What will GDPR do to the blockchain
GDPR = General Data Protection Regulation
Posted by Hicham ALAOUI RIZQ on 09 Nov, 2020
What is GDPR
GDPR is the new European legal framework that puts control over the use of their personal data back in the hands of EU citizens. That means any IT company that stores or processes EU citizens' data, whether the company itself or its servers are located within the EU or abroad, must comply with the terms of the new law.
Take the example of foreign companies such as Facebook or Apple, which have to adhere to the law because they have European users.
Terms of the GDPR
In short, GDPR ensures that EU users of any online service know who collects their personal data and what happens to it.
Terminology surrounding GDPR
Data controllers is the GDPR's term for the IT companies that store your data, and those who analyze it are called data processors. Generally the data processor and the data controller are the same company, but they could be different companies. Either way, it is the data controller who carries the responsibility for complying with the GDPR.
Personal data is the only kind of data the GDPR applies to, but hold on. What do we mean by personal data?
Personal data means any information relating to an identified or identifiable natural person. OK, that obviously covers a person's name, gender, or age, but how about the IP address of a person's computer? Would that qualify as personal data? Surely these are just random numbers that we cannot link to a person. That is correct, but with the help of the service provider it becomes very easy to link the IP address of a person's computer directly to his actual identity.
The same story applies to someone's bitcoin wallet address: it qualifies as personal data under the GDPR.
Maybe you are curious why a random-looking bitcoin wallet address string could be linked to an actual person. There are more extensive methods to reveal the actual identity of a bitcoin wallet holder, but take the example where this person buys some bitcoin with his credit card from an online exchange. Now you get it?
Well, how about an anonymous transaction on the blockchain? Does it also qualify as personal data? Yes! Let me tell you why. If you have never heard about KYC, this is the right time to understand what it is. KYC stands for "know your customer". It is a law that requires companies to carefully identify their customers for any transaction or service they provide to them.
With that being said, no transaction on the blockchain is truly anonymous, and it qualifies as personal data.
The GDPR articles that are problematic to the blockchain
Article 16: the right to rectification
This article states clearly that you have the full right to correct the data that someone holds on you. Not only can you change inexact data, you can also add new data if you feel that the current data is incomplete.
Adding new data to any blockchain is an easy task, but changing data already written is impossible.
Article 17: the right to be forgotten
Given that we cannot delete data from the blockchain, no EU citizen could exercise the right to be forgotten. That means the blockchain cannot comply with the GDPR, and therefore we cannot store personal data on the blockchain.
Article 18: the right to restrict processing
This article prevents IT companies from doing anything with your data unless these data are inaccurate or were unlawfully collected. In the case of the blockchain, as is well known, most blockchains are completely open, which means anyone could take a copy of your data and do anything they want with it.
What can be done to make blockchain comply with the GDPR
The obvious solutions would be to change the GDPR, since the people who tailored this law at the time were not aware of the blockchain, or simply to make such immutable blockchains illegal. Let me tell you that neither of these solutions can be applied.
First of all, the GDPR came into force to protect users' privacy on the web. On the other hand, no central authority on earth could forbid or prohibit blockchain usage, due to the decentralization and self-sovereignty of this technology and its massive adoption around the globe. So what is the solution to make the blockchain comply with the GDPR?
The first possible solution is to encrypt personal data before storing it on the blockchain, which is already the case in practice. In this scenario, only the people who hold the encryption key can do something with your data. If you request that the data be deleted, all that has to be done is to destroy the key, and in theory the encrypted data becomes useless. This sounds good, but encrypted data is still reversible, especially with the use of strong, fast computers. Not such a good solution after all.
How about using a permissioned blockchain rather than a public one? That way we can comply with Article 18 of the GDPR, the right to restrict who can process or do something with your data. But how about the right to change or delete data? That cannot be achieved even with a permissioned blockchain, due to the immutability property of any sort of blockchain. Not a real solution again.
A real solution would be to store the data off-chain, which means outside of the blockchain, say on a secure server where we have access to read and delete data. Then we store only a reference to that data in the blockchain, like a fingerprint. We use a hash function to create the fingerprint of the actual data.
A hash only works in one direction: you can create a hash of any data, but you cannot take that hash and turn it back into the data. All this seems nice to implement because we can exercise our right to be forgotten simply by removing the actual data from our server, and in that case the hash becomes useless since it refers to no data. Again, this solution isn't perfect: the blockchain is decentralized, and by moving to central servers you partially centralize the system again.
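The off-chain design described above, as an added example that is not part of the original post: the controller's server (a hypothetical `OffChainStore`) keeps the record together with a random salt, and only a salted SHA-256 fingerprint goes onto an append-only `Chain`. The salt is the one detail the text leaves out: without it, a fingerprint of low-entropy data such as a name or birth date could be matched against guesses, so it is kept off-chain and erased together with the data.

```python
"""Personal data off-chain, salted fingerprint on-chain (constructed example)."""
import hashlib
import secrets


def fingerprint(salt: bytes, data: bytes) -> str:
    # The salt lives only off-chain; once it is erased the on-chain hash can no
    # longer be matched against any guess of the original data.
    return hashlib.sha256(salt + data).hexdigest()


class OffChainStore:
    """Stands in for the controller's own server: it can read and erase records."""

    def __init__(self):
        self._records = {}  # record_id -> (salt, data)

    def put(self, record_id: str, data: bytes) -> str:
        salt = secrets.token_bytes(16)
        self._records[record_id] = (salt, data)
        return fingerprint(salt, data)  # this is what gets written on-chain

    def get(self, record_id: str):
        return self._records.get(record_id)

    def erase(self, record_id: str) -> None:
        """Right to be forgotten: delete salt and data; the chain entry stays."""
        self._records.pop(record_id, None)


class Chain:
    """Append-only ledger: entries can be added but never changed or removed."""

    def __init__(self):
        self._entries = []

    def append(self, record_id: str, fp: str) -> None:
        self._entries.append((record_id, fp))

    def lookup(self, record_id: str):
        return next((fp for rid, fp in self._entries if rid == record_id), None)


def verify_record(chain: Chain, store: OffChainStore, record_id: str) -> str:
    """Compare the off-chain record with its on-chain fingerprint."""
    fp = chain.lookup(record_id)
    if fp is None:
        return "unknown"
    rec = store.get(record_id)
    if rec is None:
        return "erased"  # the hash is still on-chain but now refers to nothing
    salt, data = rec
    return "valid" if fingerprint(salt, data) == fp else "tampered"
```

Erasing the record leaves the fingerprint on the chain untouched, which is exactly why the design tolerates immutability: the on-chain value is evidence of what was stored, never the data itself.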
Finally, the creative solution that was discussed and implemented by the Zcash blockchain is the zero-knowledge proof, where anyone can prove that something is true without revealing the actual data. In the case of a cryptocurrency, you can prove that a transaction happened without disclosing how much money you transferred or to whom.
To understand this with a simple example, consider a second bank that has no knowledge of your payroll. Using this concept, they could decide whether you are eligible for a loan without necessarily knowing your salary. This way people can reveal the absolute minimum of data about themselves without having to show far more unnecessary data.
With a zero-knowledge proof, you can prove to the bank agent that you earn sufficient money to be eligible for a loan without needing to show him your salary.
Zero-knowledge proofs are one of the solutions that can make the blockchain compatible with the GDPR.
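The smallest zero-knowledge proof there is, added here as an illustration and not code from the post or from Zcash (which uses zk-SNARKs, a far more elaborate construction): a Schnorr proof that you know a secret x with y = g^x mod p, without revealing x. The group parameters are a constructed toy (p = 2039, q = 1019, g = 4) for readability; the simulator at the end is what makes it zero-knowledge, since it produces an accepting transcript without ever knowing x.

```python
"""Schnorr proof of knowledge of a discrete log (constructed toy parameters)."""
import secrets

# Toy group: p = 2q + 1 with q prime, g = 4 has prime order q.
# Real deployments use groups of 256 bits or more; these values are for illustration.
P, Q, G = 2039, 1019, 4


def public_value(x: int) -> int:
    """y = g^x mod p is public; x (0 < x < q) is the secret the prover keeps."""
    return pow(G, x, P)


def prover_commit():
    """Round 1: prover picks random r and sends t = g^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def prover_respond(x: int, r: int, c: int) -> int:
    """Round 3: s = r + c*x mod q. r is uniform, so s alone reveals nothing about x."""
    return (r + c * x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Verifier accepts iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x: int, y: int, c=None) -> bool:
    """Full interactive run; c is the verifier's challenge (random unless fixed)."""
    r, t = prover_commit()
    if c is None:
        c = secrets.randbelow(Q)
    s = prover_respond(x, r, c)
    return verify(y, t, c, s)


def simulate_transcript(y: int):
    """Zero-knowledge: choose c and s first, solve for t = g^s * y^(-c).
    The transcript verifies yet was built without x, so a verifier learns nothing
    from a real transcript that it could not have produced alone."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s
```

The loan example in the text needs a range proof on top of this idea (proving x lies above a threshold), which is the same commit, challenge, response pattern applied to a more complex statement.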
Who is the responsible data controller in the case of the blockchain
The GDPR states that the data controller is responsible for obeying the law. If it does not, the data controller is subject to hefty fines of up to 4% of global revenue. OK, but hold on! Who is held responsible in the case of the blockchain?
Is it the people who create the protocols and write the code, the people who verify the transactions, or simply anyone who participates in the network? We cannot blame anyone here: the people who wrote the code only developed the tool; neither can we blame the people who validate blocks, since they might not know whether the data they are approving is personal. How about those who participate in the network? Same for them, since they have no control over what others store on the blockchain.
The immutability of the blockchain makes GDPR compliance difficult. We have seen some undesirable solutions that strip away the core concept of decentralization of the blockchain; furthermore, we saw a newer concept, the zero-knowledge proof, that seems to make the blockchain conform to the law.
What we are sure about is that we will see some changes in either the law or the way blockchains work. Likely KYC will play an important role in these changes.