Making Blockchain Comply with GDPR: The Challenges and Fixes
Immutability meets enforceable privacy
Since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, many in the community wondered how this would affect organizations already using blockchain, as well as the future of the technology itself.
At a recent Hyperledger meetup in Copenhagen, Martin von Haller Grønbæk of Bird & Bird brought up the fundamental challenges surrounding the immutability and transparency around the blockchain technology and GDPR. He also suggested potential solutions to these problems.
“Is GDPR from Venus and blockchain from Mars? We’re talking about two legal set of rules that are fundamentally incompatible.”
—Martin von Haller Grønbæk, Bird & Bird
What are the issues?
Simply put, blockchain is a distributed, immutable digital ledger that records information in blocks, which are then added to a chain of other blocks to create a decentralized network. To add new information in a blockchain network, participants have to verify and reach a consensus, before any data can be added to the blockchain.
In the first place, GDPR applies to the aggregation of personal data by controllers—legal bodies determining the purposes and means of personal data processing in the European Union (EU). However, GDPR also applies to the companies outside the EU which are gathering and aggregating data related to data subjects—identifiable natural persons in the EU. This significantly increases the scope of companies that need to comply to the new law in force.
In the context of blockchain where data is immutable, the main stress points brought on by the GDPR are the following:
- Right of access. Data subjects can obtain confirmation from the controller whether or not their personal data is being processed.
- Right to object. Data subjects can withdraw consent regarding the use of their personal data.
- Right to be forgotten. Data subjects can have their personal data deleted.
- Right to rectification. Data subjects can request without undue delay the correction of inaccurate personal data.
According to Martin, the decentralized nature of blockchain also poses a challenge for the reason that such roles as controllers and processors need to be defined.
“From a GDPR point of view, there are some fundamental challenges. First of all, who’s the data controller when the whole concept is that no one’s in control?”
—Martin von Haller Grønbæk, Bird & Bird
What can be done?
During the presentation, Martin suggested some fixes that could resolve the GDPR compliance issue. Personal data can be made unidentifiable by making participants of blockchain anonymous through digital signatures. Personal information could also be encrypted.
With smart contracts playing a critical role in how transactions in blockchain are processed, the contracts can be used to address such GDPR concerns as:
- Data time limits. Entries in the blockchain could be set to auto delete after a set period of time.
- Data rectification. Entries in the blockchain can be altered through consensus.
Since one of the problems is that of personal data being stored in the blockchain, this data could instead be stored off-chain.
“You can make sure that what’s on the blockchain is not really personal data, but a reference to the off-chain storage where the data is stored.” —Martin von Haller Grønbæk, Bird & Bird
Martin also brought up the idea of creating a blockchain with “semi- or old-fashioned centralized governance.” In this scenario, nodes that are part of the consortium running the blockchain have to agree on a traditional method of governing the network. This includes the assignment of roles that comply with GDPR, such as controllers and processors. Done this way, consensus mechanisms for the GDPR procedures could also be embedded through smart contracts.
“The way to achieve consent of personal information could actually be embedded in smart contracts.” —Martin von Haller Grønbæk, Bird & Bird
Another idea suggested was that of creating an open blockchain where users upload their own personal information, but no one controls or owns their data. In this theoretical scenario, the open blockchain network falls outside the scope of GDPR. The regulation will take effect only if data is extracted for commercial purposes.
With Hyperledger emerging as the standard for enterprise-grade blockchain, it’s not surprising to see developments that already begin to address GDPR concerns. Hyperledger Fabric v1.2, which was released in July 3, 2018, introduces the concept of private data, which enables the creation of GDPR-compliant blockchain solutions. Hyperledger Fabric v1.2 achieves this by limiting access to data through policy logic. Data can also be deleted manually or after a set time period, leaving only a hash of the transaction.
As more and more organizations adopt the blockchain technology, conversations about GDPR will only increase and, at the end of the day, it’s up to blockchain users to comply with the regulation.
The slides by Martin are available here.
Want details? Watch the video!
- Hyperledger Fabric v1.2: What’s New and the Roadmap for 2018
- Brian Behlendorf of Hyperledger: Do POCs, Billions Are Already on Blockchain
- New Hyperledger Use Cases Appear as the Blockchain Community Grows
Related sessions from the meetup
Below are all the sessions from the Copenhagen meetup, starting with an introduction to Hyperledger and then the talk about the three Special Interest Groups (SIGs) focused on blockchain.
Following the session by Martin, Vitaliy Chernov of Altoros talked about the private collections feature—allowing for hiding sensitive data either partially or fully from certain parties—available through Hyperledger Fabric v1.2. He demonstrated how this feature is successfully implemented in a platform developed by Altoros for automating critical processes of over-the-counter trading.
Here are the slides by Vitaliy.