By Barry Mccormack

What is the Bitcoin/Privacy conundrum ?

Updated: Nov 11, 2021




Bitcoin, Privacy and the GDPR Compliance Conundrum


Bitcoin and Central Bank Digital Currencies (CBDC) are making headlines more than ever: today the Bank of England and the Treasury have launched their consultative document on a UK CBDC. They are behind others, as China and the European Union are already well on their way with their investigations, and El Salvador has already made Bitcoin official legal tender. However, many privacy campaigners (and some governments, including China) are unhappy with what I call the Bitcoin privacy conundrum. To understand it, you need to understand open blockchain networks.


Cryptocurrencies such as Bitcoin use a blockchain architecture. A blockchain is a peer-to-peer system for recording information in a way that makes altering a record, or spending the same coin twice, computationally impractical and publicly detectable. It is not literally impossible to hack, but it removes any single point at which the record could be quietly changed.


Transactions on public blockchain networks like the one Bitcoin uses raise several concerns about control of compliance, because control is devolved (decentralised) to the participants on the network. Bitcoin has no central authority, no central server and no central storage, and the ledger is public.


Blockchain basics

Bitcoin's blockchain uses a decentralised approach to verifying and synchronising financial transactions. Blockchains are designed to do without a trusted central financial intermediary; this is the premise of decentralised finance (DeFi). The data is distributed between many parties to achieve resilience, and it is processed and stored in a decentralised way. Nodes on the network independently verify every block before accepting it.


The cryptographic hash that a blockchain uses gives a digital fingerprint of the data. It is a one-way function, not an encryption key: there is no key that turns the hash back into the data. Hashing is the process of passing data through an algorithm that produces a fixed-size result, whatever the size of the input; imagine that result as a very large number of a fixed size. Any change to the input, however small, produces a completely different fingerprint.


Crucially, the GDPR Article 29 Working Party opined on the topic of hashed data and said it was pseudonymised, and therefore personal data subject to the GDPR. Note that Bitcoin owners are not explicitly identified, but every transaction is tied to their Bitcoin address (itself derived from a hash of their public key), which pseudonymises the data rather than anonymising it.
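To make the Working Party's point concrete, here is an added example in Python (my own illustration, not code from the original post or from Bitcoin). It shows that a hash is a fixed-size fingerprint of its input, and that hashing a low-entropy identifier such as a name does not anonymise it: the digest is deterministic and unkeyed, so anyone holding a list of candidate inputs can recompute each digest and re-link it. The list of subjects is constructed sample data. The same property is what lets a reused Bitcoin address act as a stable pseudonym across transactions.

```python
"""Hashing as a fingerprint, and why a hash of personal data is
pseudonymised rather than anonymised.

Added example, not code from the original post or from Bitcoin.
The list of subjects is constructed sample data."""
import hashlib
from typing import List, Optional


def fingerprint(data: bytes) -> str:
    """SHA-256 digest as hex: always 64 hex characters (256 bits),
    however large or small the input is."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(h1: str, h2: str) -> int:
    """Number of bits that differ between two hex digests.  Used to show
    the avalanche effect: a one-character change in the input flips a
    large fraction of the 256 output bits."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


# Constructed sample data subjects.  A name (or an email address, a
# national ID number, ...) is exactly the kind of low-entropy value that
# gets hashed in the belief that the result is anonymous.
SUBJECTS: List[str] = ["alice", "bob", "carol", "dave"]


def pseudonymise(name: str) -> str:
    """Replace a name with its unsalted SHA-256 digest, as many systems do."""
    return fingerprint(name.encode("utf-8"))


def reidentify(digest: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: because the hash is deterministic and unkeyed,
    anyone with a list of plausible inputs can recompute each digest and
    match it.  This is why the Article 29 Working Party treats hashed
    identifiers as pseudonymised (re-linkable), not anonymised."""
    for candidate in candidates:
        if pseudonymise(candidate) == digest:
            return candidate
    return None


def same_subject(d1: str, d2: str) -> bool:
    """Two records carrying the same digest belong to the same subject, so
    the digest is a stable pseudonym across datasets, just as a reused
    Bitcoin address links all of its transactions to one owner."""
    return d1 == d2


if __name__ == "__main__":
    print("sha256('') =", fingerprint(b""))
    print("10 kB input still gives", len(fingerprint(b"x" * 10_000)), "hex chars")
    print("bits changed by a one-char edit:",
          differing_bits(fingerprint(b"hello"), fingerprint(b"hellp")))
    leaked = pseudonymise("carol")      # what a "hashed" dataset exposes
    print("re-identified:", reidentify(leaked, SUBJECTS))
```

The attack in `reidentify` only needs the candidate list to contain the true input; for names, addresses or account numbers that list is small and often public, which is why an unsalted hash of an identifier is never "anonymous" in the GDPR sense.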


Criminal Activity and identity

Criminals have in the past exploited pseudonymised data to hide, creating the first conundrum for the GDPR. A debate arose over whether a natural living person can always be identified from such data. Article 4(1) of the GDPR tells us that personal data is any information relating to a data subject who can be identified directly or indirectly. It follows that, if these criminals could be identified easily, why are so many still using Bitcoin as a way of collecting ransoms?


To answer this question, we must look to the new technologies. We now have companies who specialise in identifying the individuals behind Bitcoin addresses, and they are employed by national governments to trace criminals. So it looks like the determination that a Bitcoin address is personal data, albeit pseudonymised, will stand, as individuals can be and have been identified using tracing technology.


For example, it is well publicised that companies like Chainalysis have traced Bitcoin transactions to individuals and assisted the US Government in getting the Russian broker Suex sanctioned and banned for moving cryptocurrency from illicit sources. Suex had received millions from those involved with ransomware, scams and dark web operations. The Chainalysis software tracked the movements, mostly in Bitcoin, Ether and Tether. Funds can certainly be tracked more easily once a Bitcoin exchange is used, as exchanges hold a record of your personal identity and link it to your addresses.


BitCoin Ledgers

Bitcoin transactions are not private. The ledger publishes them on a public network and is "append only", which means data can be added but never removed in normal operation (only a reorganisation of the most recent blocks, an extraordinary event, can drop a transaction). Anyone can follow the transactions of a wallet provided they know its address. Therefore everyone on the network can view the data and the whole ledger.


It is not possible to change the data, by design. Transactions on the blockchain are immutable because each block commits to the hash of the previous one: altering a transaction changes its block's hash and breaks the link from every later block, which the network would reject. The whole point is that you cannot change a transaction once it is recorded.


These blocks therefore operate as persistent storage, in that they are never destroyed, and they are secure because they cannot be changed without detection.
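Here is a minimal append-only hash chain, added as an illustration (not code from the original post, and far simpler than Bitcoin, which also adds proof-of-work and thousands of replicas) to show why a recorded transaction cannot be edited or erased quietly. The transactions are constructed sample strings, and the "published tip hash" stands in for the block hash that every other node on the network already holds.

```python
"""Minimal append-only hash chain, added as an illustration (not code
from the original post or from Bitcoin).  Shows why editing or erasing
a recorded transaction is detectable: every later block commits to the
hash of the block before it.  Transactions are constructed samples."""
import hashlib
import json
from typing import List, Optional

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


class Block:
    def __init__(self, index: int, prev_hash: str, txs: List[str]) -> None:
        self.index = index
        self.prev_hash = prev_hash
        self.txs = list(txs)

    def serialize(self) -> bytes:
        # Canonical encoding so the hash covers the index, the link to the
        # previous block and every transaction in order.
        body = {"index": self.index, "prev": self.prev_hash, "txs": self.txs}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def hash(self) -> str:
        return hashlib.sha256(self.serialize()).hexdigest()


class Chain:
    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, txs: List[str]) -> Block:
        prev = self.blocks[-1].hash() if self.blocks else GENESIS_PREV
        block = Block(len(self.blocks), prev, txs)
        self.blocks.append(block)
        return block

    def tip_hash(self) -> str:
        return self.blocks[-1].hash() if self.blocks else GENESIS_PREV

    def first_broken_link(self) -> Optional[int]:
        """Index of the first block whose stored prev_hash no longer matches
        the recomputed hash of its predecessor, or None if all links hold."""
        prev = GENESIS_PREV
        for block in self.blocks:
            if block.prev_hash != prev:
                return block.index
            prev = block.hash()
        return None

    def verify(self, published_tip: str) -> bool:
        """Full check: internal links intact AND the tip equals the hash the
        rest of the network has already recorded.  The second condition is
        what catches an edit to the newest block, which has no successor."""
        return self.first_broken_link() is None and self.tip_hash() == published_tip


def build_sample_chain() -> Chain:
    chain = Chain()
    chain.append(["alice->bob:1"])      # constructed sample transactions
    chain.append(["bob->carol:1"])
    chain.append(["carol->dave:1"])
    return chain


def erase_transaction(chain: Chain, block_index: int, tx: str) -> Optional[int]:
    """Simulate honouring an Art 17 erasure request by rewriting history in
    place.  Returns the index of the first block whose link now fails, or
    None when the edit hit the tip and only the published hash reveals it."""
    chain.blocks[block_index].txs.remove(tx)
    return chain.first_broken_link()


if __name__ == "__main__":
    chain = build_sample_chain()
    published = chain.tip_hash()        # what every other node already holds
    print("intact:", chain.verify(published))
    print("erasing in block 0 breaks the link at block",
          erase_transaction(chain, 0, "alice->bob:1"))
    print("verify after edit:", chain.verify(published))
```

Two things to notice: removing a transaction from an old block breaks the link at the very next block, and removing one from the newest block leaves every internal link intact, which is why the comparison against the hash other nodes have already recorded matters. Honouring an erasure request would therefore mean every node agreeing to rewrite and re-publish the chain from that block onwards.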

GDPR Principles & Rights and Bitcoin

Pseudonymised data is categorised as personal data under the GDPR. So where do Bitcoin privacy campaigners have objections?


The right to erasure (Art 17) is impossible to honour in a blockchain if we have eternal persistent storage.

The right to rectification (Art 16) is not possible due to the immutable nature of the transactions, which is exactly what the security depends on.

The right to restrict processing (Art 18) or to object to processing (Art 21) is equally not possible.

The safeguards for international transfers (Art 44-50) are not met in a transparent way, as the nodes holding copies of the ledger may be anywhere in the world.

The principle of purpose limitation is void, as there is no control over who processes your data or why.

It is very difficult to identify who the controller of the data is in a blockchain that consists of several transactions (Art 24-43). There is no control of the data in a block, as it is shared between everyone running a node. Does that make them all controllers? This question of who the controller is has caused much debate, which I won't elaborate on for the sake of brevity.

Data retention policies cannot be applied to persistent storage, and with no controller to service the data subject rights it is hard to see how we can align with the GDPR. Hence we have the Bitcoin/GDPR conundrum.


Improved Governance

Data Protection by Design and by Default needs to be planned into new blockchain use-cases for blockchain technology to align with data protection legislation. Some new initiatives keep users' personal information "off chain", allowing only permissioned access through trusted parties, and link each off-chain record to the chain by recording a hash of it (ideally a keyed or salted hash) rather than the data itself.
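The following is an added example of that off-chain pattern (my own illustration, not code from the original post or from any named product). The public ledger and the permissioned off-chain store are plain in-memory structures, an assumption standing in for a real chain and database, and the records are constructed sample data. It contrasts a plain hash commitment, which can be re-linked from a guess of the record, with a keyed commitment whose key lives only in the off-chain store, so that deleting the record and its key (sometimes called crypto-shredding) leaves the on-chain value unverifiable even though it can never be removed.

```python
"""Off-chain personal data with an on-chain keyed commitment.

Added example, not code from the original post or from any named
product.  The public ledger and the permissioned off-chain store are
plain in-memory structures here (an assumption standing in for a real
chain and database); the records are constructed sample data."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple


def canonical(data: dict) -> bytes:
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def plain_commitment(data: dict) -> str:
    """Unkeyed hash of the record.  Anyone who can guess the record can
    recompute this and link it, so it stays a pseudonym for ever."""
    return hashlib.sha256(canonical(data)).hexdigest()


def keyed_commitment(key: bytes, data: dict) -> str:
    """HMAC-SHA256 under a per-record random key.  Without the key the
    commitment cannot be recomputed from a guess of the data."""
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()


class OffChainStore:
    """Permissioned store run by a trusted party: holds the personal data
    and the per-record key.  This is the only place the link exists."""
    def __init__(self) -> None:
        self.records: Dict[str, Tuple[dict, bytes]] = {}


class Ledger:
    """Public, append-only: holds record ids and commitments, never data."""
    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []

    def commitment_for(self, record_id: str) -> Optional[str]:
        for rid, commitment in self.entries:
            if rid == record_id:
                return commitment
        return None


def register(store: OffChainStore, ledger: Ledger, record_id: str, data: dict) -> str:
    key = os.urandom(32)                 # fresh random key per record
    store.records[record_id] = (data, key)
    commitment = keyed_commitment(key, data)
    ledger.entries.append((record_id, commitment))
    return commitment


def prove(store: OffChainStore, ledger: Ledger, record_id: str) -> bool:
    """A permitted party holding the off-chain record shows that it matches
    what the chain committed to."""
    rec = store.records.get(record_id)
    onchain = ledger.commitment_for(record_id)
    if rec is None or onchain is None:
        return False
    data, key = rec
    return hmac.compare_digest(keyed_commitment(key, data), onchain)


def erase(store: OffChainStore, record_id: str) -> None:
    """Honour an erasure request off chain: delete the data and its key.
    The commitment remains on the append-only ledger, but nothing can now
    recompute or verify it (key destruction, often called crypto-shredding)."""
    store.records.pop(record_id, None)


def relink(commitment: str, candidates: List[dict], key: Optional[bytes] = None) -> Optional[dict]:
    """Try to re-link an on-chain commitment from guessed records.  With no
    key the guess is a plain hash, which defeats plain_commitment; a keyed
    commitment is only re-linkable by someone who also holds the key."""
    for cand in candidates:
        guess = plain_commitment(cand) if key is None else keyed_commitment(key, cand)
        if hmac.compare_digest(guess, commitment):
            return cand
    return None


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    alice = {"name": "Alice Example", "iban": "GB00TEST00000000000000"}  # constructed
    onchain = register(store, ledger, "rec-1", alice)
    print("proof before erasure:", prove(store, ledger, "rec-1"))
    print("plain hash re-linked:", relink(plain_commitment(alice), [alice]) is not None)
    print("keyed commitment re-linked without key:", relink(onchain, [alice]) is not None)
    erase(store, "rec-1")
    print("proof after erasure:", prove(store, ledger, "rec-1"))
    print("commitment still on chain:", ledger.commitment_for("rec-1") == onchain)
```

The caveat a practitioner should keep in mind is that while the key exists the party running `OffChainStore` can link the commitment to a person, so the on-chain value is still pseudonymised personal data and that party looks very much like a controller; the scheme narrows the GDPR problem to one identifiable party rather than removing it.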


However, using a permissioned blockchain with off-chain storage still presents problems, as data transparency is reduced: you cannot see who is holding the data behind a block. This would still present a problem for know your client (KYC) and anti-money laundering (AML) regulations and could contribute to increased criminal activity. Also, this approach still creates pseudonymised data (whoever holds the off-chain record can link the on-chain hash back to a person), and therefore personal data, so the GDPR still applies.


Technologies that claim to bridge the new DeFi blockchain approach and the old centralised monetary systems can solve the KYC and AML problems by applying the regulations before funds reach the DeFi network. Bitcoin exchanges can also help with this problem. However, most new approaches seem to make bland, unsubstantiated assertions that they are GDPR compliant without justifying how. It is difficult to see how this can be reconciled with compliance using blockchain.


These developments are evolving at a staggering rate, and the jury is still out on whether any new use case can solve these problems and align with the data protection principles.


To consult with me on this topic, please email barryjmccormack@rocketmail.com



