Thursday 01 March 2018

Blockchain and the GDPR: one almighty collision

Image: BuzzParadise, CC licence

Do you like Blockchain? Who doesn't, right? Companies are falling over themselves to Blockchain All The Things, with companies that add "Blockchain" to their names multiplying in value in one fell swoop. There is one problem with Blockchain, however, that hasn't gained much attention until now: the EU's General Data Protection Regulation, or GDPR.

Let's put Blockchain to the side for one second, and focus on GDPR. Many of you will have heard of it, and consultancies are queueing up to offer GDPR advice at cost.

It has two key planks. The first is that it provides legal protection to European citizens, in terms of how their data is used and by whom. The second is the handling of that data and where it is exported to - and how. This is the complex and costly bit for companies, as many are considering moving their hosting and cloud services from the US to within the EU in order to comply with the GDPR's export directives. (This plank is also quite complex, as while the GDPR is EU law, the export "footprint" is the larger area of the EEA).

Now that the introduction is out of the way, let's skip to Article 17 of the Regulation:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

This is the "right to be forgotten" which companies, particularly social media services, have long fought against, and has caused considerable social unease. This right finally becomes a law, and is completely neutral as to which technologies or services it applies to.

There's one problem.


If you share personal data within a Blockchain, then it's retained there ad infinitum. The only way to get rid of it is to fork the chain and weed out the data which the user has requested to delete. That's potentially fine if it's one record, but if you're storing hundreds of thousands of customer records - which, as a simplistic example, is what Blockchain is supposedly for - then there's a problem. When you multiply that problem across every node in a decentralised network, it mutates from a problem to a full-blown nightmare. The managerial and technical overhead will be immense, and you'll end up with more forks than your grandmother's cutlery drawer.
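To make the "fork or nothing" point concrete, here is an added example (not code from the original post, and not any real blockchain's implementation) using a toy SHA-256 hash chain with a handful of constructed customer records. It shows that overwriting a record in place breaks verification from that block onward, and that the only clean erasure is to rebuild the chain, which changes the hash of every block after the erased one; every node then has to adopt the rebuilt chain.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record: dict   # personal data written directly on-chain (the problem case)
    hash: str


def block_hash(index: int, prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps([index, prev_hash, record], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records: List[dict]) -> List[Block]:
    """Link each record to the previous block's hash, starting from a fixed genesis value."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append(Block(i, prev, rec, h))
        prev = h
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose link or hash no longer verifies, or None if the chain is intact."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or block_hash(b.index, b.prev_hash, b.record) != b.hash:
            return b.index
        prev = b.hash
    return None


def erase_in_place(chain: List[Block], subject_id: str) -> List[Block]:
    """Naive 'deletion': overwrite the subject's record but keep the stored hashes. This is what
    a single node can do locally, and it leaves the node unable to verify its own chain."""
    return [
        Block(b.index, b.prev_hash, {"erased": True}, b.hash)
        if b.record.get("subject_id") == subject_id else b
        for b in chain
    ]


def fork_and_erase(chain: List[Block], subject_id: str) -> Tuple[List[Block], int]:
    """Proper erasure: rebuild (fork) the chain with the record tombstoned.
    Returns the new chain and the number of blocks whose hash had to change."""
    records = [
        {"erased": True} if b.record.get("subject_id") == subject_id else b.record
        for b in chain
    ]
    new_chain = build_chain(records)
    rehashed = sum(1 for old, new in zip(chain, new_chain) if old.hash != new.hash)
    return new_chain, rehashed


# Constructed sample data: six customer records, one per block, oldest first.
SAMPLE_RECORDS = [
    {"subject_id": f"s-{n:03d}", "email": f"user{n}@example.invalid", "plan": "basic"}
    for n in range(1, 7)
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("original chain verifies:", first_invalid_block(chain) is None)
    print("in-place erase breaks at block:", first_invalid_block(erase_in_place(chain, "s-002")))
    forked, rehashed = fork_and_erase(chain, "s-002")
    print("fork verifies:", first_invalid_block(forked) is None, "| blocks rehashed:", rehashed)
```

Erasing the second of six records forces five blocks to be rehashed; on a real ledger the count is every block written since that customer's data landed, and the rebuilt chain has to be pushed to, and accepted by, every node.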

As John Mathews of Bitnation told David Meyer:


"From a blockchain point of view, the GDPR is already out of date. Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user's data, which is the opposite of what a permissionless blockchain does."


Private Blockchains are theoretically immunised from this problem, but public Blockchains are not.

While this in no way constitutes legal advice, perhaps Article 17(1)(a) gives public Blockchain a loophole. For the deletion to be enforced, the data "...are no longer necessary in relation to the purposes for which they were collected or otherwise processed". But in a Blockchain, all of the data from the chain's inception is necessary in order for the trustless consensus to continue. In a sense, GDPR-covered personal data in a Blockchain is like each brick in Jenga: the tower only stands while everything integral to it is in place, and falls down if something is needlessly taken out.

There's almost certainly a fudge coming up to rectify this problem. In the meantime, consultancies offering both GDPR and Blockchain advice to clients will need to connect the dots before they end up looking very stupid.
