    Working with Blockchain in the Era of GDPR and Personal Data Protection

    Summary: In this article, Illia Shenhelia, a CIPP/E and CIPM certified privacy expert, highlights the pitfalls blockchain projects might encounter when dealing with personal data, as well as solutions to avoid substantial fines for breaching European legislation

    Authors:

    Illia Shenhelia

    Associate partner

    Blockchain and GDPR have become some of the most talked-about topics in the tech community in recent years. Privacy on the blockchain also often comes up, so an article on this subject was inevitable.

    This material was prompted by reports from the French data protection authority (CNIL) and the European organization "EU Blockchain Observatory & Forum."

    Definitions To Understand

    We will try not to delve too deeply into legal intricacies, but it's necessary to recall three key terms:

    Personal Data:

    Any information that directly or indirectly identifies an individual. Depending on the context, this could be a name, address, employment data, email, or IP address. Interestingly, even a public key, if combined with other information that helps identify a person, can be considered personal data according to GDPR.



    Data Subject:

    Any individual in the EU whose personal data is processed. For convenience, we will refer to the data subjects as



    Data Processing:

    Any operations performed on personal data, including collection, usage, and transfer.



    Who Does GDPR Apply To?

    If a company is an EU resident, it must comply with GDPR when processing personal data, regardless of where the data is actually processed.

    For companies registered outside the European Union, the Regulation applies to them only if they process the personal data of subjects located within the Union, on the condition that such companies offer their goods/services or monitor the behavior of subjects in the EU.

    The same rules apply to individuals, but only if the processing of personal data is related to professional or commercial activity (i.e., it's not done for strictly personal reasons).

    It's crucial to note that the above is a brief summary of general rules, without considering nuances and exceptions that might be available for a given project.

    Who is Responsible in the Case of Blockchain?

    In personal data operations, the Regulation defines two key roles – controllers and processors of personal data:

    Controller:

    A person who determines how and why personal data is collected and processed.



    From a blockchain perspective, the controller can be considered a user who enters personal data into the blockchain. This is because such a user independently decides to use the blockchain as a means of processing data.

    Processor:

    A person who performs any operations with personal data on the controller's instructions and in their interest.



    In terms of blockchain, a processor can be seen as a miner who confirms a transaction with data in the network, as well as the owner of a smart contract that processes personal data.

    Subjects' Rights

    The Regulation provides subjects with a broad set of rights, some of which can easily be implemented on the blockchain, such as the "right to access" and the "right to transfer." Unfortunately, it's not so simple with other rights.

    For example, a subject has the right to demand the deletion or modification of their data, or even to forbid its processing, which contradicts the principles of blockchain operation. The task becomes technically impossible if the data is entered into a public blockchain, like the Bitcoin network.

    Smart Contracts

    GDPR guarantees subjects the right to human intervention in data processing that is automated, for instance, when a subject believes that algorithms are incorrectly working with data. Moreover, the subject has the right to express their viewpoint and contest the decisions made.

    Smart contracts, which are an integral part of some blockchains (the most famous being Ethereum), may violate these rights, as full automation excludes the possibility of human intervention in the operation of the contract or the amendment of data.

    Data Transfer Outside the EU

    Data transfer outside the European Union is only permitted to countries with an adequate level of personal data protection. For data transfer to other countries, such as Ukraine, additional protection measures are required for each data recipient, such as concluding a personal data processing agreement with Standard Contractual Clauses.

    In the case of a public blockchain, fulfilling these requirements is impossible. For a private blockchain, the simplest solution to this problem might be to restrict network access so that only participants located in the EU, or in one of the countries with an adequate level of data protection, can join. Otherwise, entering data into the blockchain will likely violate GDPR requirements.

    The "51% Attack"

    This point is quite obvious but still worth mentioning. All possible measures must be taken to avoid a potential "51% attack," as in such cases, personal data can be altered or deleted by malicious actors.

    Data Retention Period

    According to the principle of limited retention, personal data must not be stored for longer than is necessary for the purposes for which they are processed. In other words, you cannot store data just for the sake of it. For example, if you collected data to fulfill a contract, after the contract has ended or the minimum storage period specified by law has expired, the data must be deleted or anonymized.

    Consequently, when processing personal data using blockchain technology, there must be a real possibility for their subsequent deletion or anonymization.

    It’s essential not to forget that processing personal data requires a sufficient legal basis. Processing data without a basis is prohibited. The most common grounds for data processing include the subject's consent, contract performance, or the controller's legitimate interest. The latter allows the controller to process data without the subject's consent if the controller believes that their legitimate interest in processing outweighs the fundamental rights and freedoms of the subject (this basis requires a preliminary legal analysis).

    Recommendations

    As with any case of personal data processing, the company must independently define a specific set of actions that will allow it to be 'GDPR compliant.' And, of course, it's crucial to address all potential risks with a privacy specialist.

    The main recommendation is not to enter personal data into a public blockchain. While a private blockchain, with the correct approach, can still comply with the Regulation's requirements, a public blockchain is technically incompatible with GDPR mandates. This view is also shared by the state regulators of European Union countries.

    Unless absolutely necessary, avoid entering personal data into the blockchain, at least not in its "pure" form. Instead, consider one of the following solutions:

    Commitment scheme: Data is entered into the blockchain as a commitment, which cannot be read without a key.

    Hashing: Personal data is hashed, and only the hash, verifying the data's accuracy and existence, is entered into the blockchain.

    Encryption: Data is entered into the blockchain in encrypted form and cannot be read without a key.

    Data anonymization: GDPR does not apply to anonymized data, making it an excellent solution for blockchain projects. It's important to note that anonymization must meet high standards.

    In the case of hashing, deleting the external data source renders the hash meaningless. For commitment and encryption, data deletion is equated with the deletion of the key that allows reading the data recorded in the network.
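    The commitment and hashing options above, together with "deletion by destroying the key", as an added Python example that is not part of the article or the authors' work. The `Ledger` and `OffChainStore` classes are stand-ins for an append-only blockchain and a controller's own database; the commitment is an HMAC-SHA256 over the data under a random per-subject key, and the sample e-mail address is constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def commit(data: bytes, key: bytes) -> str:
    """Commitment = HMAC-SHA256(key, data): hides the data, binds to it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def bare_hash(data: bytes) -> str:
    """Plain SHA-256 of the data (the 'hashing' option, no secret involved)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Ledger:
    """Append-only stand-in for a blockchain: records are never removed."""
    records: list = field(default_factory=list)

    def append(self, value: str) -> int:
        self.records.append(value)
        return len(self.records) - 1


@dataclass
class OffChainStore:
    """Controller's mutable store for data and keys: the only erasable part."""
    entries: dict = field(default_factory=dict)


def register(ledger: Ledger, store: OffChainStore, subject: str, data: bytes) -> int:
    """Keep data and key off-chain; put only the commitment on the ledger."""
    key = secrets.token_bytes(32)
    store.entries[subject] = (data, key)
    return ledger.append(commit(data, key))


def verify(ledger: Ledger, store: OffChainStore, subject: str, idx: int) -> bool:
    """Open the on-chain commitment; fails once the off-chain key is gone."""
    entry = store.entries.get(subject)
    if entry is None:
        return False
    data, key = entry
    return hmac.compare_digest(ledger.records[idx], commit(data, key))


def erase(store: OffChainStore, subject: str) -> None:
    """GDPR erasure: delete the off-chain key; the ledger entry is now inert."""
    store.entries.pop(subject, None)


def links_to_candidate(ledger_value: str, candidate: bytes) -> bool:
    """Can a ledger value be matched by recomputing a bare hash of a guess?"""
    return hmac.compare_digest(ledger_value, bare_hash(candidate))
```

    A bare hash of a guessable value such as an e-mail address can be matched by recomputing it from a candidate, so it is not anonymized by itself; the keyed commitment, by contrast, becomes unopenable and unlinkable once the key is erased.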

    When developing a smart contract that will process personal data, it's recommended to incorporate the possibility of intervention in its operation, at least regarding personal data.

    Furthermore, to minimize risks in working with personal data, protocols like 'zero-knowledge proof' and 'secure multi-party computation' can be used. These protocols allow the verification of data accuracy without granting access to the data itself.
