Barry Mccormack

Blockchain and the GDPR issue explained - Quick read

Blockchain permissionless networks are now a trillion-dollar business, but this popular use-case of Blockchain is not compliant with GDPR. What's the problem?


The legal governance tension between GDPR and Blockchain is best illustrated by a public un-permissioned network, where any individual is allowed onto the network. In this type of network, we have a decentralised network of participants with no central controller of data. The GDPR is based upon an underlying assumption that there is a Controller of Data against whom individuals can enforce their rights under EU data protection law (GDPR Article 5). When Blockchain is running on a public permissionless network, participants are not known to each other, and with many distributed players there is no consensus on who the Joint Controller is. Decentralisation of un-permissioned individuals onto the network is a problem for GDPR: it obscures accountability and responsibility, resulting in a lack of enforceability of GDPR.


GDPR - Data needs to be modifiable


The GDPR is also based upon an assumption that data can be modified to meet legal requirements. The Blockchain ledger is “append only”: data can be added but cannot be removed except in extraordinary circumstances. Articles 16 to 22 of the GDPR give the individual rights over their personal data. For example, Article 17 gives the Right to Erasure, Article 18 the Right to Restrict Processing and Article 22 the Right not to be subject to a decision based solely on automated processing. However, once a block is verified on the Blockchain it is regarded as immutable, and reversing it is difficult because it is computationally impractical. Blockchain modification is purposely onerous, as this is what gives a transaction its trusted status. This makes it practically impossible to satisfy data subject rights in this type of network.

The Data Minimisation Problem


As Blockchain is “append only”, the chain keeps increasing in size and is replicated to many different computers, which is a problem for the GDPR principle of data minimisation (Art 5(c)). Under GDPR, processing of personal data is not meant to continue indefinitely.


Blockchain does not use anonymous data


Key to understanding the GDPR conundrum is understanding how the data on a public permissionless Blockchain network is used. Data on this type of Blockchain ledger is not truly anonymous, because it is pseudonymised data. An individual is de-identified to an extent, but they can still be linked to a real-life identity with the use of additional information. Such data is classified as personal data under GDPR (Recital 28). In the EU and UK, when personal data is processed, the GDPR applies; other countries have similar data protection laws. Each actor in a transaction involving personal data, whether Sender, Receiver or Miner, must demonstrate that they are compliant with GDPR, and in this type of network they are not.


Who is the Controller of data?


Data subject rights and the lack of an identifiable Controller of Data are not the only problems. Processors such as miners also have obligations: appropriate technical and organisational measures to protect the privacy of individuals must also be undertaken by Processors. GDPR Article 28 obliges Controllers of data to vet Processors and Sub-Processors to ensure they take the appropriate privacy measures. In a decentralised system which is “off-exchange” with a large Blockchain this is hard to achieve, and positive vetting of the sender and receiver does not occur. Another example concerns International Transfers of personal data outside of the EU/UK. These transactions must have defined safeguards, which are currently not being applied in the decentralised public Blockchain ledger system (GDPR Article 44).


Design and use-case of Blockchain


It is important to note that Blockchain is a class of technology with many different versions and use-cases, which adds to the complexity of governance. We have outlined here a popular use-case, as used by many cryptocurrencies. The Blockchain architecture can be designed to work; however, the design needs to change. For instance, it is easier for private and permissioned networks to comply. In a permissioned network, as opposed to an un-permissioned network, the participants are known to each other. In this type of network we have a Data Controller in place, participants can be excluded, and who has access can be controlled. We can therefore design governance controls to treat data in a compliant manner, as the Controller of Data has a data management capability and can exercise the requirements of GDPR.
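To make the append-only problem above (and the "design needs to change" point) concrete, here is an added Python example, not from the post or any blockchain project, that builds a toy hash-chained ledger: blanking a personal-data record in place breaks verification, which is why on-chain erasure is impractical. The alternative in `build_commitment_chain` is an assumed design the post does not describe: only a salted hash of each record goes on chain, so a named controller can erase the record off-chain without invalidating the chain. All function names and the sample records are constructed for this example.

```python
import hashlib
import secrets

GENESIS = "0" * 64

def block_hash(prev_hash: str, payload: str) -> str:
    # Each block commits to its predecessor's hash and its own payload.
    return hashlib.sha256((prev_hash + "|" + payload).encode()).hexdigest()

def build_chain(payloads):
    # Append-only ledger: every block is linked to the previous one by hash.
    chain, prev = [], GENESIS
    for payload in payloads:
        h = block_hash(prev, payload)
        chain.append({"prev_hash": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def verify_chain(chain) -> bool:
    # What every node re-checks: links and hashes must agree from genesis on.
    prev = GENESIS
    for blk in chain:
        if blk["prev_hash"] != prev or block_hash(prev, blk["payload"]) != blk["hash"]:
            return False
        prev = blk["hash"]
    return True

def erase_in_place(chain, index):
    # Honouring an Article 17 request by blanking a block's payload on chain.
    edited = [dict(b) for b in chain]
    edited[index]["payload"] = ""
    return edited

def build_commitment_chain(records):
    # Alternative design (an assumption, not described in the post): only a
    # salted hash of each record goes on chain; the record itself sits in an
    # off-chain store that a named controller can delete from. The salt stops
    # re-identification by hashing guessed values such as names or e-mails.
    store, payloads = {}, []
    for rec in records:
        salt = secrets.token_hex(16)
        commitment = hashlib.sha256((salt + rec).encode()).hexdigest()
        store[commitment] = (salt, rec)
        payloads.append(commitment)
    return build_chain(payloads), store

# Constructed sample records: personal data written straight onto the ledger.
RECORDS = ["alice@example.org paid 1.2 coins", "bob@example.org paid 0.3 coins"]
```

Erasing the off-chain record leaves only an unlinkable salted hash on chain, while `verify_chain` still returns `True` for every node.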


Final thoughts

Blockchain can be designed to avoid the above-mentioned pitfalls; however, the use-case of the popular public un-permissioned Blockchain network clearly does not work for data governance laws.

If you want to consult with our experts on this issue, please contact barrymc@GDPRLegalConsultants.com


For further reading see the CNIL blog here.


For a primer on blockchain read here and here.
