In this article we consider GDPR and blockchain.
We increasingly see blockchain technology in use across diverse areas of business activity, from health records to supply chain management. There is a lot of hype around the technology, which tends to rise and fall with the fortunes of cryptocurrencies like Bitcoin. But it does offer real advantages in non-currency contexts that many businesses would like to exploit. The immutable record of transactions, and the absence in many cases of a central record keeper open up opportunities for disruption across many data-rich activities.
Blockchain, though, faces its own set of problems in terms of data protection. Where personal information of any kind is recorded, that information should be treated as subject to privacy law in the same way as in any other data processing context. The identity of individual participants, and information about them, needs to be appropriately protected. Nigel Houlden, head of technology policy at the UK’s data privacy watchdog, the Information Commissioner’s Office has discussed “nightmares” about the future relationship between blockchain and some of GDPR’s core principles.
You might wonder why data privacy is even an issue if, as with many types of blockchain, information disclosing the “real world” identity of an individual is not recorded, or identifying information about individuals is encrypted or hashed. But privacy law requires a greater degree of anonymisation than simply replacing a name with an identifier. For example, where a public key is associated with a series of transactions, and could be connected with an individual using other information, the public key will be regarded as identifying an individual. Pseudonymisation, involving replacing a direct identifier with another identifier, is seen as a useful security measure, but not full anonymisation.
Hash functions, that turn a piece of information into a fixed length code, are irreversible. However, it may be possible to effectively reverse them using bulk throughput of all possible input values, or pre-computed tables.
Detailed advice from European regulators on anonymisation techniques explores various methods used to protect privacy and highlights their weaknesses. Developers should be aware of three important data privacy concepts:
- Singling out – where individuals can be reidentified from an unique attribute
- Linkability – using cross-references between datasets to identify an individual
- Inference - deriving information about an individual through inference
Of course, while blockchain is often discussed as a single technology, it is used in a variety of different forms. The data protection analysis will vary depending on the features of the technology you are looking at. Blockchain structures like that supporting Bitcoin, for example, with its open, permission-less format may be corrosive to data privacy rights in a way that later generations of blockchain are not. We will focus on two widespread features of blockchain technology that may clash with privacy law. These are the unchangeable nature of the record and the distribution of the ledger across many different participants.
Blockchains are, by design, resistant to modification of the data recorded. In fact, this is one of the technology’s core advantages because it gives participants confidence in the truth of the record. However, this can conflict with privacy law. The GDPR includes a number of obligations requiring data to be altered or deleted. For example:
Data minimisation – under GDPR only data that is relevant and necessary for the defined purpose should be collected and processed.
Storage limitation – data should only be kept for as long as is necessary for the purposes for which it was collected.
Right to rectification - individuals can require incorrect data about them to be rectified.
Right to be forgotten – individuals have the right to ask for erasure of data about them.