Every second, 60 data records are lost or stolen; that's over five million records per day. Data breaches have become so commonplace that only the most egregious ones make headlines. In response to continual catastrophic data loss, regulatory authorities around the world have mandated further protections on the collection and use of personal data.

The European Union, through the General Data Protection Regulation (the GDPR, see p.14), is currently implementing one of the most comprehensive and aggressive efforts to protect personal data. Some argue, however, that such regulations are unnecessary and already outdated, as blockchain technology offers a solution to the systemic breach environment. It is uncertain, however, if blockchains can be compliant with the GDPR.

BLOCKCHAINS

Blockchains are a type of distributed ledger, where data is stored across a network of computers and cryptographically packaged through encryption and hashing.

Once a package of data is added to the blockchain and hashed, it cannot be altered or removed, making it completely tamper resistant. In addition, because data stored on the blockchain is not centrally held by one user but is instead distributed across a network, it is nearly impossible for the data to be lost. The distributed database is available to anyone with a computer and internet access who has downloaded the (usually) open source software.

Another hallmark feature of blockchain technology is its self-auditing mechanism, whereby it reconciles any anomalies. This ensures that information on the blockchain is current and accurate. As a result, a blockchain-fuelled database is private, secure and always up-to-date. Blockchain technology fundamentally preserves and guarantees the integrity of data, making it an obvious technological fit for a data protection application.

The GDPR, however, presents a variety of challenges for utilising blockchain technology for storing personal data. Under the GDPR, personally identifiable information (PII, or personal data) is defined as "any information relating to an identified or identifiable natural person," regardless of whether such identification of the person is made directly or indirectly. To protect PII, the GDPR implements certain legal grounds (involving consent, a legal duty or public service obligation) surrounding obtaining personal information, breach notification, right of access, right of erasure, data portability, privacy by design and data protection officers.

Two of these requirements make it inherently challenging to use blockchain technology for storing personal data.

RIGHT OF ERASURE

Under the right of erasure, the GDPR first requires the entity to automatically stop storage of personal data once there is no longer a strict need to store it.

Then, the right of erasure requires that any entity that gathers or stores PII must put in place appropriate mechanisms to erase PII if the individual requests it. In addition, an individual is entitled to have his or her data erased automatically by the entity holding the data after the expiration of relevant statutory periods of limitation, which are potentially quite distinct from one country to another.

This requirement fundamentally conflicts with how data is packaged and stored on the blockchain, as data cannot be deleted once added to the blockchain. After all, allowing data to be removed would undermine some of blockchain's key features: enabling deletion on the blockchain opens the door for potential tampering.

Current erasure features on the blockchain are either impractical or unlikely to satisfy regulators. Some have proposed that whenever an individual wants their data removed, a hard fork is performed. A hard fork establishes different rules on the blockchain so that the previous blocks of data are no longer accepted as current. Hard forks are significant events on a blockchain-based database, making it impractical to have a hard fork every time an individual wants their data removed. Even if it became easier to perform, a hard fork does not remove an individual's data, but just makes it appear as out-of-date.

Others have proposed "burning" the key that allows the data to be accessible to a user. To do this, an unsolvable, completely random public key is used for someone's PII when they want their data removed; consequently, no one would be able to access that person's PII. It is uncertain that this solution would be GDPR-compliant, however, since the individual's data is, again, still stored on the blockchain, albeit inaccessible.

PRIVACY BY DESIGN

A second GDPR requirement—privacy by design—presents another hurdle. This requires entities to structure and design their systems by making the user's privacy a central element. Blockchain technology is a pseudonymised process, however, whereby the encryption and hashing features of blockchain technology do not anonymise the user (authors' emphasis). As a result, a user of a blockchain database could be traced and tracked, making it possible to connect a user to a specific person or organisation.

Current solutions require the user to adopt privacy-enabling technology, but placing the burden of anonymity on the user might conflict with the privacy by design requirement of the GDPR, since the privacy features should be embedded within the system, and not placed on the user. That said, if the blockchain software is paired by the developer with privacy technology, that might suffice.

Blockchains right now are mostly opt-in, with the participant choosing to have his/her data stored in this fashion. They are also distributed across unaffiliated participants, generally with no central authority or controlling entity. While these do not completely cure GDPR issues, they are factors to consider in the analysis.

GDPR COMPLIANCE

Although there are roadblocks to GDPR compliance, there remain blockchain applications and workarounds that provide all the features of the blockchain while remaining compliant with the GDPR.

One is commonly referred to as "credential management". A regulatory authority—typically a governmental entity—stores all PII and then provides a credential on the blockchain that does not contain any PII. A third party that needs to verify or request PII can access the credential and confirm PII without the requestor or regulatory authority actually disclosing any PII.

For example, a car loan creditor needs various PII (e.g., age, driver's license information, citizenship), so it makes requests in verification form by posing polar questions (e.g., is the applicant over the age of 18?), and the credential simply relays yes or no responses to the request. As a result, the creditor obtains the necessary information while not obtaining any PII. Since no PII is shared on the blockchain, the challenges of GDPR compliance are avoided.

Storing a credential provided by a regulatory authority on the blockchain ensures that the information has not been forged. It allows the regulatory authority and even the individual of the PII to know who is requesting the credential and provides a real-time update mechanism so all information is current.

Although this scenario could enter into the scope of certain exceptions under the right of erasure, e.g., the grounds of legal duty or public interest, this application is not without other problems. All PII would be consolidated with the regulatory authority, making it a high-value target for hackers. Users and requesters also need to trust the regulatory authority; without trust, the credential has little value.
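As an added illustration (not code from the original article), the car loan exchange above can be sketched with salted hash commitments recorded on an append-only hash chain, so the ledger carries no PII yet a forged answer or an altered block is rejected. The names `Ledger`, `Authority` and `creditor_check` are hypothetical, the sample subject and dates are constructed, and the sketch assumes only the authority can write to the ledger.

```python
import hashlib, json, secrets

def sha(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for the blockchain (hypothetical).
    Assumption: only the authority can append; a real system would sign entries."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": sha(prev + payload)})

    def is_intact(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != sha(prev + b["payload"]):
                return False
            prev = b["hash"]
        return True

    def contains(self, payload: str) -> bool:
        return any(b["payload"] == payload for b in self.blocks)

def commit(question: str, answer: bool, salt: str) -> str:
    # The random salt stops anyone recovering the answer by hashing "yes" and "no".
    return sha(json.dumps([question, answer, salt]))

class Authority:
    """Keeps PII off-chain; only salted commitments reach the ledger."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.pii = ledger, {}

    def issue(self, subject: str, birth_year: int, this_year: int) -> dict:
        self.pii[subject] = birth_year              # stays with the authority
        question = "is the applicant over the age of 18?"
        answer = this_year - birth_year > 18        # year granularity, for brevity
        salt = secrets.token_hex(16)
        self.ledger.append(commit(question, answer, salt))
        return {"question": question, "answer": answer, "salt": salt}

def creditor_check(ledger: Ledger, disclosure: dict) -> bool:
    """Accept a yes/no answer only if its commitment sits on an intact chain."""
    c = commit(disclosure["question"], disclosure["answer"], disclosure["salt"])
    return ledger.is_intact() and ledger.contains(c)
```

The applicant hands the returned disclosure to the creditor, who learns the yes or no answer but never the birth year.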

This credential management application could relatedly be performed using a "zero-knowledge proof", which would remove the need to have a regulatory authority be part of the application. A zero-knowledge proof is essentially a way a user can prove information without revealing the information itself. To be effective, a zero-knowledge proof must be complete, sound (a false statement will not convince a verifier) and zero-knowledge (no knowledge is transferred from the statement except the knowledge that the statement is true).

A zero-knowledge proof could be utilised through the credential management application but, instead of including a regulatory authority, it would simply be an individual who has the PII and a requestor who would like to verify information. The individual would essentially provide their own credential, which would contain zero-knowledge statements for their PII. The requestor would access the credential to verify the information, and the zero-knowledge statements would prove the validity of the information.

Storing the zero-knowledge credential on the blockchain would ensure data integrity, provide information on data access and provide real-time information. And since the credential would not contain any PII, and thus no PII would be disclosed or stored on the blockchain, this application would be GDPR-compliant.

Utilising zero-knowledge proofs on the blockchain would also remove the issues associated with including a regulatory authority. PII would be entirely decentralised as it would remain with the individual; and any insecurity over trust in the credential would be eliminated due to the zero-knowledge proof. Although challenging to implement, such an application has the potential to provide a blockchain-fuelled database that verifies PII while being GDPR-compliant.
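A minimal interactive proof with the three properties listed above, added here as an illustration and not taken from the original article: one round of Schnorr identification, in which the individual proves knowledge of the secret behind a public credential value without disclosing it. It proves ownership of a credential rather than a statement such as age; the group parameters are a toy assumption (far too small to be secure) and all function names are hypothetical.

```python
import secrets

# Toy group (assumption, not secure): P = 2Q + 1 with P, Q prime; G has order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # individual's secret, never published
    return x, pow(G, x, P)                # y = G^x is what the credential carries

def commit():
    r = secrets.randbelow(Q - 1) + 1      # fresh one-time nonce
    return r, pow(G, r, P)                # R = G^r, sent before the challenge

def respond(x, r, c):
    return (r + c * x) % Q                # r masks x, so s alone reveals nothing

def verify(y, R, c, s):
    # Completeness: for an honest prover G^s = G^(r + c*x) = R * y^c (mod P).
    return pow(G, s, P) == (R * pow(y, c, P)) % P

def simulate(y, c):
    """Build an accepting transcript WITHOUT x by choosing s first.
    Possible only if c is known before R is fixed, which the real protocol
    forbids; that such transcripts exist is why a real one transfers no
    knowledge beyond 'the prover knows x'."""
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # R = G^s * y^(-c)
    return R, s

def run_protocol(x_claimed, y):
    """One round: commitment, requestor's random challenge, response, check."""
    r, R = commit()
    c = secrets.randbelow(Q - 1) + 1      # nonzero challenge from the requestor
    return verify(y, R, c, respond(x_claimed, r, c))
```

Because Q is prime and the challenge is nonzero, a response computed from any other secret fails the check in this round.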

Making The Blockchain Work In A Data Protected World
