Research Summary: Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies

TL;DR

  • The authors consider how blockchain technology conflicts with some of the provisions of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
  • To mitigate compliance risks, enthusiasts should consider using private or consortium blockchains.
  • Users should avoid or limit personal data stored in blockchain.

Core Research Question

What challenges for blockchain technology users are posed by complying with the GDPR and CCPA?

Citation

P. Shah, D. Forester, C. Raspe, and H. Mueller, “Blockchain technology: Data Privacy issues and potential …,” Practical Law. [Online]. Available: https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf

Background

  • The GDPR and CCPA govern the processing of personal data in the EU and the state of California, United States respectively. These regulations set out certain principles guiding the processing of personal data. Particularly important is the penalty and reputational damage that comes with the breach of the regulations.
  • The nature of blockchain technology makes it difficult for users to comply with GDPR in terms of material and territorial scope, meeting requirements of legal bases such as the fulfillment of the contract in Article 6(1)(b) or balancing the legitimate interest in Article 6(1)(f), complying with rights of data subjects such as the right to rectification, erasure, access, portability, object to processing, including automated decision making.
  • This notion of centralized entities that control both the data they collect, and their service provider relationships contrasts with blockchain technology’s distributed peer-to-peer network architecture.

Summary

  • Blockchains “see” the information they process as anonymous because they use public-private key encryption that does not typically tie owner data or other personal information to an on-chain address.
  • However, this is regarded as pseudonymization under article 4(5) GDPR because a blockchain method exists for linking individuals back to public keys by analyzing blockchain transactions and other publicly available data. Thus, pseudonymized data is still regarded as personal data that falls within the scope of the regulations.
  • GDPR and CCPA foresee a centralized system that entrusts data controllers and processors with obligations and responsibilities with regard to personal data. However, the distributed nature of blockchain makes it difficult to determine who a controller or processor is.
  • The territorial application of data is important for determining jurisdiction. However, a blockchain is decentralized and distributed, making it difficult to determine jurisdiction for the application of regulations.
  • It is the position of GDPR that where personal data is to be transferred to another country, adequate protection must be ensured or the controller must implement additional safeguards. However, this safeguard will be difficult to implement in a public blockchain.
  • Blockchain technology does not support consent as a legal basis for processing personal data since the withdrawal of consent will make later processing unlawful.
  • The immutable nature of blockchain does not support the right to deletion and achieving strict technical deletion in blockchain will amount to a hard fork.
  • The potential mitigation is to evaluate whether blockchain technology is a good fit for current business and processing objectives, prefer private or permissioned blockchains to enforce stricter usage rules, and to adopt alternative data encryption and destruction approaches.

Method

Qualitative research methods were used, drawing sources from regulations, guidelines, and other researched works to arrive at the conclusion.

Results

The research found that blockchain technology, especially public blockchains, does not comply with data protection regulations. However, as an alternative the research recommended that users should:

  • evaluate whether blockchain technology is a good fit for current business and processing objectives,
  • evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules,
  • adopt alternative data encryption and destruction approaches.

Discussion and Key Takeaways

Characteristics of Blockchain

  • Blockchain technology gained prominence during 2017’s cryptocurrency boom, and has been used in many sectors such as smart contract development, supply chains, supply chain management, asset registers, fintech, real estate, health care and retail. The elements that distinguish it from other technology are:
    • distributed ledger technology
    • consensus mechanisms
    • selection of public versus private participation
    • transaction immutability.

Trends in Data Privacy Law

  • GDPR and the CCPA pose a challenge to decentralized technologies like blockchain because they envision a data controller (an entity that determines the means and purpose of processing personal data) and a data processor (an entity that processes data on behalf of data controllers).
    • The nature of blockchain technology makes it difficult for users to comply with GDPR in terms of material and territorial scope, meeting requirements of legal bases such as the fulfillment of a contract or balancing legitimate interest, complying with rights of data subjects such as the right to rectification, access, portability, object to processing, including automated decision making.
    • This notion of centralized entities that control both the data they collect, and their service provider relationships contrasts with blockchain technology’s distributed peer-to-peer network architecture.

Tension Between Blockchain Technology and Common Data Privacy Requirements

  • Anonymity, Pseudonymity and Privacy Law Applicability

    • There is a sort of tension between blockchains and data protection on what amounts to personal data. GDPR and CCPA define personal data widely to include any information that directly or indirectly identifies a natural person.
    • Blockchains see information they process as anonymous because they use public-private key encryption that does not typically record public key owner data or other personal information. This contrasts with the definition of personal data, which includes pseudonymised information insofar as a method or link exists for re-identification. In blockchain technology, a method exists for linking individuals to public keys by analyzing blockchain transactions and other publicly available data.
      1. Some businesses offer services to identify individuals using their public keys, blockchain transactions and other available data. The public-private key encryption in the blockchain is a pseudonymization technique that lowers risk but does not remove regulatory obligations.
  • Data Controller and Data Processor Identification

    • The concepts of data controller and processor are key to GDPR and CCPA. However, the distributed nature of blockchain technology makes it hard to determine who the data controller or processor is.
    • In a private or consortium blockchain, it may be easier to determine who they are because of their seeming centralized nature. The central operator or consortium may likely qualify as a controller or joint controller if they have control over the blockchain system and determine the purpose and means for any personal data processing. Other actors like nodes or miners can take the processor role.
    • This may be difficult in a public blockchain because they lack a central operator, each node operates independently at least during the block verification process, which might prompt a conclusion that each node is a joint controller, although authorities and commentators are reluctant to support this conclusion for all nodes.
    • Commission Nationale de l’informatique et des libertés (CNIL), a French data protection authority, attempted to provide guidelines for determining these concepts. The guidelines classified participants as controllers while accessors and miners are not because they do not determine transactions. The guidelines also noted that participants entering personal data on a blockchain for strictly personal purposes are not controllers under the GDPR household exception.
      1. Third parties who act on behalf of participants may become processors and should enter into data processing agreements with the participants.
      2. Miners who are not involved in the object of transactions are not controllers in CNIL’s view but may be processors if they follow the controller’s instructions. This tends to suggest that in certain circumstances miners may not be a data controller or a data processor. The guidance is not clear enough.
  • Territorial Considerations

    • An individual’s location and their personal data processing location are important for GDPR and CCPA compliance and enforcement. However, it is difficult to ascertain the jurisdiction of decentralized technology like blockchain and the applicability of a jurisdiction’s laws.
    • Private blockchains more often set restrictions in their governance models and agreements to limit the regulatory scope.
  • Cross-border data Transfer

    • The nature of blockchain poses a challenge to transborder data flows. GDPR and currently many data protection laws require that where data is to be transferred outside jurisdiction, the recipient country must ensure an adequate level of protection or the controller must implement additional safeguards such as standard contractual clauses, binding corporate rules, codes of conduct or certification mechanisms.
    • However, these safeguards will be difficult to implement in a public blockchain with an undefined participant group.
  • Legitimate reasons for processing personal data

    • Personal data can only be processed on a specific legal basis. Federal sector-specific laws in the US like the GLBA and HIPAA limit the use of certain personal data without an individual’s consent with few exceptions such as uses for treatment, payment, and health care operations.
    • For GDPR the lawful bases for processing must be one or more of these: consent, the performance of a contract, legal obligations, vital interests, public interest or official tasks and legitimate interests.
    • While a blockchain may request consent from their users, compliance with requirements of consent may be difficult. This is because a given consent, among others, should be able to be withdrawn at any time but a blockchain ledger records data in such a way that it is hard to remove, thereby making later processing unlawful. Thus, organizations must carefully consider scenarios like consent withdrawal when determining what data they store in blockchain applications and how they record it.
  • Immutability and individuals’ rights

    • Data protection endows individuals with many rights, one of which is the right to delete data and effectively be forgotten. These rights conflict with blockchain technology’s transaction immutability.
    • Blockchains can address data updates by recording additional transactions. However, later transactions do not technically delete data previously stored on the blockchain.
    • Strict technical erasure of blockchain data may be achieved albeit in an effort comparable to a hard fork. This will be very difficult to implement every time an individual seeks to exercise their rights.
    • Erasure may be more feasible in private blockchain governance models with a central operator. But this will greatly impact the celebrated distributed nature of Blockchain.
  • Potential mitigation steps

    • Organizations should follow several risk management strategies when considering whether to use blockchain technologies. They should:
      1. Evaluate whether blockchain technology is a good fit for current business and processing objectives.
      2. Evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules.
      3. Avoid and limit personal data stored on blockchain.
      4. Adopt alternative data encryption and destruction approaches.
      5. Blockchain companies may adopt certificate mechanisms and code of conduct.

Implications and Follow-ups

  • The attendant consequence of GDPR is that every person adopting blockchain technologies must comply with its provision to avoid being penalized for a breach of data protection and the reputational damage that may come with it. Therefore, every organization deploying blockchain technology should consider data protection impact assessment to determine the risk of the technology to data subjects, and consider privacy by design as a default if necessary.

Applicability

  • Based on the research, blockchain users should consider carrying out a data protection impact assessment (DPIA) and applying privacy by design and privacy by default during the initial period of developing blockchain applications to ensure that the principles of GDPR and CCPA are complied with.

10 Likes

Learnt a whole lot from this summary. Thank you

4 Likes

Thank you for this wonderful summary! Have you seen any sets of practices or protocols that would make it possible to comply with the aforementioned laws without compromising the privacy of the user?

2 Likes

I have not seen any myself; however, experts in the privacy space suggest that a private permissioned blockchain is most likely to comply with GDPR and CCPA. It will all depend on a case-by-case analysis of the facts.

3 Likes

Nice summary of the tensions between blockchain and GDPR & CCPA. I actually only knew GDPR and never heard of CCPA.
I have always wondered if introducing encryption of users’ information makes the blockchain compliant. For example, I remember proposals like Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts.

Say there is a service provider (a DeFi app or something) that encrypts users’ data. Since they cannot remove the data that is on the blockchain, are they compliant if they propose that users just delete the corresponding private key?

3 Likes

They won’t be compliant because the encrypted personal data in the blockchain is still being processed. Encryption reduces security risk but doesn’t take away information from being personal data since it can be decrypted.

I will recommend pseudonymisation techniques against encryption.

3 Likes

I realize this will seem naive of me, but we are all now routinely obliged to click buttons accepting or rejecting cookie-collection on web sites. Public blockchain technology surely has as much right to exist as cookies do, as long as it informs users of the consequences.

Many people want to participate in decentralized, peer-to-peer communities. So why can’t public blockchains simply require a “checkbox agreement” during signup that says:

“This community is managed by a public, peer-to-peer blockchain. By joining it you give up certain rights covered by the GDPR and other agreements. These include the right to delete data and the right to be forgotten. If you don’t agree with this stipulation, please join a private or permissioned blockchain more capable of protecting your privacy.”

2 Likes

Data Protection rights as contained in the GDPR are fundamental human rights. See Articles 7 and 8 of Charter of Fundamental Human Rights which further provides under Article 52 that the rights shall not be limited except as outlined by the Charter. Specifically, your excerpt suggests or tends to rely on consent as a legal basis. However, for consent to be valid, it must be freely given, informed, specific, unambiguous and easy to be withdrawn at all time. You can see from the excerpt that consent cannot be said to be freely given. You can check Article 6(1)(a) of GDPR.

2 Likes

I also want to add that blockchain technology has presented a difficult situation to regulators. Presently, there is no guidance from the European Data Protection Board (EDPB) on the best way to achieve compliance but there is serious optimism that it will materialise this year.

1 Like

Can you expand on what the authors mean by encryption?
Most blockchains usually only use digital signatures and hashing.

1 Like

I believe the authors were referring to hashing. It is possible they did not bother much about the technical difference between the two.

1 Like

Thank you for this summary detailing how concepts in blockchain and data privacy converge and diverge. It appears to me that the general intent of privacy laws, including the GDPR, CCPA, NDPR, etc, is to protect personally identifiable information from unauthorized access and use. The paper mentioned pseudonymization as a possible solution, although not sufficient for full compliance.

My question is, would privacy/pseudonymization technologies like ZK-SNARK (Zero-Knowledge, Succinct, Non-Interactive Argument of Knowledge) help in this instance? (Ignore the almost tongue twister). Here’s a simplified non-technical explanation for ZK-SNARK, and here is a technical/mathematical version. Essentially, ZK-SNARK allows a data owner to confirm the existence, accuracy and validity of data without disclosing the data. Would this remove the need for meeting the requirement for deletion since there is ‘nothing’ (personally identifiable information) to delete?

Considering that zero-knowledge proofs (ZKPs) have been in existence since the 1990s, is there a reason the authors did not mention it in their paper as a possible pseudonymization solution?

2 Likes

ZKPs, based on the explanation, are a tool for pseudonymisation. Pseudonymisation has been acknowledged as one of the best tools for reducing security risk in data protection. However, it is still personal data and must comply with GDPR because there is a possibility of reidentifying the information. So it can mitigate risk but doesn’t take it away from being personal data.

2 Likes

@Samuel94 I must mention that your topic is interesting.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) safeguard European and American people’s personal data, respectively. Both pieces of legislation require organizations to process data only if they have a legal basis to do so. In the context of GDPR, this implies that data controllers must get express consent from data subjects before processing their data, among other things.

Users of blockchain technology can take several steps to address this issue:

  1. Because both regulations grant individuals the right to access their data, any information stored on a blockchain can be accessed by users.

  2. Because both laws require businesses to obtain permission before using or processing personal information, businesses must obtain permission from users before using their data on a blockchain.

  3. Individuals can opt out of sharing their data with companies using blockchain technology by keeping their information private using encryption methods or ‘self-sovereign’ technology that allows them to control their own digital identity data.

  4. Companies can use individual’s data without storing it on a public blockchain by storing it on a permissioned blockchain, which restricts access to only those who have been granted access to the ledger. I hope this finds you well

2 Likes

Thank you @Humphery for your response. First, consent is not the only legal basis for processing personal data under GDPR. There are other bases such as contract, legal obligations, legitimate interest, vital interest and public interest or authority.

Any of these will suffice depending on the circumstances and processing activities.

Now the basic problem blockchain has with GDPR is that its immutable nature doesn’t allow data subjects to exercise their right to deletion or withdraw consent.

Thus, it is usually advised that stakeholders should consider storing personal data off chain or building a private blockchain that may enable the exercise of these rights.

3 Likes

Nice work @Samuel94
Because of the fact that the participants in private blockchain are limited and there is a central authority that can provide and govern protocol itself, applying regulation in a private blockchain is less complicated. However, because there is no centralized authority with the public blockchain, it is quite challenging for the participants in public blockchain.
Members of the laws don’t seem to have given blockchain technology and its distinctive features much thought while creating current data privacy laws and regulations. Blockchain technology uses a peer-to-peer network design to handle data under centralized management.
Data privacy concerns and correctly enforcing regulations have become increasingly important to the success of the business.
Companies sought to establish several contracts linked to the usage of blockchain when they started using this technology. The governance parties will determine whether or not a certain transaction should take place in a blockchain when a set of requirements are met.
As blockchain technology develops, using transactions on the blockchain will become a more powerful strategy for the company. If the suppliers also agree to handle the blockchain transaction, it is advantageous for the customer.
Because the data is dispersed globally, it is challenging to apply blockchain rules to a decentralized platform. Although the General Data Protection Regulation (GDPR) of the EU and the California Consumer Privacy Act of 2018 (the “CCPA”) pose certain regulatory impediments to data privacy, blockchain is still regarded as being very secure. Both the GDPR and the CCPA provide that personal data must always be deleted.

2 Likes

@Cashkid18 Thank you for your response to this post. Data protection and privacy are fundamental human rights issues that must always trump economic interests. The basic principles of data protection are in friction with the blockchain. It is not for the law to adapt to economic interests but for the economic interests to adapt to law.

It does not matter whether or not it is private or public blockchain. The best bet is for stakeholders to keep personal data off chain at least for now until a common ground is found.

3 Likes

@Samuel94 This is my response to this interesting research question.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two important data protection laws that can pose challenges for blockchain technology users. Some of the challenges that these laws present for blockchain technology users include:

  1. Ensuring compliance with data protection requirements: Both the GDPR and the CCPA have specific requirements for the protection of personal data, including requirements for obtaining consent from individuals before collecting and processing their personal data. This can be particularly challenging for blockchain technology users, as the decentralized and transparent nature of the blockchain can make it difficult to ensure compliance with these requirements.
  2. Managing access to personal data: Both the GDPR and the CCPA give individuals the right to access and control their personal data. This can be challenging for blockchain technology users, as the decentralized nature of the blockchain means that data is stored and processed across a network of computers, making it difficult to manage access to personal data in a centralized way.
  3. Dealing with data breaches: Both the GDPR and the CCPA have specific requirements for the reporting and notification of data breaches. This can be challenging for blockchain technology users, as the decentralized nature of the blockchain means that it can be difficult to identify the source of a data breach and to determine the extent of the breach.

Overall, compliance with the GDPR and the CCPA can present significant challenges for blockchain technology users. It is important for organizations using blockchain technology to carefully consider these laws and take steps to ensure compliance with their requirements.

I hope this suffices.