Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close.

Tuesday February 5th, 2019 by Silvan Jongerius

Last week, Forbes examined the promise of privacy in P4 protocol in the article (“Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock). Pollock’s article included a link to TechGDPR’s Zcash GDPR assessment. In addition to the article in Forbes, ZCash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.

On Confidentiality

Before getting into the details, I first want to emphasize that TechGDPR works with a wide variety of clients, and we approach our specialized consulting for each client with the utmost confidentiality–unless, that is, a client states otherwise. Zcash is among our clients that have taken steps to publicly discuss this GDPR-compliant assessment. It is with permission of both Zcash and Least Authority that TechGDPR released our report.

Zcash GDPR assessment on the P4 protocol

In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting edge technologies in the context of the GDPR and other privacy-protecting regulations.

Data gathered while utilizing the P4 protocol is mostly anonymous, and only a few types of data could potentially be flagged as personal, and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority’s S4 storage service is significantly mitigated by the use of zero knowledge proofs in Zcash’s shielded transactions. Other regulations, such as financial regulations, anti-money laundering regulations, and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make services providers responsible for their users’ content, Zcash has been favorably received by financial regulators.

TechGDPR’s Findings

The assessment conducted by TechGDPR (PDF available here) asserts that implementation of P4 does not likely raise any major issues regarding GDPR compliance, apart from the consideration whether or not to allow customers to use S4 for data processing under GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters require highlighting as they may become an issue in the future as the usage of the service changes (finding #2: “File deletion, garbage collection”), or the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3:”Consequences of maintaining a full node”). The biggest concerns are related to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.

TechGDPR also concluded that as long as Zcash transactions cannot be linked back to a natural person, because they are private or because no link between the t-address and the user exists, the transaction within Zcash and payment information itself should be considered anonymous and therefore out of scope of the GDPR.

In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realized if the user is extremely cautious with how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (i.e., by requiring Tor), however, it is still possible to gather some information through leaked metadata or trivial mistakes by the user that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier to establish a relationship between specific users and their data or metadata will become increasingly difficult.

Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and requires perfect handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.

Zcash looks forward

A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”

Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.

Tags: , ,

Silvan Jongerius

Managing Partner

Silvan Jongerius is managing partner at TechGDPR, and main author of the Zcash GDPR compliance assessment.

How to use legitimate interest under the GDPR?
January 29th, 2021

The impact of the GDPR on Big Data
December 1st, 2020

International Transfers of Personal Data after the Schrems II ruling
August 6th, 2020

A Comparison of POPIA and GDPR in Key Areas
July 28th, 2020

HIPAA, the GDPR and MedTech
July 23rd, 2020

Small meetings under the COVID-19 ordinance in Berlin
March 18th, 2020

Response to the GDPR-relevant points in the German Blockchain Strategy of September 2019
September 29th, 2019

GDPR compliant products debunked: it’s all about HOW you use it
September 26th, 2019

GDPR’s Right to be Forgotten in Blockchain: it's not black and white.
August 13th, 2019

What is the difference between personally identifiable information (PII) and personal data?
June 27th, 2019

Artificial Intelligence (3)
Berlin (1)
Beyond EU (6)
Big Data (2)
Blockchain (10)
Comparison (1)
Court Cases (1)
Data Subjects (6)
DLT (1)
DPO (2)
European Commission (2)
GDPR Canvas (1)
GDPR Status (2)
Germany (2)
International Transfers (1)
IoT (4)
Privacy by Design (7)
Regulation (3)
Speaking (1)
Startups (1)
Strategy (2)
Terminology (2)
Uncategorized (2)
WiFi (1)
Workshop (2)
Article 17
Artificial Intelligence
Big Data
call center
CJEU ruling
Cold calling
Data transfers
European Commission
GDPR Analysis
GDPR Compliance
GDPR so far
gdpr workshop
gdpr year one
German Blockchain Strategy
International transfers
medical data
one year gdpr
open workshop
personal data
personally identifiable information
Privacy by Design
privacy policy
Retail Analytics
right to be forgotten
right to erasure
Schrems II
south africa
January 2021 (1)
December 2020 (1)
August 2020 (1)
July 2020 (2)
March 2020 (1)
September 2019 (2)
August 2019 (1)
June 2019 (3)
May 2019 (2)
April 2019 (1)
February 2019 (2)
January 2019 (1)
December 2018 (2)
October 2018 (1)
September 2018 (1)
August 2018 (3)
July 2018 (4)
June 2018 (1)
March 2018 (1)

Contact us to find out how we can help you with your GDPR compliance.