GDPR – one year on: data protection and blockchain

22 JULY 2019

| 3 min read

It is more than a year now since the introduction of Europe’s new data privacy regime, the GDPR. After a flurry of activity leading up to and following the launch date in May 2018, GDPR fell out of the headlines. Recent high profile penalty announcements running into the hundreds of millions have again highlighted the dangers of failure to comply. We consider some of the issues that are keeping business leaders and privacy regulators awake at night.

In this article we consider GDPR and blockchain.

We increasingly see blockchain technology in use across diverse areas of business activity, from health records to supply chain management. There is a lot of hype around the technology, which tends to rise and fall with the fortunes of cryptocurrencies like Bitcoin. But it does offer real advantages in non-currency contexts that many businesses would like to exploit. The immutable record of transactions, and the absence in many cases of a central record keeper open up opportunities for disruption across many data-rich activities.

Blockchain, though, faces its own set of problems in terms of data protection. Where personal information of any kind is recorded, that information should be treated as subject to privacy law in the same way as in any other data processing context. The identity of individual participants, and information about them, needs to be appropriately protected. Nigel Houlden, head of technology policy at the UK’s data privacy watchdog, the Information Commissioner’s Office has discussed “nightmares” about the future relationship between blockchain and some of GDPR’s core principles.

Becoming anonymous

You might wonder why data privacy is even an issue if, as with many types of blockchain, information disclosing the “real world” identity of an individual is not recorded, or identifying information about individuals is encrypted or hashed. But privacy law requires a greater degree of anonymisation than simply replacing a name with an identifier. For example, where a public key is associated with a series of transactions, and could be connected with an individual using other information, the public key will be regarded as identifying an individual. Pseudonymisation, involving replacing a direct identifier with another identifier, is seen as a useful security measure, but not full anonymisation.

Hash functions, that turn a piece of information into a fixed length code, are irreversible. However, it may be possible to effectively reverse them using bulk throughput of all possible input values, or pre-computed tables.

Detailed advice from European regulators on anonymisation techniques explores various methods used to protect privacy and highlights their weaknesses. Developers should be aware of three important data privacy concepts:

Singling out – where individuals can be reidentified from an unique attribute
Linkability – using cross-references between datasets to identify an individual
Inference - deriving information about an individual through inference

Of course, while blockchain is often discussed as a single technology, it is used in a variety of different forms. The data protection analysis will vary depending on the features of the technology you are looking at. Blockchain structures like that supporting Bitcoin, for example, with its open, permission-less format may be corrosive to data privacy rights in a way that later generations of blockchain are not. We will focus on two widespread features of blockchain technology that may clash with privacy law. These are the unchangeable nature of the record and the distribution of the ledger across many different participants.

Immutable record

Blockchains are, by design, resistant to modification of the data recorded. In fact, this is one of the technology’s core advantages because it gives participants confidence in the truth of the record. However, this can conflict with privacy law. The GDPR includes a number of obligations requiring data to be altered or deleted. For example:

Data minimisation – under GDPR only data that is relevant and necessary for the defined purpose should be collected and processed.

Storage limitation – data should only be kept for as long as is necessary for the purposes for which it was collected.

Right to rectification - individuals can require incorrect data about them to be rectified.

Right to be forgotten – individuals have the right to ask for erasure of data about them.

The immutable record offered by a blockchain apparently makes fulfilment of these obligations impossible. However, it may be possible to adopt technical solutions to address these problems. For example, methods that erase elements enabling verification, or that delete a keyed hash function’s secret key could be used to make a particular section of the stored data inaccessible. While techniques like these do not delete information from the blockchain, they may be enough to satisfy regulators that it is effectively removed. Where information needs to be rectified, the correct information would have to be introduced to replace incorrect information that has been made inaccessible.

The distributed nature of the ledger

A common feature across blockchain technologies is distribution of the transaction record so that it is stored among many participants. Often a copy of the ledger is held by every participant. This builds user trust but it also leads to privacy law issues.

Controllers and processors

The GDPR requires individuals or organisations that are dealing with personal data to be classed as controllers (those deciding what data is collected and what is done with it) and processors (those carrying out processing activity on behalf of a controller). Although controllers carry the main compliance burden, both groups have to comply with their own set of obligations. Processors, for example, must not deal with personal data they hold except as instructed by the controller. And contracts between controllers and processors must be under a contract with specified safeguards as to cyber security etc.

Where two separate organisations each have a role in how data is collected and processed, they will be treated as joint controllers and will have to decide how the roles and responsibilities are to be allocated between them.

Applying the controller/processor analysis to a blockchain can be very difficult. French data protection regulator, the CNIL, has expressed its view that blockchain participants, unless they are individuals acting in a personal capacity, will normally be regarded as data controllers. Establishing GDPR-ready contracts between all of the participants in a public blockchain may not be possible. So methods that minimise the amount of personal data that is included, and use encryption methods to make it difficult to identify individuals from their public keys should be adopted.

Participants in a new technology should be aware that they may incur data privacy obligations even when they are at one remove from the individuals whose data are involved. The CNIL gives the example of smart contract developers providing a solution to an insurer that covers passengers for flight delay. The developer providing automatic reimbursement following a delayed trip could be regarded as processors, and so fall under the requirements of the GDPR in the way they provide their services.

Where a new project involves a number of participants, it will normally make sense to determine at the outset which of them is to take on the roles and responsibilities of the data controller. This will include providing a point of contact for the public, for example.
International transfer

Transfers of personal data outside of the European Economic Area are not allowed unless GDPR rules are followed. Transfers may be made to countries benefiting from an adequacy decision, meaning that their domestic privacy law has been assessed and found to offer sufficient protection, or to other countries where specific arrangements are followed. These include model contractual clauses between the sender and recipient of the information, and binding corporate rules for transfers intra-group.

The use of a public blockchain will make it very difficult to comply with these requirements, and so approaches that keep personal data separate should be considered. Permissioned blockchains are likely to be a better option in order to implement data privacy safeguards on cross-border transfer.

How can the conflicts between blockchain and privacy law be resolved?

Given the privacy issues that can arise through use of blockchain technology, the CNIL asks organisations to consider whether it is really necessary for the application they have in mind.

Privacy regulators are understandably wary about the use of blockchain to store personal information. But stifling the technology as a whole is certainly not their objective. Creative and well-designed approaches to privacy are likely to be welcomed. UK regulator the ICO has a programme to promote privacy in new technologies. The ICO’s Sandbox programme supports innovation through engagement and a safe harbour. It offers:

“the opportunity to engage with us; draw upon our expertise and advice on mitigating risks and ‘data protection by design’, whilst ensuring that appropriate protections and safeguards are in place.”

The Sandbox programme is currently in a beta testing phase.

The main take away point is preparation. Building in pro-privacy structures from the outset will be easier than trying to correct problems later on.

Finally, it is worth noting that blockchain technology may itself be able to enable privacy in new ways. Applications of blockchain that may permit greater control of an individual’s personal data might include a method for encoding the person’s data permissions into a blockchain-protected record. This could enable the person’s consent to different categories of use are readily applied across different platforms.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Contact

Paul Knight

Partner
Paul Knight

Partner
- +(44)(0)161 234 8702
- +(44)(0)7552 165880
- Contact Paul
  
  Contact Paul Knight
  
  * = required
  
  First name *
  
  Please enter your first name
  
  Last name *
  
  Please enter your last name
  
  Organisation
  
  Email address *
  
  Please enter your email address Please enter a valid email address
  
  Phone number
  
  Your message *
  
  Please add your message
  
  Send enquiry
  
  Mills & Reeve will use the information you provide in this form in accordance with our privacy policy. We may from time to time send you general updates by email or post that we think you will find of interest. This includes notification of upcoming event and updates or alerts containing relevant legal news. You can update your preferences at any time and will be able to easily unsubscribe from anything that you do not wish to receive.
  
  check
  
  Thank you
  
  Thank you for your enquiry. We will be in touch shortly.
  
  Close
  
  Reset form
  
  Close overlay
- Manchester

GDPR – one year on: data protection and blockchain

Becoming anonymous

Immutable record

The distributed nature of the ledger

How can the conflicts between blockchain and privacy law be resolved?

Our content explained

Further reading

Paul Knight

Contact Paul Knight

Visitors

Existing clients

Staff