
Blockchain and the Right to be Forgotten

Carlos Eduardo Pereira, Treasurer of the International Board of ELSA 2020/2021

In this article, I reflect on the future of data management and on how we are going to balance technological systems with legal regulation. This is an open and extensive topic, so I am going to focus on one specific personal right, the right to erasure, in relation to one technological development, the blockchain system.

The European Union’s General Data Protection Regulation (“GDPR”) was a significant advance in establishing a new legal framework for data protection and its related rights. It is a European regulation with the goal of protecting personal rights and setting limits on the processing of data relating to those essential rights, achieving the status of an international human right in respect of access to information. This was implemented specifically in Article 17: the so-called ‘right to be forgotten’ was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014. Article 17, on the right to erasure, establishes that: “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”. The scope of the article gives European citizens the possibility to request the deletion of processed data when it is not necessary in relation to its purposes, or when consent has been withdrawn by the data subject. On the other hand, it constitutes an obligation for the data receiver to erase this data.

Meanwhile, alongside this new European legal context for data protection, automated systems are increasing their capacity to store data in every device and IT system. More and more, technology will continue to play a decisive role in saving and processing data. The blockchain is an example of a technological concept for recording information, operating mainly in the financial system as a fintech instrument.
It consists of operating a digital ledger, in which transactions are organised and added to the participants’ ledger. This system originated in the financial markets, specifically following the bitcoin structure, but has a certain autonomy from the cryptocurrency system, securing and processing blocks of data with the support of cryptography.

The first element to take into consideration in this relationship between law and technical enforceability is transparency. Blockchain technology has to be defined in order to understand its structure. Every blockchain user is assigned a public address that in no way identifies them. This information is completely open: data subjects can view these holdings and transactions at will. The roles of each participant also have to be defined, establishing which entity acts as controller and which as processor, or whether a joint controllership will be implemented. Related to this is consent management for blockchain users, where we need to understand whether it meets, above all, the information requirements set by Article 7(2) of the GDPR: “shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”. It must also give the data subject the chance to withdraw consent at any time.

An important element to highlight is the immutability of the information processed and stored in the system, achieved through cryptographic hashes, which keeps the data from being changed. Moreover, assuming that these blocks of information cannot be updated or deleted, this creates an uncommon system for data management, based on a scheme called CRAB, which stands for create, read, append, and burn. Append replaces the update operation: when a new block is added to the blockchain, the ‘world state’¹ is changed. So the terms and conditions of using this system require us never to put in it any data that needs to be subsequently modified or deleted.

Some positions hold that if this data is encrypted and the encryption key is not stored, this can be considered erasure, so personal data can be stored on a blockchain, following its structure, even though this is not a proper deletion of data. Other opinions hold that a good solution would be to store only encrypted, hashed personal data on the blockchain and, if a data erasure request is accepted, to reliably throw away the encryption keys so that the data becomes anonymous and unrecoverable. This is the nearest we can get to full deletion. According to this interpretation, these mechanisms ensure the security of the stored data, fulfilling a requirement of the GDPR. By way of comparison, it is like having a safe box with a valuable object inside: we do not open it and take out what is inside, we simply keep the safe box closed forever, without a clue about the code. It doesn’t destroy the information; it just destroys the access.

In conclusion, my final operational advice is not to insert personal data in these specific technological instruments.
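
The key-destruction approach discussed above, sketched as an added example that is not code from the article: personal data is appended to a hash-linked ledger only in encrypted form, and an erasure request "burns" the key while every block and hash stays in place. The `Ledger` class, its method names, the off-chain key store and the HMAC-SHA256 counter-mode cipher are assumptions made for illustration; the cipher stands in for a standard authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

GENESIS = "0" * 64

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Demo stand-in cipher (HMAC-SHA256 in counter mode); use an AEAD such as AES-GCM in practice.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _block_hash(prev: str, address: str, payload: str) -> str:
    return hashlib.sha256(f"{prev}|{address}|{payload}".encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []  # append-only chain: entries are never edited or removed
        self.keys = {}    # off-chain key store held by the controller (assumption)

    def append(self, address: str, personal_data: str) -> int:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        payload = (nonce + _xor_stream(key, nonce, personal_data.encode())).hex()
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "address": address, "payload": payload,
                            "hash": _block_hash(prev, address, payload)})
        self.keys[len(self.blocks) - 1] = key
        return len(self.blocks) - 1

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _block_hash(prev, b["address"], b["payload"]):
                return False
            prev = b["hash"]
        return True

    def read(self, index: int):
        key = self.keys.get(index)
        if key is None:
            return None  # key destroyed: the ciphertext is still on the chain, the plaintext is not
        raw = bytes.fromhex(self.blocks[index]["payload"])
        return _xor_stream(key, raw[:16], raw[16:]).decode()

    def erase(self, address: str) -> None:
        for i, b in enumerate(self.blocks):
            if b["address"] == address:
                self.keys.pop(i, None)  # "burn": every copy of the key (backups too) must go
```

After `erase`, `verify()` still succeeds and the block hashes are unchanged, which is the point of the safe-box comparison: the ciphertext remains on every replica, and only access to it is gone.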
