The General Data Protection Regulation (GDPR) is a regulation setting the rules for the collection and processing of personal information of European Union citizens. It was adopted by the European Parliament on 4th April 2016 and came into effect on 25th May 2018.
The GDPR applies only to processing of “personal data” which is defined as, “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The intention of the regulation is to expand individuals’ rights related to the collection and use of their data, including the right to ask the data collector what information it holds about them and what it does with that information. Collecting personal information is subject to the individual’s revocable consent. Most notably, the individual has the right to demand correction, file a complaint, object to processing, or require the deletion of their personal data, known as the “Right to be forgotten”.
New Kid On The Block
When the GDPR was first presented by the European Commission in 2012, blockchain technologies were not yet widely popular and were clearly not the focus of the regulation.
An open public blockchain, like Bitcoin, is a database replicated on multiple computers at the same time. This database is not managed by a central authority; instead, everyone in the network holds a copy of the same whole database and can make additions to it. To enter the database, any new addition has to be confirmed by the other participants on the network, which provides consensus on the current state of the ledger. The transactions on such a blockchain are permanent (immutable) public records, broadcast to the entire network.
Blockchain-based systems have the potential to provide better protection to personal data than traditional data storage systems deemed GDPR compliant (keeping personal data on paper documents in plastic files locked “securely” in a drawer!?). Some of the blockchain technology features, such as pseudonymisation of personal information and the decentralized model of the network, give better protection against attacks and make the data less susceptible to abuse in comparison to the centrally controlled data model. I myself would much rather rely on the blockchain network to keep my data than surrender control to human “corporate officers”.
However, if the letter of the regulation is followed strictly, such open public blockchains have a number of issues related to GDPR requirements:
The Bitcoin protocol and public blockchains, in general, contain information that is not really anonymous. Rather, it is pseudonymous, and therefore considered personal data, and it is not impossible to trace a bitcoin address to an identifiable natural person.
The logic and terminology of GDPR, with its concepts of “data subject”, “data controller” and “data processor”, seem difficult to apply to blockchains. There is a lack of clarity as to who is who on the blockchain and what their obligations are under GDPR.
But the most problematic point of public blockchains with regard to GDPR is the requirement that the data subject has “the right to be forgotten”, meaning that any individual has the right to request that their personal data be erased from the record. Deleting or modifying data on the blockchain is next to impossible, as the data has already been broadcast to all network participants. In addition, deleting a record would change the hash of the block containing the data and invalidate all subsequent blocks, since each block’s hash is computed over the previous block’s hash.
Wait, There Might Be a Solution…
Just recently, at two Workshops on Blockchains and GDPR held on April 8th at the University of Geneva and WSIS, Jörn Erbguth, a blockchain and data protection consultant and lecturer, formulated five ways for public blockchains to cope with GDPR:
Do not put any personal data (at all) on a blockchain.
Use Privacy Enhancing Technology and ensure that no personal data can be derived from the blockchain.
Obtain a justification that is permanent.
Let users put the data on a public blockchain themselves.
Build specialised blockchains that forget.
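As an added illustration (not part of the original article, nor code from Corda or Erbguth), a toy Python hash chain showing the two points above: deleting a personal-data record inside a block changes that block’s hash and breaks every later link, whereas keeping only a salted commitment on chain and the personal data in an off-chain store (one way to apply the first two principles; the commitment scheme and the off-chain store are my assumptions, not something the article prescribes) lets the off-chain record be erased while the chain still verifies.

```python
import hashlib
import json
import secrets

def block_hash(prev_hash: str, records: list) -> str:
    """Hash of a block = SHA-256 over the previous block's hash plus its records."""
    payload = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(batches):
    """Build a toy chain: each block stores records and links to its predecessor's hash."""
    chain, prev = [], "0" * 64
    for records in batches:
        h = block_hash(prev, records)
        chain.append({"prev": prev, "records": list(records), "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Index of the first block whose link or hash no longer verifies, or None if intact."""
    prev = "0" * 64
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or block_hash(blk["prev"], blk["records"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return None

def erase_on_chain(chain, record):
    """Naive 'right to be forgotten': delete the record inside the chain itself."""
    for blk in chain:
        if record in blk["records"]:
            blk["records"].remove(record)

def commit(value: str, salt: bytes) -> str:
    """Salted commitment placed on chain instead of the personal data itself (assumed scheme)."""
    return hashlib.sha256(salt + value.encode()).hexdigest()

def demo_on_chain_erasure():
    # constructed sample data: an e-mail address stored directly in block 0
    chain = build_chain([["alice@example.org"], ["tx:100"], ["tx:200"]])
    erase_on_chain(chain, "alice@example.org")
    return first_invalid_block(chain)   # block 0's hash no longer matches -> 0

def demo_off_chain_erasure():
    # constructed off-chain store: subject -> (salt, personal data); only commitments go on chain
    store = {"alice": (secrets.token_bytes(16), "alice@example.org")}
    salt, value = store["alice"]
    chain = build_chain([[commit(value, salt)], ["tx:100"], ["tx:200"]])
    del store["alice"]                  # erasure happens off-chain only; salt is gone too
    return first_invalid_block(chain)   # chain untouched, still verifies -> None
```

Once the salt and the off-chain record are deleted, the on-chain commitment can no longer be linked back to the e-mail address, which is the property the second principle asks for.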
The Workaround: Distributed Ledger Technology
While these principles are not easy to apply to open public blockchains, the Distributed Ledger Technology (DLT) may provide a workaround. DLT shares the main features of the blockchain — it is a decentralised database, where each participant replicates and saves the same identical copy of the information. There is no central authority maintaining the ledger. However, it is more flexible and allows designs that are better suited to comply with the requirements of GDPR:
While anybody can join an open public blockchain, DLT allows solutions where access to the network is by permission. The roles and responsibilities of the parties on such a network are easier to define, and there is better accountability with regard to data protection.
A DLT architecture could be designed so that transaction data is not broadcast to the entire network; instead, only the involved parties receive it on a “need to know” basis. Such an approach allows for less data multiplication compared to the global broadcast model.
The consensus mechanism in DLT could be based on transaction validation by certain participants instead of the entire network. Data propagation is reduced, so fewer copies of the data exist to protect. The block mining mechanism, which makes deletion of data impossible, is avoided.
Corda Services — Developed with GDPR in Mind
One application of the Distributed Ledger Technology (DLT) which is particularly flexible and well-positioned to address the requirements of GDPR is R3’s Corda.
It is a global network with some notable differences from the open public blockchain:
The access to the Corda network is permissioned.
Transaction information on Corda flows from point to point, and consensus is based on transaction validation by network participants called notaries, avoiding the “Proof of work”, or block mining, employed in the original blockchains.
It is an open source project, where anybody can make a business network and apply their own design, taking responsibility for GDPR compliance.
To facilitate the application of the platform, the Corda developers have deployed the Corda Network — a publicly available network of nodes operated by network participants. It is intended to support many subnetworks of nodes, with their own coordinating parties and rules for membership and use. Much like the Internet, the Corda Network provides the backbone services for interconnectivity and high-speed transaction flow.
The Corda network services have been designed to comply with data privacy and GDPR:
The Doorman service collects information from users and operators joining the business network, including personal data such as a contact name, phone number or email address. The data is stored in a private, secure database and is not broadcast to the network. If a party is off-boarded from the network, any personal data belonging to that party will be deleted, subject to record retention rules and provided there is no business reason to store it. By setting up this procedure, Corda complies with the GDPR requirement of the data subject’s “Right to be forgotten” and of data erasure.
The Network Map Service enables the participants to find and communicate with one another over the network. No personal data is shared among network participants as part of this service.
The Notary service provides the network consensus and guarantees the uniqueness and finality of each transaction. Currently, the Corda Network Foundation only provides non-validating notaries, which see only the subset of a transaction needed to determine its ordering and uniqueness. No personal data is processed or stored by the service.
Corda Has a Set of Procedures in Case of a Data Breach
The Corda Network Foundation operator will notify impacted parties in case of personal data breaches within 72 hours after having become aware of a breach.
A supervisory authority will be notified if there is any risk to the rights and freedoms of natural persons.
The operator will notify the Corda Network Foundation Board immediately.
While Corda makes every effort to provide data privacy and to protect personal data, users also have the responsibility to protect themselves. It is in the user’s best interest to discuss any privacy concerns with their blockchain solution provider and to contribute to making the solution GDPR compliant.
INDUSTRIA — A Trusted Corda Developer of GDPR Compliant Solutions
As an R3 partner, INDUSTRIA is well positioned to take full advantage of the unique data protection capabilities of the Corda architecture. Our team of certified Corda developers creates GDPR compliant blockchain and DLT solutions for enterprises, marketplaces, and ecosystems. Our products are in accordance with the needs of the financial and other sectors, retaining focus on data privacy and protection of sensitive data.
N.B. Special thanks to Jörn Erbguth for the valuable contribution!