By Henry Chueh*
In the past few weeks you will have received an email dump from various businesses’ privacy policies. This relates to a new regulation known as the General Data Protection Regulation (GDPR).
The GDPR is a European Union regulation signed in April 2016 that took effect on May 25. It tightens Europe’s already strict laws on what companies can do with people’s data. It also forces companies to justify what they are doing with their customers’ data.
What is considered personal data under GDPR? According to the European Commission, “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.”
Why is GDPR a concern for non-EU countries? Because many businesses collect and use EU resident data. These businesses may also use companies that are based in the EU for services and processing data. The regulation forces companies like Facebook or Google to review their data security and data collection processes. For data brokers like Equifax, this will likely have a significant impact on their business model.
The penalties for failing to comply with GDPR are fines of up to €20 million or 4% of annual turnover - whichever is larger.
For consumers, we will likely see more pop up requests, with less pre-ticked boxes. Companies will need to ask you to opt in, giving them permission to use your data, rather than opt out. Even then, there is also a data minimisation requirement, meaning that only necessary personal details are collected for their intended purposes.
So how does this affect blockchain?
There are two aspects of GDPR that pertain to blockchain; data security and the “right to be forgotten”.
With data security, the GDPR requires pseudonymisation when personal data is stored. Pseudonymisation is the process of “transforming data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information”. Basically, data is replaced with pseudonyms and unless you have the key, it is difficult to reidentify the original contents.
In this, blockchain can assist with data security. Transactions on the blockchain are tied to cryptographic hashes. The origin of the data is encrypted and only be accessible through a hash key. A cryptographic hash function can be imagined as a black box that takes an input and spits out a string of completely uncorrelated string of letters and numbers.
Cryptographic hash functions are designed to be one-way functions, meaning that you cannot deduce the input by just looking at the output. For Bitcoin, transactions are hashed using the SHA256 function. As an example:
“Hello” as an input in SHA256 function will produce an output of: “185F8DB32271FE25F561A6FC938B2E264306EC304EDA518007D1764826381969”
Even though “Helllo” has a minor difference, it will produce an output of:
From a data security point of view, blockchain meets the definition of GDPR, as hashing is a form of pseudonymisation.
It is the second aspect of the “right to be forgotten” that is in direct conflict. In essence, the “right to be forgotten” will forcefully require companies to erase data under certain conditions. These conditions are interpreted as the following:
- Data not necessary for collecting / processing purpose anymore
- Data subject withdraws consent or explicit consent
- Data subject objects to process and no overriding legitimate grounds
- Unlawful process of data occurred
- Erasure needed for legal compliance
- Data of children, collected via information society services
The conditions stated are reasonable. However, one key aspect of blockchain is immutability. Once something has been put on a blockchain, it cannot be removed or altered. Therefore, if blockchain were to be used to transact with personal data, it would be by default in violation of GDPR. Companies that use blockchain will need to adapt to GDPR.
One possible solution is to store the personal information “off chain”, in a separate database, that can be linked to the blockchain via cryptography keys. This separate database is centrally controlled and the onus is on the authority to comply with GDPR. While not ideal, as a centrally controlled database it is counterintuitive to the purpose of blockchain. A compromise may be needed to meet this regulation.
Overall, this regulation is positive. With the emergence of machine learning, artificial intelligence and facial recognition, your digital personal information can leave you extremely vulnerable. Information like your online behaviour, browsing preferences, travelling routes, photos can be sold on to the open or dark web and be used against your permission. Hence, companies will need to ensure they maintain their data hygiene.
Blockchain can assist but by no means is it a silver bullet.
*Henry Chueh researches blockchain and cryptocurrencies in his spare time. He has seven years' experience in the financial services sector, specifically insurance.