For a couple of months, the topic of Blockchain and GDPR laws compliance has been the talk of the town especially among circles of Blockchain related businesses. On one hand, the skeptics believe it is impossible for an immutable technology and GDPR to co-exist while on the other hand, optimists think there is a way around it. One of the biggest bottlenecks that most Blockchain businesses have been grappling with is the provision by the GDPR on the ‘right to erasure’.
What do the GDPR laws say about erasure?
So far, Article 17 of the GDPR does not give a clear definition of the word erasure. The regulator, however, demands businesses to erase the “personal data of individuals when they request to be forgotten.” To put it simply, GDPR requires that companies make it easy to withdraw consent as easy as it is to give it.
The right to be forgotten (also known as the right to erasure) gives EU citizens a capacity to halt any third party data processing of their data.
The implementation of the EU GDPR is designed to prevent cases such as the 87 million people who got affected by the Facebook data privacy scandal. As a result of the scandal, Facebook is now facing a fine of over half a million USD from Britain’s Information regulator. The GDPR has also set up hard penalties for companies that violate its laws. As a penalty, organizations that breach the GDPR provisions are set to be fined a “4 percent annual global turnover or 20 million pounds.”
As you can see, the issue of compliance to GDPR for Blockchain-related companies with customers in Europe is pretty serious with a hard set of requirements to be fulfilled. That is why experts have been searching to find loopholes in Blockchain that can allow for complete erasure of data.
How does Blockchain work?
Keep in mind that one of the key features of Blockchain technology is immutability. This means that once data is entered into a block, it cannot be edited or deleted. The entire architecture of how Blockchain works make compliance to GDPR a complicated matter.
We can define Blockchain as a distributed network of computers that maintain and update a single ledger. To ensure that all the computers on the network are updating the ledger with the right information, all the computers on the network need to come up with agreeable laws and consensus protocols that give instructions on who will update the ledger and when.
Bitcoin, for instance, uses a protocol called Proof of Work that requires computers interested in updating the ledger to compete by solving complex puzzles. The computers that solve the puzzle in the shortest period will get the opportunity to update the ledger. Once data is updated to the ledger, it cannot be reversed. The only possible way to reverse or edit the data is if more than 50 percent of the computers on the network agree to change the records. Since the network is distributed, getting all nodes to agree once again is difficult.
Therefore, editing or deleting data on a Blockchain is not entirely impossible however it is very difficult especially with a Proof of Work consensus protocol like Bitcoin. The reason for this is so that it would cost more in terms of electricity and resources just to change one block on the chain thus getting rid of all incentives to alter the data in the blocks.
Solutions to enable compliance to GDPR
With this in mind, companies that use Blockchain technology to store personal data will find it extremely difficult to comply with regulations that require that data be made easy to erase. GDPR laws, after all, insist that any personally identifiable data should fall under Article 17. However, a couple of solutions have been suggested.
Forking the Blockchain
This is a process that allows the business entity to create a new Blockchain out of the existing one. This can help delete the personal data that was previously stored on the previous Blockchain. To reduce the computational effort that is normally required to achieve this, the organization can switch from a PoW consensus to a less demanding consensus protocol like PoS consensus.
Storing data off-chain
While forking a Blockchain can seem like a viable option, the entire process defeats the purpose of using it in the first place. If the organization has the power to fork the chain any time a request to delete data is made, then the user whose data is recorded on the network has no real control over the data as required by GDPR guidelines. To solve this, a hash (digital thumbprint) can be created and stored on the immutable Blockchain, while the actual document containing the personal identification data is stored off the chain. Although this solution also seems viable, it would once again present a new problem of too much centralization where users depend entirely on the trustworthiness of the central entity.
Deleting encryption keys
Lastly, let’s look at a solution that encryption experts suggest as the most viable alternative. Accounts on a Blockchain network are protected by encryption keys. Without these keys, it would be impossible to have access to any of the data stored on the Blockchain. Experts suggest that an easy way to delete data is to destroy the encryptions keys that would thus render the personally identifiable data in the clients account inaccessible. Yes, the data would still exist in the network, but without the keys, no one would have access to it. However, one of GDPR’s stipulations requires that all references to an individual’s data need to be erased. Therefore, the jury is still out on whether GDPR officials can accept this as data erasure.
Blockchain and GDPR
Whichever way you put it, there is still a lot of clarification required to clear out the confusion between GDPR’s stipulations and Blockchain’s capabilities. Until GDPR is amended or hybrid Blockchain projects such as the Hyperledger by the Linux Foundation are fully developed for an enterprise, more businesses will have to approach the matter with caution.