An increasing number of research articles examine the link between blockchain technology and the European Union’s General Data Protection Regulation (GDPR). Considering the plethora of potential applications for blockchain technology, as well as the data privacy and protection requirements of the GDPR, it is not surprising that the studies struggle with, and reach varying conclusions on, the question of whether Blockchain and GDPR are friends, enemies, or frenemies.
The distinction between Blockchain and GDPR
Blockchain is a much-discussed technology that, according to some, has the potential to usher in a new era of data storage and code execution, which in turn might encourage the development of new business models and marketplaces.
Of course, the exact effect of the technology is difficult to predict with precision, particularly given that many people remain doubtful of Blockchain’s potential influence. In recent months, there has been a great deal of debate in policy circles, academia, and the commercial sector about the friction between blockchain technology and the General Data Protection Regulation of the European Union (GDPR).
The conflict between GDPR and Blockchain stems from two main issues.
First and foremost, the GDPR is predicated on the underlying premise that, in connection to each personal data point, there is at least one natural or legal person – the data controller – to whom data subjects may turn to assert their rights under EU data protection legislation. Accordingly, these data controllers are subject to the duties imposed by the GDPR.
On the other hand, blockchains are distributed databases that, in many cases, strive to accomplish decentralization by substituting a single actor with a large number of diverse participants. The absence of agreement on how (joint-) controllership should be defined makes it difficult to allocate duty and accountability.
Secondly, the General Data Protection Regulation (GDPR) is predicated on the assumption that data can be altered or wiped away where necessary to comply with legal requirements, such as those outlined in Articles 16 and 17 of the GDPR.
Blockchains, on the other hand, deliberately make unilateral alteration of data difficult, in order to maintain data integrity and promote confidence in the network. Moreover, the use of blockchains emphasizes the difficulties associated with adhering to the standards of data minimization and purpose restriction in the present state of the data economy.
Are Blockchain and the General Data Protection Regulation incompatible?
When it comes to data security, data privacy, and the rights of users to regulate access to personal data — along with the right to be forgotten — the General Data Protection Regulation (GDPR) draws sharp boundaries. On the other hand, Blockchain was designed as a public ledger in which every member has access to the full Blockchain from the beginning. Furthermore, blockchain transactions, and by extension the data recorded in a blockchain, are immutable. In other words, once a transaction and the related transaction data have been recorded, you cannot delete them.
However, this is a simplistic view of the Blockchain, which ignores the public features of Blockchain, such as Bitcoin, and the immutability of Blockchain, both of which contradict GDPR requirements. An immutable blockchain does not have to be publicly accessible. While transaction data will be immutable, the use of blockchain applications does not imply that personal data subject to GDPR protection must likewise be kept in the immutable Blockchain.
According to the findings of the NIST research, it is difficult to determine whether blockchain technology itself complies with legal standards, including those of the General Data Protection Regulation (GDPR). GDPR compliance can only be determined by examining each scenario in which it is implemented.
Although the French Data Protection Authority’s study and the European Union Blockchain Observatory and Forum’s report respond differently, it is somewhat unsurprising that both conclude that blockchain technology is subject to the General Data Protection Regulation.
The use of blockchain technology to fulfil GDPR goals
It has been suggested that blockchain technology may be a useful instrument for achieving some of the goals of the General Data Protection Regulation (GDPR). Moreover, blockchain technologies are a data governance tool that can promote alternate forms of data management and dissemination while also providing advantages over other alternatives.
It is possible to build blockchains to facilitate data-sharing without a central trusted intermediary. They can provide transparency as to who has accessed data, and blockchain-based smart contracts may moreover automate the exchange of data, thereby lowering transaction costs. The crypto-economic incentive structures of blockchains may also have the ability to alter the existing economics of data sharing, which is now under consideration.
These characteristics may have a broader impact on the present data economy in areas such as supporting data markets by enabling the inter-institutional exchange of data, which may aid the development of artificial intelligence in the European Union. On the other hand, one may also use these same characteristics to assist some of the GDPR’s aims, such as giving data subjects more control over the personal data that directly or indirectly belongs to them.
In addition, data subject rights such as the right of access (Article 15 GDPR) and the right to data portability (Article 20 GDPR), which give data subjects control over what others do with their data as well as what they can do with that personal data themselves, can be seen as supporting this reasoning.
Blockchain vs GDPR: Disagreements versus similarities
At first look, the GDPR and blockchain technology seem to be opposed approaches. However, when taking a broader view, there are several areas where GDPR and Blockchain are complementary.
Points of Disagreement
It should be no surprise that the General Data Protection Regulation (GDPR) is causing so much concern among the blockchain community. While the GDPR was intended to be platform-neutral, the criteria for data erasure and data modification seem to directly contradict the way blockchain technology operates on a technical level.
Blockchain technology directly contradicts the GDPR rules on several key aspects. First, take a look at the most important characteristics of this technology. Blockchain is based on a decentralized and immutable system known as a distributed ledger. It is meant to be a permanent and tamper-proof record that is independent of any governing body and not subject to its control.
There is no way to modify or erase any of the information stored on the Blockchain, including personal information on data subjects. As a result, if Blockchain were to be utilized as a form of database to trade with personal data, it would violate the General Data Protection Regulation (GDPR).
Blockchain and decentralized ledger technology
The dispute between GDPR and blockchain-based approaches to data privacy is founded on two fundamentally divergent views about how to effectively safeguard personal data. The blockchain view holds that improved encryption and distributed ledger methods of storage and protection, which are decentralized and unchangeable, are the most effective means of protecting personal information. It is designed to be a permanent, tamper-proof record independent of any governing authority and is thus not under the jurisdiction of that authority.
These properties of Blockchain are opposed to those of centralized data management systems, in which there is a clear controller of data. That is what authorities had in mind when they drafted the General Data Protection Regulation (GDPR). In their opinion, centralized, government-led authority is vital for safeguarding consumers and their information from the abuses of private players, notably the new huge data-driven technology giants such as Google and Facebook, among others.
Nodes or no one as a data controller
The function of data controllers is another source of contention. While the General Data Protection Regulation (GDPR) places a great deal of responsibility on data controllers in centralized companies, which are relatively straightforward to establish, Blockchain is a different situation. As a result, it is very difficult to determine who fits inside the GDPR-specified responsibilities and who is really in charge of the data in a decentralized blockchain context.
The term “node” refers to everyone who connects to a peer-to-peer network and executes the software that makes up a distributed ledger system. To put it simply, a node is a device linked to a blockchain network that contributes to the network’s operation by keeping a copy of the Blockchain. The nodes process data without having complete control over the system.
However, once a block has been included in the chain, there is no power to alter or correct the block. Because the system is decentralized, once a user’s data has passed through the application and onto the Blockchain, the blockchain firm that allowed the user to place that data onto the Blockchain no longer has control over that data.
This stance, therefore, raises the question of who is the data controller if the blockchain corporation is not the one. In essence, any individual who connects to a network, and hence every node, might be regarded as a data controller in certain circumstances. Thanks to their private key, they have complete control over what happens to their data and who has access to it.
The difficulty is that, in contrast to centralized controllers, nodes and data subjects on a blockchain cannot comply with GDPR standards since they have minimal control over the information kept on the ledger.
The right to be forgotten is the most significant area of contention between Blockchain and the General Data Protection Regulation (GDPR). It is required under the General Data Protection Regulation (GDPR) that any personal data of EU nationals maintained inside a company may be amended or erased at the request of the individual to whom the data relates.
In blockchain technology, the immutable character of the decentralized ledger, which ensures the ultimate integrity of all data across the chain in terms of both security and accuracy, is a fundamental concept that one must understand.
According to the “immutability of records” premise of blockchain technology, any data stored inside blockchain transactions is almost impossible to edit or erase to comply with GDPR standards. So it will be there for a long time. On Blockchain, instead of the right to be forgotten, there is the more radical concept of a right to never forget.
Any modification would jeopardize the whole system, since a blockchain is a sequence of consecutive blocks and a single faulty block would undermine the consistency of the entire chain. Basically, “breaking the chain” would render the whole Blockchain non-functional. To alter this data, one must make a new transaction.
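The chaining effect described above, together with the earlier point that personal data does not have to be kept in the immutable chain itself, shown as an added example that is not code from the original article. The block layout, the salted-hash commitment stored on-chain, and the sample records are assumptions made for illustration.

```python
import hashlib, json, os

GENESIS = "0" * 64

def block_hash(index, prev, payload):
    body = json.dumps({"index": index, "prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    chain.append({"index": index, "prev": prev, "payload": payload,
                  "hash": block_hash(index, prev, payload)})

def first_broken_block(chain):
    """Index of the first block that fails verification, or None if the chain is intact."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], block["prev"], block["payload"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None

def commitment(record, salt):
    # Assumption of this example: the chain stores only a salted SHA-256 of the record.
    return hashlib.sha256(salt + record.encode()).hexdigest()

def demo():
    records = {"alice": "alice@example.test pays 5",   # constructed sample data
               "bob": "bob@example.test pays 7",
               "carol": "carol@example.test pays 2"}
    # Design A: personal data written directly into the blocks.
    on_chain = []
    for rec in records.values():
        append(on_chain, rec)
    intact = first_broken_block(on_chain)
    on_chain[1]["payload"] = "[erased]"               # in-place erasure of bob's block
    after_erase = first_broken_block(on_chain)
    on_chain[1]["hash"] = block_hash(1, on_chain[1]["prev"], "[erased]")
    after_rehash = first_broken_block(on_chain)       # the break moves to the next block
    # Design B: personal data in a mutable off-chain store, commitments on-chain.
    store, off_chain = {}, []
    for name, rec in records.items():
        salt = os.urandom(16)
        store[name] = (salt, rec)
        append(off_chain, commitment(rec, salt))
    del store["bob"]                                  # erase record and salt off-chain
    return intact, after_erase, after_rehash, first_broken_block(off_chain), "bob" in store

if __name__ == "__main__":
    print(demo())
```

In design A the erased block fails verification, and recomputing its hash only moves the failure to the following block; in design B the off-chain record is deleted while every block still verifies.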
Nevertheless, it is a weird coincidence that although blockchain technology is in direct conflict with – and hence incompatible with – GDPR laws on a technical level, when seen from a principle-based perspective, GDPR and Blockchain have many shared aims.
An in-depth examination of the Blockchain’s underlying principles and technologies indicates how the technology enhances the key components of data privacy and security stated in the General Data Protection Regulation (GDPR). EU policymakers and blockchain experts alike would do well to remember that Blockchain and the General Data Protection Regulation (GDPR) are attempting to accomplish the same goal. As a result, data provenance, transparency, privacy, and security are all improved thanks to blockchain technology. It is merely that blockchain technology approaches these concerns differently than GDPR does.
Individual command and control
Individual control over personal information, as well as data minimization, are two concepts that everybody shares. Blockchain technology is utilized to create digital identity solutions; it provides people with unprecedented control over how their data is shared and used by other parties.
Anonymity is another important guideline to adhere to. Blockchains have the power to provide anonymity to their users. Anyone who is transacting on the network will be able to view the information; in permissioned networks, even those transacting on the network may be limited from accessing information about other participants.
The private keys are used to provide access, whilst the public key facilitates inter-user transactions by serving as an address that is not associated with any personally identifiable information. This implies that no personal information is made available even though a blockchain is publicly accessible.
All transactions are easily observable and transparent to individuals who have access to a blockchain. Even while the Blockchain employs encryption to maintain confidentiality, the ledger itself remains open to the public. Given the network and data’s high level of tamper resistance and decentralized structure, blockchains are, in principle, less susceptible to unauthorized change than traditional single-instance databases.
Furthermore, by decentralizing transaction processing, distributed ledger systems eliminate the weaknesses typically exploited in centralized data repositories, allowing for more secure transactions. Blockchain is revolutionary in its capacity to store information across a range of platforms while maintaining high levels of privacy and security. A blockchain ledger has no identifiable single point of failure, which makes single-breach failures virtually impossible.
It is important to remember that, as two sides of the same private data coin, the combination of GDPR and Blockchain can enhance how businesses gather, store, and handle private information. With the advent of blockchain technology, we now have new opportunities to further increase data ownership, transparency, and trust between organizations.