Conciliating Blockchain and GDPR
Posted 8th June 2018 by Kate Barlow
Aurélie Bayle is a Data Protection Officer at be-ys: a role she considers to be at the heart of the new legal framework for any company.
Before GDPR came into effect on 25th May 2018, she was working towards global compliance, which involved completing all the steps given by the Article 29 Data Protection Working Party, an advisory board made up of a representative from the data authority of each EU Member State, the European Data Protection Supervisor, and the European Commission. Her duties have included auditing the structures and processes, preparing the data protection impact assessments, checking the compliance of processing activities, analysing the risks of the processing in the medical area, preparing new processes and policies about data protection, and asking data processors about their own compliance.
Aurélie hosted a roundtable at the Blockchain in Healthcare Congress, revolving around the topic of GDPR, specifically how we can conciliate blockchain and the right to be forgotten. The group, comprising project managers, researchers, and students, discussed three hypotheses for compliance between blockchain applications and GDPR:
- Avoiding recording personal data on the blockchain: the right to be forgotten is enforced by removing the link between the blockchain and the private data in the mapping function.
- Using a zero-knowledge proof algorithm. For now, the data is viewed as “pseudonymised” rather than definitively anonymised, so it is still within the scope of the GDPR.
- Organising the cryptographic scheme around three keys: a user key, an intermediate key, and a persistence key. The key store guarantees that this right can be implemented.
One of the key debates within the roundtable focused on one important question: what is the data protection authority’s position on blockchain in the EU? The participants wanted to know whether the French Data Protection Authority (CNIL) had given any guidelines or advice on how it interprets the blockchain ecosystem in the face of the GDPR. Some of the participants thought that blockchain could never be compliant because of its structure, and others wanted to discuss the different ways in which the legislation was being handled.
Companies have had two years to prepare for the GDPR, but some are very late. In the blockchain ecosystem it is much more complicated because of the technology’s structure, and people are very curious about it.
Many project managers at the roundtable discussion wanted to find other solutions for managing the right to be forgotten and to see how other projects were trying to comply with the regulation. They also presented their interpretations of the new legislation and wanted to debate them.
We caught up with Aurélie to discuss GDPR further and how (or whether) it conflicts with blockchain systems.
Could you provide a brief overview of the new GDPR legislation?
There are six key factors in the GDPR legislation:
- The global scope: there’s a new extended jurisdiction of the regulation, applied to all companies processing the data belonging to data subjects living in the EU, regardless of the company’s implementation.
- Huge fines: in case of a very serious breach or infringement, a maximum fine of up to 4% of global annual turnover (or €20 million) can be imposed.
- Strong consent: all the conditions about consent have been strengthened to give more power to the data subjects to ensure that they are aware of the processing and their consequences and to allow them to withdraw the data as simply as they have given it.
- New or stronger data subject rights: we can think about the breach notification, the expanded right to access, the new right to be forgotten, and data portability.
- Privacy by design and by default: privacy by design is not new, but it is the first time that it has become part of a regulation. With that principle, the data controller, when designing a processing project, must implement technical and organisational measures to ensure respect of the GDPR requirements before the processing. After the design comes privacy by default.
- Finally, the role of Data Protection Officer, which is a new function created by the regulation. It is a key role in the compliance and accountability of companies.
Why does the new GDPR legislation pose challenges for Blockchain?
The GDPR was debated and written from 2012 to 2016, and we should acknowledge that blockchain technology was not a priority in the policymakers’ minds. Instead, they were focused on cloud services and social networks. The GDPR regulations were established for centralised structures and schemes, whereas blockchain is the opposite, known as a decentralised and immutable technology. The data put in a blockchain cannot be deleted, and the protagonists are hard to identify, so the whole challenge is to find solutions, or interpretations, depending on the challenge, to make this new ledger compliant with the regulation.
Due to its decentralised system, can a blockchain contain personal data?
In a blockchain system, transactions are initiated with a combination of a private and a public key; the latter is visible on the public ledger and can lead to identifying the participant if that public key is used several times. Thus, a public key can be considered as personal data, by analogy with a decision of the European Court of Justice about the IP address (2014). In addition, personal data could be included in a transaction as a hash, thus considered pseudonymised data, which triggers the GDPR’s application too. Theoretically, the blockchain ecosystem should be within the scope of the GDPR, but this consequently raises the question of “who” has to be compliant.
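As an added illustration (not from the roundtable, the interview, or any project mentioned here) of the first and third compliance hypotheses listed above and of the point that a hashed value on-chain is only pseudonymised: a hypothetical off-chain key store whose per-user key is the only link between a person and an immutable on-chain keyed commitment. The page does not detail the user/intermediate/persistence key split, so this collapses it into a single per-user key; the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets


def bare_hash(personal_data: bytes) -> str:
    """Plain SHA-256 of personal data, as some designs put on-chain."""
    return hashlib.sha256(personal_data).hexdigest()


def bare_hash_is_linkable(personal_data: bytes, ledger_entry: str) -> bool:
    """A bare hash stays pseudonymised: anyone who already holds the data
    (a person's e-mail address, say) can recompute it and confirm the
    on-chain link, and the immutable ledger means that link never goes away."""
    return hmac.compare_digest(bare_hash(personal_data), ledger_entry)


class ErasableLedgerIndex:
    """Hypothetical design: the ledger only ever receives HMAC(key_user, data);
    the data and the key stay off-chain in a key store. Destroying the key
    (crypto-shredding) removes the only link between the immutable ledger
    entry and the person, so the ledger itself never has to change."""

    def __init__(self) -> None:
        self.ledger = []    # append-only list of hex commitments, never edited
        self.keys = {}      # off-chain key store: user_id -> 32-byte key
        self.records = {}   # off-chain personal data: user_id -> bytes

    def record(self, user_id: str, personal_data: bytes) -> str:
        """Store data off-chain and append only a keyed commitment on-chain."""
        key = self.keys.setdefault(user_id, secrets.token_bytes(32))
        self.records[user_id] = personal_data
        commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        self.ledger.append(commitment)
        return commitment

    def verify(self, user_id: str, personal_data: bytes, commitment: str) -> bool:
        """Re-establish the link; only possible while the user's key exists."""
        key = self.keys.get(user_id)
        if key is None:
            return False
        expected = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, commitment)

    def forget(self, user_id: str) -> None:
        """Right to be forgotten: erase key and off-chain data, ledger untouched."""
        self.keys.pop(user_id, None)
        self.records.pop(user_id, None)
```

The ledger entry survives `forget()` unchanged; what disappears is the ability of anyone, the operator included, to tie it back to the data subject.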
Who controls the data in a blockchain system?
In a public blockchain, based on a decentralised architecture where all the peer-to-peer network participants can add transactions without any control or authorisation by a central authority, everyone could be considered a controller because of their actions. At the same time, they should also be viewed as a processor because of the copy held on their computer.
The situation seems easier in the case of private schemes, where the administrator is clearly identified. The blockchain is a new structure and architecture and was not anticipated by the classic scheme considered in the GDPR. In the ‘fiat’ world, there is always an identified data controller, who is also considered as a ‘central authority’, but in a public blockchain scheme, the absence of a central authority is fundamental.
In a nutshell, the blockchain technology as a protocol cannot qualify as a data controller or processor. The responsibility is “transferred” to the people orbiting around the blockchain and is considered to be a “third party service”. Any actor (developer, miner, or simple reader), considered as a network third party, will be in charge of compliance with data protection laws. This can involve all the exchanges offering wallets (and who must comply with the recent KYC regulations) and all the project managers creating or using blockchain as a service.
Find out more about personal data and the right to be forgotten by reading this article from Aurélie Bayle here.