GDPR has undoubtedly been a good thing. For the consumer, it has increased protection of any collected data (and rightly so) but it has also increased awareness of just how much personal data is actually collected. In terms of business, it has forced companies to look at data collection as an outdated business practice, rather than an advantage, and has made holding it securely a necessary burden, rather than an asset.
However, it has hit some industries harder than others. For example, industries that are based on or focus on blockchain have often found it difficult to adjust and adapt. Why is that? Well, it’s because of one of blockchain’s most valuable tenets: data on a public blockchain can be viewed by anyone and is preserved for time immemorial. This is a problem when it comes to data privacy.
A question of rights
When it comes to new rights in regard to data, GDPR is way up at the top. If we consider the basic rights afforded to data subjects under GDPR, EU citizens can not only access personal information that businesses keep about them, but they can also ask that data to be transferred elsewhere, corrected and – and here’s the kicker – even deleted.
If any of this information is stored on a blockchain however, any changes or deletions of any data would break that chain, hurting the trust in the chain and the availability of the recorded data itself. So, it stands to reason, then, that GDPR’s right to erasure, or right to be forgotten, would present some obstacles when it comes to blockchain-based technologies.
However, there is light at the end of the tunnel.
Compatibility between privacy and open data
These are the words seen in a report by the Global Centre for Enterprise, who believe that a more optimistic approach should be taken by all those who are willing to embrace blockchain technologies. The organisations behind the CGE report – the Digital Supply Chain Institute, along with law firms Slaughter and May and Cravath, Swaine & Moore – say it’s possible to comply with the GDPR by using a private, permissioned and well-governed blockchain that avoids storing personal data.
They also add that if regulators don’t act to address blockchain’s privacy challenges, further technological advances could slow down or even end. This would, of course, be a travesty, when there is so much good that blockchain can be the basis for. In fact, France’s data privacy regulator believes that there is space for blockchain and data privacy to live together, side by side. Even though the GDPR dictates a ‘privacy-by-design’ process from the beginning, which speaks to blockchain perhaps not being compatible with the regulation, the Commission nationale de l’informatique et des libertés, or CNIL, published a report stating that it may well be technically possible to integrate these privacy principles with blockchain technology. Specifically, when it comes to data-erasure requests, it may be possible to delete a keyed hash function’s secret key, making information held on the blockchain continue to be in existence, but for it to no longer be accessible.
But this isn’t the only way.
The only thing to be sure of is to be sure of nothing
Another technological advancement within the blockchain is the concept of Zero-knowledge proofs. This type of cryptography is a method by which one party, x, can prove to another, y, a certain value without conveying any other information. This additional level of cryptography can be complex, but due to its relative youth, there are still multiple ways to implement them.
One example for instance, proving that someone can produce proof that they are above the age of 18, without disclosing their actual age. Whilst zero-knowledge applications have great promise when it comes to ‘privacy-by-design’ and self-sovereign ownership of personal data, there are still a good many subtleties in actually implementing them. For instance, when it comes to personal data, the fact that someone can prove they are over 18 is still disclosing personal data.
The answer to this could be handing the power of information disclosure to those that might use the platform. JPMorgan Chase, for example, has created a version of Ethereum called Quorum with a zero-knowledge security layer. There is also a platform called QURAS, which enables the user to choose whether or not they wish to disclose any information or not. The reasoning behind this is that privacy issues are huge these days, and any cryptocurrency transactions are often exposed to third parties – so it makes sense to hide certain parts of information from the outside world, in order to protect it.
It’s clear that there are a good many applications for blockchain when it comes to protecting data and ensuring trust in supply chains, food, and of course cryptocurrency. However, there is also huge potential for the blockchain to continue its trajectory towards the stars – with privacy in mind. It makes sense to let those who implement and use that same technology to have a say in whether their data is disclosed or not, and for the future, this may well be the best avenue to go down.
Perhaps Lara Croft in the Tomb Raider films said it best – “some things are not meant to be found”. This is especially true of personal data.
Mike Rymanov, CEO, DSX
