Ardi Kolah – How GDPR effects Blockchain
Some commentators think the future of data processing is blockchain. Ardi Kolah LL.M, Executive Fellow, Henley Business School, privacy consultant and data blogger questions this perceived wisdom and explores whether blockchain really does give organizations superhuman powers when it comes to processing data or is blockchain an interim distributive technology?
The integrity and protection of personal data is a massive business continuity, risk and technology issue for companies around the world in sectors such as healthcare and banking.
And there’s also a double-whammy.
Organizations must comply with higher global standards in data protection, privacy and security brought about by the General Data Protection Regulation (GDPR) and other comparable data protection laws and regulations starting to emerge in other countries such as Brazil, California, Dubai, India and Singapore.
A simple explanation of blockchain
Blockchain is a distributed database that exists on multiple computers (or nodes) all at the same time. This can be public or private (or permissioned) blockchains.
The chain is constantly expanding in length as new sets of recordings or ‘blocks’ are added to it by users in the blockchain.
Each block contains a date/timestamp as well as a cryptographic image/link to the previous block, so they form an unbroken link in a long chain of transactions within a single blockchain.
The database of these recordings and transactions isn’t managed by a single point of control but everyone in the network of computers gets a copy of the whole database.
This ‘open source’ and transparent form of data processing means that old blocks are preserved in perpetuity and new blocks are added to the ledger. The nature of the blockchain means it can’t be reversed or tampered with, thereby protecting the integrity of the data contained in it.
All blocks are encrypted in a special way, so all users can have access to all the data but only a user who owns a special cryptographic key is able to add a new record to a particular chain. As long as you remain the only person who knows the key, no one can manipulate your transactions.
In addition, cryptography is used to guarantee synchronisation of copies of the blockchain on each node in the network, thereby dramatically reducing the possibility of fraudulent transactions and theft of such data.
From a medical perspective, there are some obvious attractions in using blockchain technology. Every patient record is a block which has a label stating the date and time when the record was entered.
The medical history is extremely important for diagnosis and treatment purposes, so neither the doctor nor the patient should be able to modify the records already made.
However, the clinician will have a private key that allows them to make new records when they next see the patient and the patient owns a public key that allows them to access the records anytime.
According to the proponents of blockchain technology, this makes patient data both accessible and secure and therefore compliant with the GDPR. In this way, blockchain technology can give each and every person the power to control their own personal data.
Outside of medical use, blockchain technology can create trust in the transaction between strangers which is often missing in the online infrastructure of the Internet where fraud and identity theft are now at record levels.
How does blockchain apply to basic buying and selling of stuff on the internet?
Today, consumers pretty much share data through a decentralised interactive platform — the Internet.
But when it comes to buying and selling stuff on the Internet, we are usually stuck making use of the same old services provided by centralised organisations (such as banks). Even the online payment process Pay-Pal requires integration with a traditional bank account or credit card, so it’s really not that revolutionary.
On the other hand, proponents of blockchain argue that the technology offers the opportunity to get rid of this ‘extra link’ in the transaction process. Blockchain can protect the integrity and security of the transaction in three important ways:
- registration of the sale/purchase
- verification of the identities of the seller and purchaser in the transaction
- security around the payment for the purchase.
As transactions are completed directly between the parties with no intermediary such as a bank getting in the way, then it should be a lot faster coupled with the added benefits of transparency, traceability and security.
What are the downsides to using blockchain technology?
There are several legal grey areas that will be encountered when using blockchain technology for the processing of personal data and the Data Controller or Data Processor may not be compliant with the GDPR as a result of using blockchain technology as it stands at present.
Who is the Data Controller and Data Processor?
The GDPR envisages the traditional relationship model of the Data Controller, Data Processor and Data Subject. It spells out the rights and freedoms, duties and responsibilities of the Data Controller and the Data Processor as well as the enhanced data protection rights of the Data Subject.
However, blockchain technology doesn’t neatly fit within this traditional view of personal data processing.
For example, in a centralised network, it’s much easier to identify who is the Data Controller and who is the Data Processor and the Data Subject.
But in a decentralised network, it may not be clear as to which party is responsible for making decisions as to the purposes and means for processing personal data or whether a Joint Data Controller relationship arises as a result.
This is an obvious source of confusion but it also raises questions around legal liabilities for the parties involved in the processing of personal data.
Under the GDPR, the Data Controller and the Data Processor must comply with the requirements for mitigating risk, keeping detailed records and carrying out data protection impact assessments (DPIAs) in cases where there’s ‘high’ or ‘very high’ risk in the processing of personal data, in order to avoid being sanctioned and fined under the GDPR.
And they may also find they need to appoint a Data Protection Officer (DPO) unless they’ve already done so.
International data transfers
Under the GDPR, international data transfers are only permitted under strict conditions that protect the rights and freedoms of the Data Subject and require legal mechanisms as to how such transfers are achieved.
The basic principle is that personal data can’t leave the EU/EEA in absence of these protections.
Under the GDPR, Data Controllers are responsible for personal data processed by third parties (Data Processors) , creating particular problems when personal data is processed on computers outside of a region that signed up to the GDPR or has a privacy framework that’s incompatible with the GDPR.
The most obvious problem when using a public blockchain is identifying who hosts a node as there’s no traditional Data Controller. Under a conventional blockchain, it’s almost impossible to have any control over the location of computers that form the network. Effectively, this kills the use of blockchain for making international data transfers as it won’t be compliant with the GDPR.
Right of erasure
Given that blockchain technology relies on a distributed ledger system that’s decentralized and immutable and is intended to be a permanent and tamper-proof record that sits outside the control of any one party, it falls foul over the right of erasure (otherwise known as ‘the right to be forgotten’).
The reason is that the individual can’t exercise this legal right in circumstances where the personal data must be deleted. You can find out more about the legal rights of data in any of the Ardi Kolah GDPR Book Collection
This appears, for the moment, to consign blockchain as an interim technology.
Even if you subscribe to the argument that all personal data on a blockchain is hashed – meaning that the personal data is transformed in a way that it can’t be reverse engineered to its original state – the GDPR still applies!
Some commentators have tried to argue that such data is no longer personal data and therefore outside the scope of the GDPR.
However, Article 29 Data Protection Working Party (now the European Data Protection Board) in its published guidance on anonymization partially concluded that hashing may still leave some small possibility of a successful brute force attack – where the hacker tries an extremely large number of guesses in the hope of eventually guessing correctly, thereby exposing hashed personal data in a blockchain.
Final thoughts from Ardi Kolah
In conclusion, there’s a blockchain paradox – it’s a technology that can protect the integrity and security of data, but it doesn’t as yet provide a way in which the rights and freedoms of an individual to amend, erase, temporarily suspend or transfer their personal data to a third party exists because of the way in which the technology works.
And there are also other legal barriers in the way of using blockchain to process personal data, such as the international transfer of that data outside of the EU/EEA.
So, from this respect, it’s still an interim distributive technology.
Ardi Kolah is a GDPR speaker and advocate for privacy and data processing.