GDPR – one year on: data protection and blockchain

It is more than a year now since the introduction of Europe’s new data privacy regime, the GDPR. After a flurry of activity leading up to and following the launch date in May 2018, GDPR fell out of the headlines. Recent high profile penalty announcements running into the hundreds of millions have again highlighted the dangers of failure to comply. We consider some of the issues that are keeping business leaders and privacy regulators awake at night.

In this article we consider GDPR and blockchain.

We increasingly see blockchain technology in use across diverse areas of business activity, from health records to supply chain management. There is a lot of hype around the technology, which tends to rise and fall with the fortunes of cryptocurrencies like Bitcoin. But it does offer real advantages in non-currency contexts that many businesses would like to exploit. The immutable record of transactions, and the absence in many cases of a central record keeper open up opportunities for disruption across many data-rich activities.

Blockchain, though, faces its own set of problems in terms of data protection. Where personal information of any kind is recorded, that information should be treated as subject to privacy law in the same way as in any other data processing context. The identity of individual participants, and information about them, needs to be appropriately protected. Nigel Houlden, head of technology policy at the UK’s data privacy watchdog, the Information Commissioner’s Office has discussed “nightmares” about the future relationship between blockchain and some of GDPR’s core principles.

Becoming anonymous

You might wonder why data privacy is even an issue if, as with many types of blockchain, information disclosing the “real world” identity of an individual is not recorded, or identifying information about individuals is encrypted or hashed. But privacy law requires a greater degree of anonymisation than simply replacing a name with an identifier. For example, where a public key is associated with a series of transactions, and could be connected with an individual using other information, the public key will be regarded as identifying an individual. Pseudonymisation, involving replacing a direct identifier with another identifier, is seen as a useful security measure, but not full anonymisation.

Hash functions, that turn a piece of information into a fixed length code, are irreversible. However, it may be possible to effectively reverse them using bulk throughput of all possible input values, or pre-computed tables.

Detailed advice from European regulators on anonymisation techniques explores various methods used to protect privacy and highlights their weaknesses. Developers should be aware of three important data privacy concepts:

  • Singling out – where individuals can be reidentified from an unique attribute
  • Linkability – using cross-references between datasets to identify an individual
  • Inference -  deriving information about an individual through inference

Of course, while blockchain is often discussed as a single technology, it is used in a variety of different forms. The data protection analysis will vary depending on the features of the technology you are looking at. Blockchain structures like that supporting Bitcoin, for example, with its open, permission-less format may be corrosive to data privacy rights in a way that later generations of blockchain are not. We will focus on two widespread features of blockchain technology that may clash with privacy law. These are the unchangeable nature of the record and the distribution of the ledger across many different participants.

Immutable record

Blockchains are, by design, resistant to modification of the data recorded. In fact, this is one of the technology’s core advantages because it gives participants confidence in the truth of the record. However, this can conflict with privacy law. The GDPR includes a number of obligations requiring data to be altered or deleted. For example:

Data minimisation – under GDPR only data that is relevant and necessary for the defined purpose should be collected and processed.

Storage limitation – data should only be kept for as long as is necessary for the purposes for which it was collected.

Right to rectification - individuals can require incorrect data about them to be rectified.

Right to be forgotten – individuals have the right to ask for erasure of data about them.

The immutable record offered by a blockchain apparently makes fulfilment of these obligations impossible. However, it may be possible to adopt technical solutions to address these problems. For example, methods that erase elements enabling verification, or that delete a keyed hash function’s secret key could be used to make a particular section of the stored data inaccessible. While techniques like these do not delete information from the blockchain, they may be enough to satisfy regulators that it is effectively removed. Where information needs to be rectified, the correct information would have to be introduced to replace incorrect information that has been made inaccessible.

The distributed nature of the ledger

A common feature across blockchain technologies is distribution of the transaction record so that it is stored among many participants. Often a copy of the ledger is held by every participant. This builds user trust but it also leads to privacy law issues.

More

How can the conflicts between blockchain and privacy law be resolved?

Given the privacy issues that can arise through use of blockchain technology, the CNIL asks organisations to consider whether it is really necessary for the application they have in mind.

Privacy regulators are understandably wary about the use of blockchain to store personal information. But stifling the technology as a whole is certainly not their objective. Creative and well-designed approaches to privacy are likely to be welcomed. UK regulator the ICO has a programme to promote privacy in new technologies. The ICO’s Sandbox programme supports innovation through engagement and a safe harbour. It offers:

“the opportunity to engage with us; draw upon our expertise and advice on mitigating risks and ‘data protection by design’, whilst ensuring that appropriate protections and safeguards are in place.”

The Sandbox programme is currently in a beta testing phase.

The main take away point is preparation. Building in pro-privacy structures from the outset will be easier than trying to correct problems later on.

Finally, it is worth noting that blockchain technology may itself be able to enable privacy in new ways. Applications of blockchain that may permit greater control of an individual’s personal data might include a method for encoding the person’s data permissions into a blockchain-protected record. This could enable the person’s consent to different categories of use are readily applied across different platforms.

More

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
Sites
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R

Visitors

Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Staff

Mills & Reeve system for employees.