EU GDPR as a Major Risk for Blockchain Applications
Blockchain is one of today’s most promising technologies. It is best known for its application in cryptocurrencies such as Bitcoin and Ethereum, and many expect it to revolutionize software applications in almost any industry. Yet, there is one thing hardly anybody seems to consider, even though it might be a show-stopping risk for many blockchain applications out there: the European Union’s General Data Protection Regulation (GDPR).
People Should Be Concerned—Yet, They Don’t Seem to Bother
The problem of blockchain being on a collision course with the GDPR had been raised by both experts and the media months before the GDPR became binding on May 25, 2018. So far, however, I have not heard much buzz about this problem from within the tech community or the certification industry, both of which I am closely related to in my job. This lack of awareness and concern was surprising for me, and I began to wonder why so few people seemed to see the risks.
One of the first experts to shed light on the inherent conflict between the GDPR and blockchain technology was Michèle Finck, who is a senior research fellow at the Max Planck Institute for Innovation and Competition and a lecturer in EU law at Keble College, University of Oxford. She first described the problem in her paper Blockchains and Data Protection in the European Union (Nov 30, 2017) and later summarized her key findings in an article published on the Oxford Business Law Blog (Feb 13, 2018).
Of course, you can’t expect a critical mass to read academic articles on legal topics, but Michèle Finck was not the only one to address this issue. Andries van Humbeeck wrote about The Blockchain-GDPR Paradox on medium.com (Nov 21, 2018), and once David Meyer had given us his view on the problem in an article published on iapp.org (Feb 27, 2018), the topic finally started to gain momentum and was picked up by The Next Web (TNW) and other media too.
So, why does almost nobody seem to care? Although the GDPR has been binding since May 25, 2018, the majority of people still have little knowledge about it and tend to be rather confused about how it will change the way we (have to) handle data. The same is true for blockchain technology. So, it is quite understandable that only a few people make the link between them. I did not see it at first either, despite having both read the GDPR (Regulation (EU) 2016/679) and having a good general understanding of blockchain technology.
The Conflict between Blockchain and the GDPR
Let me set the scene for you. The GDPR is the European Union’s attempt to strengthen the rights to data protection and privacy, and give EU residents more control over how their personal data is being handled and used. This includes, to name but two, the right to be forgotten, which allows data subjects to request the deletion of their personal data, and the guiding principle of data minimization, which obliges data controllers to not store personal data longer than required or justifiable. If you are not familiar with the scope of the GDPR and its terminology, this comprehensible summary will serve you as a great starting point.
A blockchain, on the other hand, is essentially an append-only database. Unlike conventional, centralized database systems, blockchains are maintained by a consensus-building algorithm, with data being stored and replicated to multiple nodes in a distributed computer network. Often, the data is stored in encrypted or hashed form and can only be accessed with a matching key. This makes blockchain systems virtually tamper-proof and thus attractive for business-critical applications where the reliability of the stored information is one of the top concerns. Practical use cases would be, e.g., supply chain traceability systems or the storage and provision of audit and certification data. If you would like to learn more about how blockchains work, the blockchain series on this blog will provide you with everything you need to know. For the purpose of this article, however, we do not need to delve deeper into the technical nature of this technology.
In fact, with all I have said so far, you know everything to see the conflict between Blockchain and the GDPR. Do you see it?
Is the GDPR a Show-Stopper for Blockchain Applications?
With blockchain being an append-only database, data stored on it can neither be altered nor deleted. Thus, blockchain is diametrically opposed to the GDPR’s guiding principle of data minimization and the right to be forgotten. This is also true for encrypted data, says Michèle Finck (2018), since it is „well-established that data that has been encrypted or hashed still qualifies as personal data under EU law as it is merely pseudonymized, not irreversibly anonymised. (…) As a consequence, the cryptographically modified data stored on a distributed ledger, in addition to public keys, are subject to the GDPR.“
The GDPR puts the rights to the protection of personal data above everything else, regardless of the technology used. Critics lament that it has been designed with conventional storage technologies in mind, ignoring the way modern technologies work. Lamenting will not change the fact, though, that „blockchain technology cannot be used for the processing of personal data“, as Jan Phillip Albrecht, rapporteur behind the GDPR in the European Parliament, insists (quoted from Meyer, 2018).
That is a major setback for Europe’s vibrant blockchain scene and, as things stand at the moment, a show-stopper for all blockchain applications involving personal data of EU residents.
A Workaround for Using Blockchain in the Context of GDPR
So, what does this mean in practice and is there really no workaround? Let me answer this by getting back to the above-mentioned examples of supply chain, audit, and certification data. Most of the information we typically want to see in supply chain, audit, and certification data does not qualify as personal data and is, thus, not affected by the GDPR. It can be stored in a blockchain-based system without restrictions, allowing for all the advantages that come with this technology.
In order to use blockchain technology for the handling of those data, however, a workaround solution would be needed in most of the cases. Why? Because supply chain, audit, and certification data are typically stored in combination with all kinds of personal data such as the contact information of clients, suppliers, auditors, certification officers, etc., which must not be stored on a blockchain.
A solution to this problem would be the combination of blockchain with conventional databases. While critical non-personal data could be stored on a tamper-proof blockchain, the relevant personal data could be hosted and linked (e.g., via hashes) in a conventional database with the ability to modify or delete it as needed.
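The hybrid setup just described, as an added example that is not code from the article: the non-personal certificate data goes on an append-only ledger, the personal part stays in a mutable store, and the link between them is a keyed hash whose key is also kept off-chain. Plain hashes of low-entropy values such as e-mail addresses can be confirmed by guessing, which is why the example assumes a per-record HMAC key (my assumption, as are the sample record and all helper names); erasing the off-chain row then leaves nothing on-chain that can still be linked to a person.

```python
import hashlib, hmac, json, secrets

# Constructed sample record: the certificate data is non-personal and may go
# on-chain; the auditor's contact details are personal and must stay off-chain.
SAMPLE_RECORD = {
    "certificate_id": "CERT-2018-0001",
    "result": "passed",
    "auditor": {"name": "A. Auditor", "email": "auditor@example.org"},
}

class AppendOnlyLedger:
    """Stand-in for a blockchain: entries can be appended but never changed."""
    def __init__(self):
        self._entries = []
    def append(self, entry):
        self._entries.append(json.dumps(entry, sort_keys=True))
        return len(self._entries) - 1
    def get(self, idx):
        return json.loads(self._entries[idx])

def commitment(personal, key):
    """Keyed hash of the personal data. Unlike a plain SHA-256, it cannot be
    confirmed by hashing likely inputs (an e-mail address) once the key is gone."""
    canonical = json.dumps(personal, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def record_audit(ledger, offchain, record):
    """Split the record: personal part and key off-chain, commitment on-chain."""
    personal = dict(record["auditor"])
    key = secrets.token_bytes(32)
    record_id = record["certificate_id"]
    offchain[record_id] = {"personal": personal, "key": key}  # mutable store
    return ledger.append({"certificate_id": record_id,
                          "result": record["result"],
                          "auditor_commitment": commitment(personal, key)})

def verify_link(ledger, offchain, idx):
    """True if the off-chain personal data still matches the on-chain commitment,
    False if it was altered, None if it has been erased (right to be forgotten)."""
    entry = ledger.get(idx)
    row = offchain.get(entry["certificate_id"])
    if row is None:
        return None
    return hmac.compare_digest(entry["auditor_commitment"],
                               commitment(row["personal"], row["key"]))

def erase_personal(offchain, record_id):
    """Delete the personal data and its key; the on-chain commitment remains,
    but is now an unlinkable random-looking value rather than re-identifiable data."""
    return offchain.pop(record_id, None) is not None
```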
The drawback of such a setup is the increased system complexity. Also, with blockchain still being an immature technology, system performance could become an issue depending on the scope, the specific setup of the system and the loads it needs to handle. In this regard, conventional systems can have an edge over blockchain due to their robustness.
At the end of the day, the decision whether or not to opt for a blockchain-based (or hybrid) system is influenced by a lot more factors than just the legal boundaries of the GDPR. System performance, feasibility (in a certain context), and a realistic assessment of the expected advantages and disadvantages compared to a conventional system count at least as much.
GDPR restricts how we can use blockchain technology to refine and rethink our existing IT ecosystems, and we certainly need to take the boundaries it sets into account when designing blockchain-based systems. However, GDPR is by no means a complete show-stopper for the development of blockchain-based business applications.
With this being said, I think it is also important to point out that many people expect blockchain to solve problems they face that are not caused by, or even related to, the software solutions they use today. If, for the sake of illustration, suppliers deliberately enter wrong data into a conventional supply chain solution, the switch to a blockchain-based solution will not change their behavior or increase the quality of your data. Therefore, I consider a realistic and comprehensive assessment of the advantages and disadvantages of blockchain in a concrete scenario to be most critical. This assessment would also have to include the GDPR.