Why Blockchain Poses an Unusual Challenge for GDPR Compliance
Many of GDPR's biggest mandates are fundamentally incompatible with blockchain technology. How can blockchain operators find common ground with the new regulation?
May 25, 2018 at 08:00 AM
With the deadline for those serving EU customers to prepare for the General Data Protection Regulation (GDPR) finally here, companies are tightening up information governance structures, sending out new privacy policy updates to consumers, and preparing for the regulation's mandate that individual consumers be able to request the return and erasure of their personal data from big companies.
Blockchain technology companies, however, are worried they may not be able to do enough to comply with their GDPR obligations. Not because they don't want to, but because they can't.
Because of the way that blockchain technology is structured, the GDPR poses what some have called the “blockchain-GDPR Paradox”: In an effort to protect consumer control of information, the GDPR requires that organizations erase any personal information. However, in an effort to protect consumer control of information, blockchain is structured to retain information indefinitely.
“It's an issue that has many lawyers and other people who work in the blockchain space crashing their heads,” Bess Hinson, senior associate at Morris, Manning, & Martin, told Legaltech News.
“One of the problems is that the GDPR was developed based on this assumption that we can identify the data controller, the person who collected the personal data, and that person would remain in control of the data,” Hinson explained, adding that the regulation's authors had an eye toward cloud service providers, who can manage data through contractual provisions when working with third-party groups.
“Blockchain is not built under those assumptions. It becomes much more difficult under the regulation under those assumptions in terms of how to govern and control where the data is to whom it's transferred and who can access it,” Hinson noted.
At Odds With Innovation
Blockchain identity solutions are secured by an append-only ledger whose data is copied and distributed across multiple nodes, making it essentially impervious to tampering. Blockchain-based identity projects, like the Sovrin Foundation, have attempted to use this structure to allow individual people to verify their own personal information, and be more selective in the data they choose to share with companies.
Part of the contradiction around GDPR and blockchain, Baker & Hostetler partner Laura Jehl explained, is that both seem to have the same ultimate goal. Blockchain-based identity solutions, where blockchain's ledger infrastructure retains personal information, “are intending to do a lot of the same things that GDPR aspires to, which is give individual control over their data,” Jehl explained.
Nevertheless, blockchain technologists are left scratching their heads as to how to appropriately comply with some of GDPR's specific mandates. A recent study from cloud data management company Veritas Technologies found that nearly 40 percent of U.K. consumers plan to take advantage of GDPR's “right to be forgotten” policy within six months of the regulation's May 25 effective date. The industry most likely to be subjected to these requests, according to the report, is financial services, with 56 percent of those polled indicating that they intend to retrieve personal data from these organizations.
Stripping that data out and handing it back isn't particularly feasible for blockchain-based companies. “That doesn't work on a blockchain because it's immutable. The whole point is that it's immutable,” Jehl noted.
However, as written, the GDPR does not specifically define “erasure” of data, meaning that blockchain technologists have a little more leeway to develop compliant solutions. Anonymized personal data theoretically wouldn't be covered under GDPR, but pseudonymization, where a hash or encrypted pointer acts as a reference to personal data (but remains inaccessible to blockchain operators), is a little iffier.
“One way to think about it is that it has to be truly anonymized, at least as to the blockchain's creator. They have to not be able to reidentify it,” she said.
Under GDPR, data “controllers” are subject to the regulation's obligations, a designation that remains somewhat unclear where blockchain is concerned. “In an open blockchain”—that is, a blockchain operated without any specific permissioning—“every individual that adds data to that blockchain could be considered a data controller,” Hinson said.
Maarten Stassen, Brussels-based senior counsel at Crowell & Moring, noted that individual blockchain operators need to consider the role they play with respect to data housed in the blockchain they operate. “Depending on the type of blockchain, you need to check whether the user is the data subject, the individual protected, or the controller,” he noted.
Some organizations operate blockchains somewhat like a physical storage unit, allowing people to store encrypted information on the blockchain without themselves holding decryption keys. “If they're not the controllers, they don't have to comply with the obligations, you can control it how you want to, on the back end of it,” Jehl noted.
Other blockchain organizations have considered variants such as private, off-chain storage secured through only a few nodes, which would keep anyone outside those channels blind to the information kept there.
While these solutions may be viable now, Jehl pointed out that blockchain companies may not be able to rely on them indefinitely. Forthcoming technological advances like quantum computing may allow cyberattackers to decrypt currently unbreakable encryption in the future, which could make pseudonymized data re-identifiable. “It's good now, but for how long?” she noted of the strategy.
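The “hash or encrypted pointer” approach and the off-chain storage variant described above can be made concrete with a small model. The following is an added example, not code from the article or from any project it names: it assumes a toy append-only list as the ledger and an in-memory dictionary as the controller's off-chain store. Only a salted commitment (SHA-256 over a fresh random salt plus the personal data) ever goes on the ledger; the salt and the data live off-chain. An erasure request is honoured by deleting the off-chain record, salt included. The ledger entry remains, but it can no longer be verified or re-linked to the person. The example also shows why the salt matters: an unsalted hash of a low-entropy value such as an e-mail address is trivially re-linked from a list of plausible values, which is exactly the re-identification risk that keeps pseudonymized data inside GDPR's scope.

```python
"""Toy 'commitment on-chain, personal data off-chain' pattern.

Added example; not the article's or any named project's code.
Assumptions: a Python list stands in for an append-only ledger,
a dict stands in for the controller's off-chain store.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def commit(salt: bytes, data: bytes) -> str:
    """Commitment = SHA-256(salt || data).

    With a fresh 32-byte random salt the digest alone tells an observer
    nothing about `data`; without the salt, guessing it is infeasible.
    """
    return hashlib.sha256(salt + data).hexdigest()


@dataclass
class Ledger:
    """Append-only: entries can be added, never changed or removed."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def append(self, record_id: str, commitment: str) -> int:
        self.entries.append((record_id, commitment))
        return len(self.entries) - 1


@dataclass
class OffChainStore:
    """Mutable store under the controller's control; erasure happens here."""
    records: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    def put(self, record_id: str, data: bytes) -> bytes:
        salt = secrets.token_bytes(32)
        self.records[record_id] = (salt, data)
        return salt

    def erase(self, record_id: str) -> bool:
        # Deleting salt + data is the erasure step; returns False if already gone.
        return self.records.pop(record_id, None) is not None


class Controller:
    def __init__(self) -> None:
        self.ledger = Ledger()
        self.store = OffChainStore()

    def register(self, record_id: str, data: bytes) -> int:
        salt = self.store.put(record_id, data)
        return self.ledger.append(record_id, commit(salt, data))

    def verify(self, record_id: str, claimed: bytes) -> bool:
        """Can the controller still prove `claimed` is what was committed?"""
        if record_id not in self.store.records:
            return False  # salt is gone, so nothing can be re-derived
        salt, _ = self.store.records[record_id]
        target = commit(salt, claimed)
        return any(r == record_id and c == target for r, c in self.ledger.entries)

    def erase(self, record_id: str) -> bool:
        return self.store.erase(record_id)


def dictionary_reidentify(commitment: str, candidates: List[bytes],
                          salt: bytes = b"") -> Optional[bytes]:
    """Try to re-link a digest to one of a list of plausible values.

    Succeeds against an unsalted hash of low-entropy data; fails against a
    salted commitment once the salt has been deleted.
    """
    for candidate in candidates:
        if commit(salt, candidate) == commitment:
            return candidate
    return None


def demo() -> Tuple[bool, bool, int, Optional[bytes], Optional[bytes]]:
    ctrl = Controller()
    email = b"alice@example.com"  # constructed sample value
    plausible = [b"bob@example.com", email]  # constructed guess list
    idx = ctrl.register("subject-1", email)
    before = ctrl.verify("subject-1", email)   # True: record is live
    ctrl.erase("subject-1")
    after = ctrl.verify("subject-1", email)    # False: salt deleted
    ledger_len = len(ctrl.ledger.entries)      # still 1: ledger is immutable
    # Unsalted hash of the same e-mail: re-linked from a short guess list.
    guess = dictionary_reidentify(commit(b"", email), plausible)
    # Salted commitment left on the ledger: the same guess list fails.
    stuck = dictionary_reidentify(ctrl.ledger.entries[idx][1], plausible)
    return before, after, ledger_len, guess, stuck


if __name__ == "__main__":
    print(demo())
```

Because unlinkability after erasure rests on the deleted 256-bit salt rather than on a decryption key, this variant does not depend on an encryption algorithm staying unbroken; a design that instead leaves encrypted personal data on the chain and destroys the key is the one exposed to the long-term decryption concern raised above.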
Regulatory Reconciliation
Though attorneys see a viable legal argument for each of these solutions, few know exactly what to expect for blockchain organizations after the May 25 deadline for GDPR. As it stands, some blockchain infrastructure is simply incompatible with the regulation as written. “For open blockchain, your compliance is likely not possible in the immediate time frame coming up on the enforcement deadline,” Hinson said.
While the European Union is clearly not keen on being left out of the potential technological revolution promised by blockchain technology, Jehl doesn't expect that regulators will be making any special case amendments to the regulation right off the bat. “I don't think they're in the mood to carve out exceptions in GDPR right this second,” Jehl said.
For the time being, cracking down on personal information living in blockchain infrastructure seems to be a low priority for regulators. “I don't think blockchain will be targeted in the initial months, or the first year. I think resources will be devoted elsewhere,” Hinson said.
“The challenge they have in the deadline is to work with all the legacy systems. The IT person is always being asked not to lose any information, but systems are not set up to delete information,” Stassen agreed.
Some of the risk to blockchain companies, Stassen noted, is not in blockchain technology itself, but in the legacy systems it may be connected to: “It's very easy for these new technologies to fall in scope. The awkward thing is that the new technology is more likely to be in scope because of the old technology that's linked to it.”
Further down the line, Jehl expects that blockchain will likely grow adjacent to the regulation. “It really is an emerging technology. The direction it will emerge will be guided by GDPR,” she said.
Blockchain operators, Jehl believes, see the opportunities to align their technology with the GDPR's ultimate goals. “They're much more focused on the opportunities to use blockchain to do what GDPR wants, which is data minimization and only sharing data you wish to share and you control,” she said.