GDPR and Blockchain: Is the New EU Data Protection Regulation a Threat or an Incentive?
The General Data Protection Regulation (GDPR), a sweeping and stringent European Union (EU) wide legal framework for personal data privacy, became effective on May 25. Ready or not, this framework is going to drastically transform the business of any digital venture. The International Association of Privacy Professionals (IAPP) forecast that at least 75,000 privacy jobs will be created as a result, and that Fortune's Global 500 companies will spend close to $8 bln in order to ensure they are compliant with the GDPR. But what does this mean for the blockchain?
The GDPR’s goals are: to create a uniform data regulation framework within Europe, and to strengthen individuals’ control over the storage and use of their personal data. It was adopted in 2016, and after a two-year transition period, is now in force.
Obligations and rights
The GDPR introduces new procedural and organizational obligations for "data processors" - including corporate as well as public entities, and gives more rights to “data subjects” - the term it uses for individuals.
Public and private organizations, when left to themselves, tend to accumulate data even before knowing what they will do with it, sort of "gold rush" in personal data acquisition. The GDPR goes against this habit by specifying that data processors should not collect data beyond what is directly useful to their immediate interaction with consumers. In effect, the data harvest should be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed” (Article 39 of the GDPR).
Besides setting out what is or isn’t allowed, the GDPR also specifies organizational guidelines that data processors will need to adopt from now on. For instance, their technological architecture will have, by default, to erase consumer data after using it - "privacy by design".
Secondly, any entity considered to be a “data nexus” will be required to have a Data Protection Officer (DPO) responsible for managing compliance with the GDPR. This DPO will be under the legal obligation to alert the supervisory authority whenever a risk to data subject's privacy arises (Article 33).
Data subjects, on the other hand, will be better informed on how their private data is stored and processed (Article 15). They will, for instance, have the right to ask for a copy of the information companies held about them. Furthermore, data processors have to inform the data subjects in details about the processing of the data, and how it is shared or acquired.
Besides transparency, the GDPR provides citizens more control on how their data is used. Article 17 lists conditions under which they will be able to request the deletion of their data from business databases, or the so called "right of erasure".
As Sarah Gordon and Aliya Ram remarked in the Financial Times however, "ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them". When is the last time you refused your consent to Facebook’s privacy policy?
A loaded gun with global reach
The GDPR imposes extremely hefty fees for companies not abiding by it. Furthermore, its reach goes far beyond the EU.
For companies, a visit from the data protection auditor might become even more scary than a visit from the tax inspector. An intentional, or repeated, non-compliance with the principles laid out by the GDPR will lead to a fine up to €20 mln or up to 4 percent of the annual worldwide turnover of the offender - whichever is greater. Rather than just relying on companies' DPOs to ring the alarm bell, regular data protection audits are also going to be carried out.
Even though, strictly speaking, it only protects data subject within the EU, the GDPR's reach is, in practice, global. For a start, data processors located outside the EU that handle the personal information of EU residents will have to abide by it.
Also, the EU innovates in that it now ties data flows to trade flows: any country wanting to sign a trade deal with the EU will have to sign up to respecting GDPR. In the past decade, the USA has become the world economic police, fining banks huge amounts for not complying with its anti money laundering regulations. With the GDPR, will the EU become the world's data protection champion?
Is blockchain escaping the GDPR?
The GDPR was first proposed by the European Commission in 2012, with an initial focus on cloud services and social networks, at a time when blockchain was not a known word. Cloud services and social networks, at least in the pre-blockchain world, are organized mostly centrally: many data subjects interact with a unique server entity - the data processor/controller. Central management creates an easy single attack point for regulators. But how will the GDPR affect decentralized protocols such as public blockchains?
It is clear that, given the thin line between pseudonymity and identification, the blockchain stores some potentially personal data – starting with one’s transaction history. It could as such fall into the scope of the GDPR.
At first glance, one might think there is a direct contradiction between GDPR and public blockchains. For instance, among the many principles set out in the GDPR, the "right to erasure" appears to be particularly at odds with the immutable nature that, in common parlance, is at the core of the blockchain technology. Assuming for a moment this contradiction holds, this begs the question: who are the accountable data processors in a purely decentralized blockchain system?
All in all, articulating the logic of the GDPR and the blockchain, using the “data processor”/ “data subject” divide, seems difficult. No doubt a strenuous legal debate lies ahead.
Blockchain with GDPR?
Nevertheless, the blockchain shares many goals with the GDPR. Both aim at decentralizing data control, and tempering the power inequality between centralized service providers - in part by suppressing these, in the blockchain mythos - and end users. While the original Bitcoin specification didn’t guarantee anonymity, many technological innovations, ranging from elementary tumblers to zk-SNARK applications, brought us closer to this ideal. This type of anonymity is probably not what the regulator is after however - are there solutions suggested by the blockchain which would be more easily accepted by the regulator?
One particularly promising research avenue is the combination of trusted hardware and blockchains. On public blockchains, all data is replicated and shared across all machines in the network. This makes transaction data deletion, and privacy, a nightmare for users. Recent research has begun looking into how “trusted computing enclaves", such as Intel SGX, could provide secure and confidential data storage and privacy.
Combining trusted computing with public blockchains means that the privacy of data can be protected from outside threats, and stored off-chain, with the blockchain acting as the final judge for who can access that data or not. Because smart contracts mean no longer having to trust centralized service providers, data rights can be managed exclusively via the blockchain and trusted hardware, by users; returning control and privacy of their data back to them. Several projects currently pursue this idea, in the hope it could transform the blockchain from a GDPR nightmare to a fairytale.
One such attempt is a joint effort of Imperial College London and Cornell University. Teechain, is a project which uses trusted hardware to enable secure and efficient off-chain transactions for a public blockchain. It takes an interesting step towards asking whether or not transaction privacy can be found on all public blockchains, not just those that provide anonymity by default. An alternative project, which also led to live demonstrations, is the collaboration between iExec and Intel initiated within the Enterprise Ethereum Alliance (EEA).
Are your favorite blockchain projects taking the necessary steps to adapt to this privacy law earthquake? If not, maybe it is time to implement products with “privacy by design” at their core. As always, constraints will breed creativity.
The article was co-written with Joshua Lind, a Ph.D. Candidate in Computing Science