ZKP can help resolve blockchain tensions with GDPR
Europe adopted a new law called GDPR in 2018. It gives EU citizens control over who collects their personal data and how it is handled. The pop-ups on websites seeking permission to collect and access your data are a result of the compliance needs imposed by law. Businesses globally (if they interact with EU citizens) are subject to GDPR rules with heavy fines for non-compliance. GDPR definitions were clear on data protection until blockchain went mainstream, and a few use cases are challenging the boundaries of technology and regulation.
Companies that store your data are called controllers, and those who work with your data are called data processors. The data controller is usually also a data processor, but they can be different entities. The controller is the entity responsible for GDPR compliance and if the personal data of EU citizens is involved, including for non-EU companies (e.g. Microsoft, Meta, etc.).
GDPR definitions of personal data
GDPR definitions of personal data are complicated. Other types of data are easier to define (eg age, gender, race, etc.) given that they link these attributes directly to a person. However, numbers such as phone numbers, IP addresses, Bitcoin wallet addresses and credit card numbers, which can be indirectly linked to individuals via companies such as telephone services, crypto exchanges or banks, are also considered personal by the GDPR.
It covers all information relating to an identified or identifiable natural person – which makes the line between pseudonymity and identification very thin. Blockchains store personal data such as transaction history, making them subject to GDPR.
Issues: GDPR vs blockchains
Data on blockchains is immutable and distributed without centralized authority. However, they conflict with privacy and GDPR. There are three specific sections of the GDPR in conflict with blockchains.
Article 16 (right to correct data)
This covers the right to correct data someone has about you (you can change the inaccurate data and add missing data). Adding data to blockchains is easy, but the inherent immutability attribute of blockchains makes it impossible to change data.
Article 17 (the right to be forgotten)
The same problem with blockchain immutability creates problems with not being able to delete your data from the chain, making GDPR compliance impossible. Blockchains forget nothing.
Article 18 (preventing data use by companies)
If data is collected incorrectly or illegally, GDPR allows you to prevent companies from using that data. Most blockchains cannot use your data for any purpose, which also means they may not process the data according to GDPR rules either, which makes things challenging.
Selection of suboptimal solutions
Join the community where you can transform the future. Cointelegraph Innovation Circle brings blockchain technology leaders together to connect, collaborate and publish. Apply today
A number of options have been proposed to discuss these issues; some were impractical, commercially unviable or rejected the benefits of using public blockchains.
Encryption
Encrypting personal data before storing it on the blockchain was an option that was proposed in the early days. This means that only the person or device with the decryption key can do anything with the data. The person or entity with the keys has absolute power to add, change and delete data, creating a “trust” problem. Others have argued against this solution, saying that it is only a matter of time before encryptions can be broken, revealing this data as computing power becomes faster and cheaper.
Permissioned or private blockchains
Anyone can see the data stored on public blockchains and add to it; private blockchains are access controlled and limited to a few parties. This can help comply with Article 18 and who can process the data, but it still has the immutable characteristics of blockchains that cannot comply with Articles 16 and 17.
Hashing and off-chain
Storing personal data off-chain with read-write access, for example with a secure server, and storing a reference to that data as a pointer is a common solution used for blockchain use cases that do not involve GDPR or personal data. This pointer is created by creating a digital fingerprint of the data using a one-way hash function and storing it on the chain. A hash can verify the integrity of the files on the centralized server, ensuring that no one has tampered with it. Second, hashing is one way you can make a hash of a piece of data, but you can’t take this hash and recreate the original data.
The right to be forgotten can be exercised by removing the actual data from the server, rendering the hash useless and pointing to nothing. While this solution is accepted and works for most blockchain use cases where personal data is not involved, it presents challenges where personal data comes into play (eg marketing, DeFi, loyalty, etc.).
According to the GDPR, even if a hash appears to be a string of random characters, it qualifies as personal data as it is linked to the data on the server. The hash solution is also not perfect because blockchains are supposed to be decentralized and this adds a centralization vector.
Optimal solutions
Zero-knowledge proofs (ZKP)
ZKP technologies allow evidence without revealing the underlying data. On blockchains, one can verify a cryptocurrency transaction without revealing the amount or destination of the transfer. The Zcash protocol uses this. ZKP enables minimal transfer and storage of personal data at the same time as GDPR compliance.
Hybrid blockchain
The patterns of cloud adoption reveal that blockchain may be moving towards a hybrid configuration. This means that the private data remains closed and the public data is open. These implementations come at a higher cost and still require a privacy layer such as ZKP, but satisfy GDPR optimally.
Ambiguity about responsibility
Blockchains create legal conundrums as the law states that the data processor (storer of data) is responsible for most legal compliance, but no one entity controls the blockchain. There are different participants on the blockchain.
Everyone cannot be responsible because they do not control what others store on the blockchain. Block validators/creators cannot be held responsible because they may not know whether the data is personal data or not. Protocol developers cannot be held responsible for GDPR compliance since they only produce the tools that are a means.
Given the participants, their roles and GDPR definitions, there is some work to be done.
The information provided here is not legal advice and is not intended to be a substitute for legal advice on any specific matter. For legal advice, you should consult with an attorney regarding your specific situation.
Nitin Kumar is a growth manager and co-founder at zblocks. He is a recognized leader, author, former consulting partner and VC investor.
This article was published through the Cointelegraph Innovation Circle, a researched organization of top executives and experts in the blockchain technology industry who are building the future through the power of connections, collaboration and thought leadership. Opinions expressed do not necessarily reflect those of Cointelegraph.
Learn more about the Cointelegraph Innovation Circle and see if you qualify to join