Research Summary: Blockchain Technology: Data Privacy Issues and Potential Mitigation Strategies

TL;DR

  • The authors consider how blockchain technology conflicts with some of the provisions of the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
  • To mitigate compliance risks, adopters should consider using private or consortium blockchains.
  • Users should avoid or limit the personal data stored on a blockchain.

Core Research Question

What challenges for blockchain technology users are posed by complying with the GDPR and CCPA?

Citation

P. Shah, D. Forester, C. Raspe, and H. Mueller, “Blockchain technology: Data Privacy issues and potential …,” Practical Law. [Online]. Available: https://www.davispolk.com/sites/default/files/blockchain_technology_data_privacy_issues_and_potential_mitigation_strategies_w-021-8235.pdf

Background

  • The GDPR and CCPA govern the processing of personal data in the EU and in the state of California, United States, respectively. These regulations set out principles guiding the processing of personal data. Particularly important are the penalties and reputational damage that come with breaching them.
  • The nature of blockchain technology makes it difficult for users to comply with the GDPR in terms of material and territorial scope; in meeting the requirements of legal bases such as performance of a contract (Article 6(1)(b)) or the balancing of legitimate interests (Article 6(1)(f)); and in complying with data subject rights such as the rights to rectification, erasure, access, portability, and objection to processing, including automated decision-making.
  • The regulations’ notion of centralized entities that control both the data they collect and their service-provider relationships contrasts with blockchain technology’s distributed peer-to-peer network architecture.

Summary

  • Blockchains “see” the information they process as anonymous because they use public-private key encryption that does not typically tie owner data or other personal information to an on-chain address.
  • However, this is regarded as pseudonymization under Article 4(5) GDPR, because a method exists for linking individuals back to public keys by analyzing blockchain transactions and other publicly available data. Pseudonymized data is still personal data and falls within the scope of the regulations.
  • The GDPR and CCPA foresee a centralized system that entrusts data controllers and processors with obligations and responsibilities with regard to personal data. However, the distributed nature of blockchain makes it difficult to determine who the controller or processor is.
  • The location where personal data is processed is important for determining jurisdiction. However, a blockchain is decentralized and distributed, making it difficult to determine which jurisdiction’s regulations apply.
  • The GDPR’s position is that where personal data is transferred to another country, adequate protection must be ensured or the controller must implement additional safeguards. Such safeguards are difficult to implement in a public blockchain.
  • Blockchain technology does not support consent as a legal basis for processing personal data, since consent can be withdrawn at any time and withdrawal makes later processing of data that cannot be removed from the ledger unlawful.
  • The immutable nature of blockchain does not support the right to deletion; strict technical deletion on a blockchain requires an effort comparable to a hard fork.
  • The potential mitigation is to evaluate whether blockchain technology is a good fit for current business and processing objectives, prefer private or permissioned blockchains to enforce stricter usage rules, and to adopt alternative data encryption and destruction approaches.

Method

Qualitative research methods were used, drawing sources from regulations, guidelines, and other researched works to arrive at the conclusion.

Results

The research found that blockchain technology, especially public blockchains, does not comply with data protection regulations. The research therefore recommended that users:

  • evaluate whether blockchain technology is a good fit for current business and processing objectives,
  • evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules,
  • adopt alternative data encryption and destruction approaches.

Discussion and Key Takeaways

Characteristics of Blockchain

  • Blockchain technology gained prominence during 2017’s cryptocurrency boom and has been used in many sectors, such as smart contract development, supply chain management, asset registers, fintech, real estate, health care and retail. The elements that distinguish it from other technology are:
    • distributed ledger technology
    • consensus mechanisms
    • selection of public versus private participation
    • transaction immutability.

Trends in Data Privacy Law

  • GDPR and the CCPA pose a challenge to decentralized technologies like blockchain because they envision a data controller (an entity that determines the means and purpose of processing personal data) and a data processor (an entity that processes data on behalf of data controllers).
    • The nature of blockchain technology makes it difficult for users to comply with the GDPR in terms of material and territorial scope; in meeting the requirements of legal bases such as performance of a contract or the balancing of legitimate interests; and in complying with data subject rights such as the rights to rectification, access, portability, and objection to processing, including automated decision-making.
    • The regulations’ notion of centralized entities that control both the data they collect and their service-provider relationships contrasts with blockchain technology’s distributed peer-to-peer network architecture.

Tension Between Blockchain Technology and Common Data Privacy Requirements

  • Anonymity, Pseudonymity and Privacy Law Applicability

    • There is tension between blockchains and data protection law over what amounts to personal data. The GDPR and CCPA define personal data widely to include any information that directly or indirectly identifies a natural person.
    • Blockchains see the information they process as anonymous because they use public-private key encryption that does not typically record public key owner data or other personal information. This contrasts with the definition of personal data, which includes pseudonymised information insofar as a method or link exists for re-identification. In blockchain technology, such a method exists: individuals can be linked to public keys by analyzing blockchain transactions and other publicly available data.
      1. Some businesses offer services to identify individuals using their public keys, blockchain transactions and other available data. The public-private key encryption in the blockchain is a pseudonymization technique that lowers risk but does not remove regulatory obligations.
  • Data Controller and Data Processor Identification

    • The concepts of data controller and data processor are key to the GDPR and CCPA. However, the distributed nature of blockchain technology makes it hard to determine who the data controller or processor is.
    • In a private or consortium blockchain it may be easier to identify them because of their seemingly centralized nature. The central operator or consortium will likely qualify as a controller or joint controller if it controls the blockchain system and determines the purpose and means of any personal data processing. Other actors such as nodes or miners can take the processor role.
    • This is harder in a public blockchain, which lacks a central operator: each node operates independently, at least during block verification, which might prompt the conclusion that every node is a joint controller, although authorities and commentators are reluctant to apply that conclusion to all nodes.
    • The Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, has attempted to provide guidelines for applying these concepts. The guidelines classify participants as controllers, while accessors and miners are not, because they do not determine the transactions. The guidelines also note that participants entering personal data on a blockchain for strictly personal purposes are not controllers under the GDPR household exception.
      1. Third parties who act on behalf of participants may become processors and should enter into data processing agreements with the participants.
      2. Miners who are not involved in the object of transactions are not controllers in CNIL’s view but may be processors if they follow the controller’s instructions. This tends to suggest that in certain circumstances miners may not be a data controller or a data processor. The guidance is not clear enough.
  • Territorial Considerations

    • An individual’s location and the location where their personal data is processed are important for GDPR and CCPA compliance and enforcement. However, it is difficult to ascertain the jurisdiction of a decentralized technology like blockchain, and therefore which jurisdiction’s laws apply.
    • Private blockchains more often set restrictions in their governance models and agreements to limit the regulatory scope.
  • Cross-border Data Transfer

    • The nature of blockchain poses a challenge to transborder data flows. The GDPR, and currently many other data protection laws, require that where data is transferred outside the jurisdiction, the recipient country must ensure an adequate level of protection or the controller must implement additional safeguards such as standard contractual clauses, binding corporate rules, codes of conduct or certification mechanisms.
    • However, these safeguards will be difficult to implement in a public blockchain with an undefined participant group.
  • Legitimate reasons for processing personal data

    • Personal data can only be processed on a specific legal basis. Federal sector-specific laws in the US like the GLBA and HIPAA limit the use of certain personal data without an individual’s consent with few exceptions such as uses for treatment, payment, and health care operations.
    • Under the GDPR, the lawful basis for processing must be one or more of: consent, performance of a contract, a legal obligation, vital interests, public interest or official tasks, and legitimate interests.
    • While a blockchain may request consent from its users, meeting the requirements of valid consent may be difficult. Among other requirements, consent must be capable of being withdrawn at any time, but a blockchain ledger records data in a way that is hard to remove, so later processing becomes unlawful. Organizations must therefore carefully consider scenarios like consent withdrawal when determining what data they store in blockchain applications and how they record it.
  • Immutability and individuals’ rights

    • Data protection endows individuals with many rights, one of which is the right to delete data and effectively be forgotten. These rights conflict with blockchain technology’s transaction immutability.
    • Blockchains can address data updates by recording additional transactions. However, later transactions do not technically delete data previously stored on the blockchain.
    • Strict technical erasure of blockchain data may be achieved, albeit with an effort comparable to a hard fork. This will be very difficult to carry out every time an individual seeks to exercise their rights.
    • Erasure may be more feasible in private blockchain governance models with a central operator, but this greatly impacts the celebrated distributed nature of blockchain.
  • Potential mitigation steps

    • Organizations should follow several risk management strategies when considering whether to use blockchain technologies. They should:
      1. Evaluate whether blockchain technology is a good fit for current business and processing objectives.
      2. Evaluate whether they prefer private or permissioned blockchains to enforce stricter usage rules.
      3. Avoid and limit personal data stored on blockchain.
      4. Adopt alternative data encryption and destruction approaches.
      5. Blockchain companies may adopt certification mechanisms and codes of conduct.
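An added Python sketch of steps 3 and 4 (not code from the paper or this summary): personal data stays in an off-chain store under the controller’s control, the ledger receives only an opaque reference and a salted digest, and an erasure request destroys the off-chain record and its salt, leaving an immutable but unlinkable digest on-chain. The `Ledger` class, the function names and the sample record are constructed for the illustration; whether the leftover digest still counts as personal data is a legal judgement the sketch does not make.

```python
import hashlib
import json
import secrets

SAMPLE = {"name": "Alice Example", "email": "alice@example.test"}  # constructed

class Ledger:
    """Append-only hash chain standing in for a blockchain: entries are
    never rewritten or removed, which is the immutability at issue."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.blocks) - 1

def commitment(salt: bytes, record: dict) -> str:
    # 32 random salt bytes mean the digest cannot be brute-forced from
    # guessable field values (name, e-mail) once the salt is destroyed.
    canonical = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

def register(ledger: Ledger, store: dict, record: dict) -> str:
    """Keep the personal record off-chain (in `store`, a mutable database
    under the controller's control) and put only an opaque reference and
    a salted digest on-chain."""
    ref = secrets.token_hex(8)           # random, not derived from the subject
    salt = secrets.token_bytes(32)
    store[ref] = {"salt": salt, "data": record}
    ledger.append({"ref": ref, "commitment": commitment(salt, record)})
    return ref

def verify(ledger: Ledger, store: dict, ref: str) -> bool:
    """True while the off-chain record still matches the on-chain digest."""
    entry = store.get(ref)
    if entry is None:
        return False                     # salt gone: digest is unlinkable
    expected = {"ref": ref, "commitment": commitment(entry["salt"], entry["data"])}
    return any(block["payload"] == expected for block in ledger.blocks)

def erase(store: dict, ref: str) -> None:
    """Erasure request: destroy the data and its salt; the chain stays intact."""
    store.pop(ref, None)

def ledger_contains_plaintext(ledger: Ledger, record: dict) -> bool:
    """Confirm no field value of the record was ever written on-chain."""
    serialized = json.dumps(ledger.blocks)
    return any(str(value) in serialized for value in record.values())
```

After `erase`, the block is still there and still hash-linked to its successors; only the ability to connect it to a person has been removed.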

Implications and Follow-ups

  • The attendant consequence of the GDPR is that every person adopting blockchain technologies must comply with its provisions to avoid being penalized for a breach of data protection and the reputational damage that may come with it. Therefore, every organization deploying blockchain technology should consider a data protection impact assessment to determine the risk the technology poses to data subjects, and consider privacy by design and by default where necessary.

Applicability

  • Based on the research, blockchain users should consider carrying out a data protection impact assessment (DPIA) and applying privacy by design and privacy by default during the initial period of developing blockchain applications, to ensure that the principles of the GDPR and CCPA are complied with.

6 Likes

Learnt a whole lot from this summary. Thank you.

2 Likes

Thank you for this wonderful summary! Have you seen any sets of practices or protocols that would make it possible to comply with the aforementioned laws without compromising the privacy of the user?

1 Like

I have not seen any myself; however, experts in the privacy space suggest that a private permissioned blockchain is most likely to comply with the GDPR and CCPA. It will all depend on a case-by-case analysis of the facts.

2 Likes

Nice summary of the tensions between blockchain and the GDPR & CCPA. I actually only knew the GDPR and had never heard of the CCPA.
I have always wondered if introducing encryption of users’ information would make the blockchain compliant. For example, I remember proposals like Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts.

Say there is a service provider (a DeFi app or something) that encrypts users’ data. Since they cannot remove the data that is on the blockchain, are they compliant if they propose that users simply delete the corresponding private key?

2 Likes

They won’t be compliant, because the encrypted personal data in the blockchain is still being processed. Encryption reduces security risk but doesn’t stop information from being personal data, since it can be decrypted.

I would recommend pseudonymisation techniques over encryption.

2 Likes

I realize this will seem naive of me, but we are all now routinely obliged to click buttons accepting or rejecting cookie-collection on web sites. Public blockchain technology surely has as much right to exist as cookies do, as long as it informs users of the consequences.

Many people want to participate in decentralized, peer-to-peer communities. So why can’t public blockchains simply require a “checkbox agreement” during signup that says:

"This community is managed by a public, peer-to-peer blockchain. By joining it you give up certain rights covered by the GDPR and other agreements. These include the right to delete data and the right to be forgotten. If you don’t agree with this stipulation, please join a private or permissioned blockchain more capable of protecting your privacy."

1 Like

Data protection rights as contained in the GDPR are fundamental human rights. See Articles 7 and 8 of the Charter of Fundamental Human Rights, which further provides under Article 52 that the rights shall not be limited except as outlined by the Charter. Specifically, your excerpt suggests or tends to rely on consent as a legal basis. However, for consent to be valid, it must be freely given, informed, specific, unambiguous and easy to withdraw at any time. You can see from the excerpt that consent cannot be said to be freely given. You can check Article 6(1)(a) of the GDPR.

I also want to add that blockchain technology has presented a difficult situation to regulators. Presently, there is no guidance from the European Data Protection Board (EDPB) on the best way to achieve compliance, but there is serious optimism that it will materialise this year.

Can you expand on what the authors mean by encryption?
Most blockchains usually only use digital signatures and hashing.

I believe the authors were referring to hashing. It is possible they did not bother much about the technical difference between the two.