Principles VS GDPR
GDPR principles like fairness, transparency, integrity, and confidentiality generally don’t present issues in distributed ledger technology (DLT) and will not be discussed in detail here. Instead, we’ll focus on other principles that may pose challenges. Compliance with the accountability principle depends on how well the other GDPR principles and requirements are followed.
- Lawfulness. Personal data can only be processed if there’s a legal reason for it. If that reason no longer applies, the processing must stop. For example, a person can withdraw their consent or object to the use of their data. However, once personal data is added to a blockchain, it continues to be processed as long as the blockchain exists. Without a way to stop this processing, it becomes difficult to fully comply with the principle of lawfulness.
- Purpose Limitation. When collecting personal data, the reasons for doing so must be clear and specific, and any future use of that data must align with the original purpose [5]. When personal data is added to a blockchain, it remains on the ledger and continues to be processed through the consensus algorithm, even beyond the initial transaction. This raises the question of whether this ongoing use still fits the original purpose. For example, if we say the purpose is “maintaining a network for direct information exchange without intermediaries and ensuring the consensus algorithm works,” this is too broad and may not meet the GDPR’s requirement for specific and clear purposes. The CJEU would likely see it as too vague. The European Parliament also requires blockchain data controllers to clearly inform individuals that their data will continue to be processed beyond the first transaction. Each case needs to be carefully reviewed to make sure this continued processing follows other GDPR rules, like the right to delete data. If it doesn’t, simply informing people about how blockchain works may not be enough to comply with GDPR [6].
- Data Minimisation, Storage Limitation and Accuracy. Personal data should only be kept for as long as it’s needed for the purpose it was collected, and data controllers should only use the data that is necessary, keeping it accurate and allowing for corrections. However, on a blockchain, it’s almost impossible to change or delete data, meaning outdated information could stay there permanently. While blockchain’s unchangeable nature improves security, it conflicts with GDPR rights like deleting or correcting data. Because blockchain is decentralised, and every node typically stores a full copy of the data, personal data gets replicated many times. This makes it harder to follow rules like using only necessary data, limiting how long it’s stored, and ensuring its accuracy.
Data Subjects’ Rights
In this article, we place our focus on rights to complete, rectify, or delete personal data, as well as to object to its processing. Blockchains are designed as “append-only” ledgers, meaning once data is added, it’s difficult to change or delete it, much like writing in a permanent notebook. Even if it were technically possible to erase or correct data, it would be extremely complex to ensure all nodes in the network apply those changes.
The right to object means that a data controller must stop processing the data unless there is a strong, legitimate reason to continue that outweighs the individual’s rights. Could maintaining the integrity of blockchain records count as such a legitimate reason? While ongoing data processing is vital for blockchain to function, the rights of individuals may take precedence over the needs of the system and other blockchain participants.
For instance, in 2018, it was discovered that child pornography had been embedded in Bitcoin’s ledger [7]. This presents a clear challenge: in cases involving sensitive personal data, it would be difficult for any controller to argue that the rights of the victims should be considered less important than the interests of the controller and other ledger users in maintaining a blockchain. In any case, we believe that this matter will soon be addressed in the respective regulatory guidance, shedding light on this significant issue.
Solutions
In conclusion, the European Union Blockchain Observatory and Forum put it well: “There is no such thing as a GDPR-compliant blockchain technology. There are only GDPR-compliant use cases and applications.” [8] While blockchain and GDPR can work together, there are no widely accepted solutions approved by the European Data Protection Board (EDPB) or the CJEU yet. Keep in mind that the solutions below may not work for every case. They should be carefully reviewed and customized to fit your business needs.
- Hashing and Storage of Personal Data “Off-Chain”. This approach is based on two key ideas: a hash makes the original personal data impossible to access and deleting the original data makes the hash useless, even if other information on the blockchain exists. If someone requests their data to be erased, you can delete the off-chain data, leaving behind a meaningless hash on-chain. This method is supported by recommendations from CNIL, giving it some legal credibility.
- Encryption. This approach suggests that all personal data on the blockchain should be encrypted. In this case, destroying the decryption key would equal deleting the data. Another option is to let the person whose data is on the blockchain take responsibility for securing their private key. However, if that key is compromised, the data becomes vulnerable and cannot be deleted.
- Zero-Knowledge Proof (ZKP). This approach lets someone prove that something is true without showing any details behind it. Here are a few examples of how this works:
  - Proof of Identity. Through ZKPs, a person (‘prover’) submits their information to a computer algorithm for validation. If it’s correct, another party (the ‘verifier’) is notified that the prover’s identity is valid, but they don’t see the actual information — just the confirmation.
  - Proof of Password. Zero-knowledge password proof (ZKPP) can also prove that someone knows a password without revealing it. For example, an app can verify that a person knows the password without storing or processing it. Similarly, a payment app can check that an account has enough balance without seeing the exact amount.
  - Proof of Membership. Zero-Knowledge Set Membership (ZKSM) allows someone to show that a value belongs to a defined set without revealing which member of that set it is. For example, in the case of Dutch bank ING, ZKSM enables the bank to verify that a client resides within the EU without disclosing the exact country. This is helpful for projects that need to block users from restricted regions without sharing unnecessary details.
- Linkable Digital Multi-Signature (LDMS). This method is a complex solution that uses cryptographic tools and requires expert knowledge. It’s based on the Proof-of-Space system from SpaceMint cryptocurrency. Each blockchain block has three encrypted parts: proof, signature, and transaction subblocks. To delete a transaction, a special LDMS with one-time addresses is used. There are two ways for the sender of a transaction to request deletion:
  - Identity-Based Deletion. The sender reveals their identity, creating two signatures that other users on the blockchain verify. Once confirmed, the public key is revealed, allowing the deletion to happen.
  - Content-Based Deletion. The sender reveals the transaction content, triggering a process called a Pedersen commitment scheme, one of the algorithms used in the Confidential Ring Transaction Protocol. Other users verify if the value is correct, and if it is, the transaction can be deleted.
Roughly speaking, when a transaction is deleted, its details are replaced with a signature, and this change is shared across the network. However, there are some issues: all transactions in a block must come from the same sender, which may not work in every case. Also, if the transaction contains personal information, revealing the sender’s identity or transaction details could expose sensitive data.
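The “off-chain” hashing and key-destruction approaches from the list above, as an added example that is not part of the original article: personal data lives in an off-chain store together with a random per-record key, only a keyed commitment (HMAC-SHA256) is appended to the ledger, and erasing the off-chain record makes that commitment unlinkable. It also shows why a plain, unkeyed hash is the weaker variant: a hash of guessable data such as an e-mail address can still be matched against candidate values after the off-chain copy is gone. All class and function names, and the sample address, are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def commit_keyed(key: bytes, data: bytes) -> str:
    """On-chain value: HMAC-SHA256 of the data under the record's random key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def commit_plain(data: bytes) -> str:
    """Unkeyed SHA-256, included only to show the weaker variant."""
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Append-only chain of commitments; entries are never removed."""
    def __init__(self) -> None:
        self.entries: list[str] = []
    def append(self, commitment: str) -> None:
        self.entries.append(commitment)

class OffChainStore:
    """Personal data plus a per-record key; erasure happens here, not on chain."""
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}
    def put(self, record_id: str, data: bytes) -> bytes:
        key = secrets.token_bytes(32)          # fresh key for every record
        self._records[record_id] = (data, key)
        return key
    def erase(self, record_id: str) -> None:
        self._records.pop(record_id, None)     # data and key destroyed together
    def verify(self, ledger: Ledger, record_id: str) -> bool:
        """Re-derive the commitment from the stored record; False once erased."""
        rec = self._records.get(record_id)
        if rec is None:
            return False
        data, key = rec
        return commit_keyed(key, data) in ledger.entries

def linkable(commitment: str, candidates: list[bytes]) -> bool:
    """Can an on-chain value be matched by hashing guessable inputs?"""
    return any(commit_plain(c) == commitment for c in candidates)

if __name__ == "__main__":
    # Constructed sample: one e-mail address is registered, then erased.
    store, ledger = OffChainStore(), Ledger()
    key = store.put("r1", b"alice@example.com")
    ledger.append(commit_keyed(key, b"alice@example.com"))
    print(store.verify(ledger, "r1"), end=" -> ")
    store.erase("r1")
    print(store.verify(ledger, "r1"))
```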
[1] - French Data Protection Agency, Commission Nationale Informatique & Libertés (CNIL)
[2] - The CNIL: Solutions for a responsible use of the blockchain in the context of personal data
[3] - The Court of Justice of the European Union (CJEU) judgement in C-131/12 (Google Spain), par. 34
[4] - European Data Protection Board, Guidelines 07/2020 on the concepts of controller and processor in the GDPR (September 2, 2020)
[5] - Article 29 Working Party, Opinion 03/2013 on purpose limitation (WP 203) 00569/13/EN, 3
[8] - EU Blockchain Observatory and Forum’s report, October 2018