Will blockchain run afoul of GDPR? (Yes and no)

The immutable nature of blockchain networks could break Europe's new GDPR rules. But when implemented properly, the distributed ledger technology could also be part of the solution for compliance.

European Union [EU] flag and binary code

As the EU prepares to roll out new data protection regulations this month, concerns are emerging that they could dissuade businesses from rolling out blockchain-based projects because the online transaction technology might innately break the new rules.

The EU's General Data Protection Regulation (GDPR) targets citizens' personally identifiable information (PII), providing transparency around its use and giving people the right to restrict its use or request it be deleted all together.

While GDPR never mentions PII, the new rules describing "personal data" are synonymous with it: "Any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data." In short, it means any data that can be tied back to person's identity.

Blockchain, which has taken the business world by storm, is an online electronic distributed ledger technology that can create an immutable record for recording a history of transactions; therefore, if blockchain were to be used as a type of database to transact with PII, it would by default run afoul of GDPR rules. Blockchain ledgers can be added to, but information on the network cannot be modified or deleted. It's a write-once, append-many technology.

How blockchain could run afoul of GDPR

Gerry Stegmaier, a partner in the IP, Tech & Data Group of Washington-based law firm Reed Smith, said blockchain's greatest attribute – its characteristic as an unchangeable record that creates trust and a perfect auditing trail – could also be its biggest downfall from a rules perspective.

"Regulators are unlikely to accept the argument that somehow blockchain is exempt from GDPR strictures because a defining feature of distributed ledgers is the impossibility of deleting data, such that it cannot be deployed in a way that enables data deletion," Stegmaier said in an email. "Those kinds of arguments haven't resonated well with regulators."

In general, technology development, for better or worse, has not been at the forefront of data protection policy development in Europe, Stegmaier added. Few regulators have technologists on staff, "and even fewer are technologists themselves."

Others, however, argue that blockchain is not innately at odds with data privacy protection and can actually offer some of the industry's best available data protection methodologies.

Gennaro Cuomo, an IBM fellow and vice president of the company's Blockchain Technologies unit, explained that not all blockchain technology is created equal.

"For broad business and government use, enterprise blockchain technology is now available that solves four fundamental requirements: accountability, privacy, scalability and security," Cuomo said in an email.

In February, Cuomo testified before a congressional subcommittee on blockchain as a transformational building block for many types of business and government communication; he emphasized that bitcoin and other forms of cryptocurrency are but one use of blockchain, just as social media is but one use of the internet.

How blockchain can support GDPR

The company released a white paper that explains blockchain can support GDPR. However, the company notes, personal data should never be stored on the blockchain, and a lot of people don't understand that and continue to do it for all sorts of use cases.

IBM runs a blockchain cloud service and consulting business, which is being used by international corporations to share digital records – everything from cross-border payments to tracking cargo shipments and supply chain management.

blockchain maersk ibm Maersk

A blockchain-based, distributed electronic ledger could save the shipping industry billions of dollars a year by replacing the current EDI and paper-based system for tracking cargo and attaining approval from customs and port authorities.

There are two forms of blockchain: public and private (or permissioned). Bitcoin and other cryptocurrencies use public blockchains, meaning there is no central authority and anyone can see the information on the electronic ledgers. The ledgers, however, also offer anonymity for users because the financial transactions are tied to hashes, meaning the origin of the data is encrypted and only accessible through a hash key. Those keys belong only to the users and the financial institution backing the transactions. If a user were to lose his or her key, they also would lose access to their data and bitcoins.

Businesses are mainly interested in private or permissioned blockchains, where a central authority governs who is authorized to partake in the electronic ledger.

While blockchain technology allows for information to be stored in the same way it might be in a database, information can also be stored "off chain" in a separate database and linked to the blockchain via private and public cryptographic keys.

The emerging standard industry approach is to avoid having personal data directly on a blockchain, store any such data in editable databases and then only have a one-way hash of that data stored on the blockchain itself.

Keeping blockchain and personal data apart

In a report released last month, Forrester Research said blockchain is ideal for meeting new government data privacy requirements and serving as a trusted repository for identification purposes.

"Personally-identifiable information should never, ever be stored on a blockchain-based network," said Martha Bennett, a principal analyst at Forrester Research and co-author of the report. "Companies linking PII to on-chain records need to have mechanisms in place that allow that link to be broken irrevocably."

So, for example, if somebody exercises their "right to be forgotten," not only will database records have to be deleted but a business blockchain administrator will also need to ensure that any "on-chain" records become meaningless.

Deleting hash keys tied to information is known as cryptographic data deletion because while the data may still exist, spread across offline databases, it cannot be reassembled without the correct cryptographic keys. In a sense, it becomes gibberish.

Blockchain-based systems can also be part of the solution to new GDPR rules, Bennett argued. For example, the systems can be used to track consent as well as the fulfillment of deletion requests.

The GDPR is a new data protection framework that applies to nations in the EU; it gives citizens more control over how their personal data is used and imposes strict rules on entities hosting and "processing" this personally identifiable information anywhere in the world. (Because so many U.S.-based companies also have operations in Europe, they too are rushing to comply with the changes.)

Just as in a public blockchain, permissioned blockchains have the ability to offer anonymity: only those transacting on the network can see the information; and, even those on the network can be restricted from seeing other's participant's information.

"In an enterprise-ready blockchain, participants are known and are identified by membership keys," Cuomo said. "The data can be trusted because transactions committed to the ledger are immutable – such that they cannot be removed or changed by the actions of a single party. With this accountability, the network is auditable, allowing members to follow and adhere to existing government regulations like HIPAA and GDPR."

Blockchain and PII

Far from restricting blockchain's use, the Congressional Blockchain Caucus is working to collect information on blockchain projects that could help individuals securely establish their identity, enable online payments – such as tax payments – and revamp supply chains.

IBM is a founding member of the Sovrin Foundation, a nonprofit organization now developing the Sovrin Network, which could enable anyone to globally exchange pre-verified data with any entity also on the network. With blockchain, identity theft and fraud can be significantly reduced while the effectiveness of government-mandated Know-Your-Customer and Anti-Money Laundering rules is enhanced, the Sovrin Foundation claims.

Online credentials would be akin to information a person might have with them: a driver's license, a bank debit card or a company ID.

Instead of a physical card, however, the IDs in digital wallets would be encrypted and link back to the institutions that created them, such as a bank, a government or even an employer. Through the blockchain, those entities could automatically verify  information to a requestor without providing any other details.

For example, a bank could request a customer verify they earn more than $50,000 a year for the purpose of a home loan; the customer's employer who is part of the blockchain network, could then verify their employee makes at least that amount without releasing their exact salary. The entire transaction would be run by a blockchain business automation tool known as a smart contract.

Applying the GDPR to blockchain technology is going to be a nuanced process as the nature of the many existing and emerging blockchains themselves are quite nuanced, according to Judd Bagley, a spokesman for Evernym, a company that develops self-sovereign identity applications that run on the Sovrin network.

"For example, some blockchains accept and immutably maintain personal information and others do not. Certainly, those that are open to being written to by anybody – such as the permissionless bitcoin blockchain – could potentially have anything added to them with no mechanism in place for removal," Bagley said.

Blockchains built with privacy and GDPR compliance in mind, however, have a clear advantage. The Sovrin ledger, for example, doesn't store personal data. Instead, Sovrin acts like a directory of pointers to an individual's data, stored in more traditional, centralized databases, and takes additional steps to implement the GDPR's privacy by design and default principles.

"The Sovrin approach is actually a dream for GDPR compliance for other reasons," Bagley said.

Copyright © 2018 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon