TechGDPR

Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close.

Tuesday February 5th, 2019 by Silvan Jongerius

Last week, Forbes examined the promise of privacy in the P4 protocol in the article “Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock. Pollock’s article included a link to TechGDPR’s Zcash GDPR assessment. In addition to the article in Forbes, Zcash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.

On Confidentiality

Before getting into the details, I first want to emphasize that TechGDPR works with a wide variety of clients, and we approach our specialized consulting for each client with the utmost confidentiality, unless a client states otherwise. Zcash is among the clients that have taken steps to publicly discuss this GDPR compliance assessment. It is with the permission of both Zcash and Least Authority that TechGDPR released our report.

Zcash GDPR assessment on the P4 protocol

In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting edge technologies in the context of the GDPR and other privacy-protecting regulations.

Data gathered while utilizing the P4 protocol is mostly anonymous, and only a few types of data could potentially be flagged as personal, and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority’s S4 storage service is significantly mitigated by the use of zero-knowledge proofs in Zcash’s shielded transactions. Other regulations, such as financial regulations, anti-money laundering regulations, and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make service providers responsible for their users’ content, Zcash has been favorably received by financial regulators.

TechGDPR’s Findings

The assessment conducted by TechGDPR (PDF available here) asserts that implementation of P4 is not likely to raise any major issues regarding GDPR compliance, apart from the consideration of whether or not to allow customers to use S4 for data processing under the GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters require highlighting as they may become an issue in the future as the usage of the service changes (finding #2: “File deletion, garbage collection”), or as the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3: “Consequences of maintaining a full node”). The biggest concerns are related to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.

TechGDPR also concluded that as long as Zcash transactions cannot be linked back to a natural person, either because they are shielded or because no link between the t-address and the user exists, the transaction within Zcash and the payment information itself should be considered anonymous and therefore out of scope of the GDPR.

In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realized if the user is extremely cautious with how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (e.g., by requiring Tor); however, it is still possible to gather some information through leaked metadata or trivial mistakes by the user that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier, because establishing a relationship between specific users and their data or metadata will become increasingly difficult.

Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and it requires correct handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.

Zcash looks forward

A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”

Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.

Silvan Jongerius

Managing Partner

Silvan Jongerius is managing partner at TechGDPR, and main author of the Zcash GDPR compliance assessment.
