How does 'the right to be erased' exist with an immutable ledger


Why GDPR Exists

In the wake of the ‘Cambridge Analytica Scandal,’ the EU decided to review its privacy laws upon the discovery that confidential user information was misused. As a result, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018.

GDPR Glossary

To comprehend the language used in the new law, we have to understand its main terms:

● An identifiable person is any natural person that can be directly or indirectly recognized by their name, identification number, an online identifier, location data, or one or more factors related to their social, economic, cultural, physical, genetic, or psychological identity.
● Personal data is any information related to an identified or unidentifiable natural person.
● Processing refers to any activity or set of actions performed on personal data, including collection, storage, recording, disclosure by transmission or dissemination, utilization, destruction or erasure.
● Data controller is the subject that gives directions on how personal data will be manipulated and processed.
● Data processor is the subject that processes personal data on behalf of the data controller.

GDPR regulates the processing of personal data of EU citizens by a data controller or processor, regardless of their location. The law also applies to controllers or processors that are established outside the Union, as long as those firms handle the personal data of EU citizens.

A Controversial GDPR Article

According to Article 17, an identifiable person or EU citizen has the right to request the controller to erase all their data without unnecessary delay. Once someone makes the request or demand, the controller has to delete the personal data immediately. This contentious rule is also referred to as ‘the right to be forgotten.’ The law is controversial because its application to blockchain technology is impractical. While it may work well with other controllers, such as social media sites and online bank portals, it is not compatible with Distributed Ledger Technology (DLT).

What Makes Blockchain So Special?

For the controller to erase the data completely, the data processor has to store and process the information from a central location. Unfortunately, blockchain technology keeps and manipulates data in many different places. The blockchain is an example of a distributed ledger. Instead of storing data in one place, distributed ledgers use computers belonging to individual persons, or nodes, to register, share, and coordinate transactions in their own electronic ledgers.

To be specific, a blockchain is a data structure that allows a network of self-conscious peers to share a continuously growing list of records, or blocks, joined and fixed together by cryptography. The state of a blockchain is defined by the emergent consensus, a term that describes how thousands of independent computers reach an agreement about the latest condition of a distributed ledger.
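The hash-linking described above, as an added example that is not part of the original article: a minimal Python chain in which each block commits to its predecessor's hash, showing what a verifying node sees when one record is erased. The block layout, function names and sample records are assumptions constructed for illustration, not any real ledger's format.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(index, prev_hash, record):
    """SHA-256 over the block contents, including the previous block's hash."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record},
                      sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(records):
    """Link records so that each block commits to its predecessor's hash."""
    chain, prev = [], GENESIS
    for i, record in enumerate(records):
        digest = block_hash(i, prev, record)
        chain.append({"index": i, "prev": prev, "record": record, "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Index of the first block a verifying node would reject, or None."""
    prev = GENESIS
    for block in chain:
        expected = block_hash(block["index"], block["prev"], block["record"])
        if block["prev"] != prev or block["hash"] != expected:
            return block["index"]
        prev = block["hash"]
    return None

def erase_record(chain, index, rehash=False):
    """Blank one record on a copy; rehash=True also recomputes that block's hash."""
    edited = [dict(block) for block in chain]
    edited[index]["record"] = None
    if rehash:
        b = edited[index]
        b["hash"] = block_hash(b["index"], b["prev"], None)
    return edited

# Constructed sample records; the names and fields are illustrative only.
RECORDS = [
    {"subject": "alice@example.com", "event": "account opened"},
    {"subject": "bob@example.com", "event": "loan application"},
    {"subject": "carol@example.com", "event": "address change"},
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    for c in (chain, erase_record(chain, 1), erase_record(chain, 1, True)):
        print(first_invalid_block(c))  # intact, blanked, blanked and rehashed
```

Blanking a record makes that block fail verification, and recomputing its hash only moves the failure to the next block, so the edit cannot be confined to the record being erased.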


Since personal data in blockchain technology is stored and processed on thousands of computers across different locations, it becomes difficult to completely erase the information of one identifiable person because the data is scattered in pieces across different controllers and processors.

Can ‘The Right to Be Forgotten’ Really Coexist With An Immutable Ledger?

In their current state, they cannot exist in perfect harmony because of one term. According to the GDPR, personal data is any information that can be associated directly or indirectly with a natural living person. The term ‘indirect association’ should not be in the law.

The identity of the people who initiate transactions on DLT is usually hidden through a process called pseudonymization. This technique improves privacy by replacing the person’s confidential data with artificial identifiers. Since the pseudonymized data is virtually unrecognizable, it cannot be linked directly to a specific person. For that reason, it should not be categorized as personal data. However, the GDPR considers anonymized information as personal data since it can link directly to a specific person. At this point, GDPR and blockchain are incompatible.

Additionally, a single identifiable person cannot control the pseudonymization of personal data in a blockchain; therefore, it is hard to identify the controller. Since ‘The Right to Be Forgotten’ can only be applied where there is a known controller, the law has no bearing on the immutable or unchangeable ledger.

How GDPR and Blockchain Can Exist Alongside Each Other

If Blockchain developers can find a way to get rid of personal data without allowing some re-identification, they can avoid the controversy associated with pseudonymization as an encryption method. Currently, the GDPR recognizes pseudonymized information as personal data because the process fails to erase all identifying information. Anonymization only masks the original data.

Alternatively, the EU can modify the law by stating that anonymized information is not personal data. Despite the concerns, nobody has ever been able to decrypt data on the blockchain.

Why It May Take Long To Find a Solution

Even if it were somehow possible to find an encryption method that masks data without leaving any traces, the implementation of these changes may take a long time. First, the leading developers have to agree to execute the new modifications jointly. Second, the miners have to update their machines and conform to new privacy regulations. Finally, the users have to test the new system and give their feedback. The entire process can take months or years, depending on the response of the participants.

Room for Hope

Since both GDPR and Blockchain technology were started for the same purpose, to safeguard the privacy of their users, it is only a matter of time before the two become compatible.

- Adam Jiwan is Co-Founder, Chairman and CEO of Spring Labs

