The Bittersweet Relationship Between Blockchain and GDPR

With the GDPR now in full effect, improving upon the currently bittersweet regulatory relationship between Brussels and blockchain networks is critical. Thanks to its unique structural advantages and decentralized framework, blockchain technology is a true enabler of innovation worldwide, but this makes its pragmatic regulation an especially tricky task. While advising the European Commision and the Bundestag as a contributor to the German Blockchain Association, and in particular co-authoring the position paper on Blockchain, Privacy and the GDPR, I have seen firsthand just how important it is to achieve the right level of understanding between regulators and innovators – as well as the potential consequences of misunderstanding the process. When it comes to GDPR compliance, the blockchain is as much an asset as it is an obstacle on the path to supporting online privacy.

Blockchain: Technology Unchained

Blockchain is as the name suggests; a chain of blocks of transactions, linked together through a secure code that ensures its integrity. Within these public networks, no single party is in control. The network is distributed, the important tasks are financially incentivized and there is no off switch. All players in the network are equal. Such an environment enables disintermediation, bypassing middlemen, and a true peer to peer economy.

This is in stark contrast to say, email, where there is a clear institutional middleman in the form of a host (Google, Yahoo, etc) and one is not really sending as much as they are duplicating information. When a user emails another user a photograph, for example, they are copying something from one place to another, but it also remains on the original computer.

Although this is fine for sending images and text, it is obviously problematic when sending a payment: you would duplicate money, which defeats its purpose. Blockchain registers transactions differently. With bitcoin, for example, peer-to-peer transactions can be proposed by anyone. Miners (those verifying and including the transactions for a reward) ensure that the sender has the funds and permissions, followed by proposing inclusion in a new block. Indeed all blockchain entities exist inside an environment where transactions are authenticated through a network of nodes that ensure each action correlates with a history of previous transactions. It is not any particular individual, but math and clear rules that regulate the blockchain.

When Things get Bitter

Though this is great for cryptocurrencies, the distributed nature is not helpful when trying to establish responsibilities as ‘clearly’ defined by the GDPR. That is, if person or institution is responsible for protecting data after it is collected, and who will be responsible to comply with subject requests. Additionally, the incentive structure that keeps blockchain networks running can be at odds with how regulators look at personal privacy. Regulators are used to dealing with institutions that assume a central responsibility in their activity. Blockchain, on the other hand, self-regulates with a decentralized approach.

If Facebook, for example, experiences a data breach, they are regarded as responsible under the GDPR for losing that data because they are the party that collected it. If there is a data breach in a peer-to-peer network, however, it’s not immediately clear who is legally responsible. This is already a problem with cryptocurrencies, and as more and more services (not to mention the swaths of personal data that accompany them) increase their reliance on blockchain technology, answers to these and other questions are only going to become more important.

Regulatory Challenges

When you have peer to peer transactions occurring over a long span of time, a regulator is met with the daunting challenge of assigning responsibility for data security on a network rather than an institution – a major headache. Blockchain’s own self-regulating, highly-networked incentive structure has to be better understood by legal authorities if the GDPR is to be properly implemented within the constraints and capabilities of the technology in its current form. Regulate poorly and you’ll stifle growth. Regulate wisely, and the capacity for both higher privacy standards and more dynamic markets are vast. Before that can happen, however, there are more risks to consider.

Since data passes through many nodes on the blockchain, identifying whether or not encrypted information is indeed personal data is easier said than done – requiring a delicate interpretation of when exactly a user is consenting to share their information, and with whom. While encryption algorithms may be safe today, they may be broken into tomorrow, so one should generally not rely on storing personal data in encrypted form on a public blockchain. History has proven that it is only a matter of time before an encryption mechanism is broken, usually through advancements in technology, with only one really old and inefficient exception. And thanks to the advancements in quantum-computing this may now accelerate.

Sweetening the Deal

Though the nature of blockchain technology poses a series of unique challenges in terms of how it can effectively comply with the GDPR’s privacy mandates, it can’t be understated to what degree the technology is also a huge asset in ensuring individual privacy as well. If done effectively, proper oversight of blockchain technology won’t just help us meet our current regulatory requirements for privacy, but surpass it.

Blockchain can also provide a secure proof of historical events, which can be helpful for registers. In the case of the GDPR, this can be a great way to register users who consent to share their data with a third party. A number of providers have implemented this already and provide a highly secure way to prove that consent was collected at a specific point in time.

Self-Sovereign Identity on Blockchain

Another example is the self-sovereign identity. Blockchain can store verifiable proofs of information that eliminate the need for a hefty background check – a miracle for public record keeping. Imagine government authorities and reputable private institutions being able to verify one simple fact, such as your identity, on a blockchain rather than using traditional methods. Through multiple proofs from different instances, you will be able to prove a certain fact, such your age, or even more privacy-friendly: prove that you are over a certain age, without having to reveal much else.

Binding Network Rules?

Blockchain may also come to need its own established rules of engagement if these tools are to be put to full use. With the German Blockchain Association’s privacy working group, we are exploring the possibility of introducing ‘Binding Network Rules’, analog to ‘Binding Corporate Rules’. These are binding and internationally enforceable rules that can govern international data transfers, the internal relationships and the rights and responsibilities of participants. This can help blockchain networks build a stronger legal structure around how they operate and establish conditions for using an entire network. Such a structure would limit the required bureaucracy to enforce such rules and would enable blockchain technology to make a real impact on privacy through decentralization, rather than bending to the often draconian needs of heavy-handed central authority.

There are many obstacles that blockchain networks currently pose to pragmatic enforcement of the GDPR.  But those obstacles can be more than offset by the opportunities that these decentralised peer-to-peer networks create. With the right mix of informed regulatory action and innovative practices, business progress need not come at the cost of supporting individual privacy – or vice versa.

To learn more about data privacy and the GDPR, follow us on Twitter.