How to overcome the challenges EU-GDPR legislation puts up for the blockchain technology?
It has now been one year since the European Union General Data Protection Regulation (hereafter GDPR) came into effect. This regulation aims to strengthen privacy and personal data protection in the EU countries by giving private persons more control over their data. At first view, some GDPR provisions seem in direct conflict with the fundamentals of blockchain technology, and may even be intrinsically incompatible with what the new GDPR rules seek to uphold. For blockchain the most controversial GDPR mandate is the “right to be forgotten” by article 17, giving individuals the right to request that their data be removed from a record. Because of its decentralized character with immutable blockchains, data, however, cannot be deleted (in general). Blockchains are designed to last forever. That puts blockchain in direct opposition to the EU-GDPR, at first glance.
The new European data protection law raises several questions and in particular the compatibility of the GDPR and the essential feature of blockchain, which practically forgets nothing. The possible compatibility concerns both the legal issues and technical challenges.
Legal and/or dogmatic approaches:
The “data subjects” have a right to obtain from the controller confirmation as to whether or not their data is being processed, including the information on recipients to whom the personal data have been or will be disclosed. They also have the right to ask the data controller to correct his or her personal information in case it is inaccurate (the „right to rectification“).
In this respect, there is first a legitimate question about the legal approaches that allow the co-existence of the GDPR and the blockchain.
Article 23 para. 1 GDPR in conjunction with Recital No. 73 – Restriction of the right to be forgotten
According to article 23 para. 1 GDPR the right in article 17 para. 1 may be restricted by way of a legislative measure the scope of the obligations when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard.
Thus, a theoretical approach is advocated in the literature, which refers to a legal analysis of the expression of the right to be forgotten and the possibility of resetting the right to erasure by resorting to protection objectives in Art. 23 para. 1 GDPR (Martini/Weinzierl: Die Blockchain-Technologie und das Recht auf Vergessenwerden, in: NVwZ 2017, 1251 (1255 f.)). The GDPR already allows Member States de lege lata to repeal the right to erasure by resorting to the protection objectives set out in article 23 para. 1. Article 23 para. 1 (e) in conjunction with the recital No. 73 of the GDPR confers on the Member States, in particular, the right to allow derogations from the rights of the interested parties for “keeping public registers for reasons of general public interest”. This opening clause can be used for many state blockchain applications. In comparison to classic server solutions, a blockchain opens up a significantly higher potential for preventing manipulation of the data structure. Insofar as the benefits so obtainable outweigh the personal interests involved, this may justify a restriction of the right of cancellation by the Member States. As a minus to the complete waiver of deletion is next to a blocking of the data into consideration. Although the GDPR already standardizes such a right to restriction of processing in Art. 18. In very few cases, article 18 para. 1 (c) GDPR can help: insofar as the personal data stored in a blockchain are no longer for processing, but only for the establishment, exercise or defense of legal claims of the person concerned are required, the GDPR gives the normative way of blocking. Besides, the Member States have a minimal right of restriction in article 23 para. 1.
Modification of the right to erasure to the right to pseudonymization
This approach is logically due to the possibility of restricting the right to erasure and merely represents the variation of the restriction to the right to erasure (Scholtka/Kneuper: Lokale Energiemärkte auf Basis der Blockchain-Technologie, in: IR 2019, 17 (20)).
Article 4 in conjunction with Recital No. 26
Due to the very young age of the GDPR, there is currently no court case law for this topic. Another legal approach is based on the decision of the Austrian Data Protection Authority (GZ: DSB-D123.270 / 0009-DSB / 2018; 5.12.2018), but in non-blockchain case. It refers primarily to the situation of the practical impossibility of access to the data and can therefore insofar be compared with § 275 para. 1 2nd case German Civil Code (in German: BGB). However, the argumentation line is not entirely convincing. The decision was made in a non-blockchain case, so the transfer of the argumentation line of reasoning to blockchain matters should be restrictive. The main difficulty of this approach is the dependence of the application of article 4 in conjunction with recital 26 on the exact technical situation. There are situations where there is a purely theoretical possibility of deriving personal information from some data in the blockchain. However, with all the resources available, this is not possible. The application of recital 26 as an interpretative aid is not convincing in such cases. It is not the purpose of the GDPR to create other grounds for exclusion in recital 26, which are not mentioned in article 2 para. 1. The GDPR does not know the threshold, whether the technical possibilities exist purely theoretically. Even the theoretical option of removing personal data opens up the material scope of the GDPR by articles 2, 4, and recital 26. In a situation where it is practically possible but complicated to derive some personal information from data in a blockchain, there is legal uncertainty. When considering how difficult it is to derive personal data, there is a particular need for regulation solely for the blockchain-based cases. The issue of importance should be located within the scope of application of GDPR. Here, too, the room for legal uncertainty remains, as there remains a dependency on the correct interpretation of recital 26 by the legal users concerned.
The possible compatibility of the technology with applicable European law poses several technical challenges.
Fork describes a process in which two miners create a block almost simultaneously and send it to the network, causing two different chains to exist in parts of the system for a short time (full systematic explanation by Bechtolf/Vogt: Datenschutz in der Blockchain – Eine Frage der Technik, in: ZD 2018, 66 (70)). In regular operation, one of the two chains gets lost due to the propagation speed and the principle of the longest chain, and the other one becomes invalid. Ultimately, a fork is thus a division of the blockchain. In addition to the accidental emergence of a fork, this can also be explicitly triggered. For this purpose, a new program version is provided by the programmers of the software on which the blockchain is running, which alters the validation process of the blocks. In simple terms, new rules are defined for the validation of blocks. With the old version of the program, these new rules are incompatible, which means that nodes with the older software will invalidate the blocks of the latest software and discard them. The result is the division of the blockchain. Due to the consensus principle of the blockchain and its decentralized structure, such a fork cannot be imposed on the participants of the network by the software programmers, but that each node and each miner can decide for themselves if he installs the new software version or not. For this reason, forks are an excellent challenge for the networks and always involve the risk that in the long run, not a program version prevails, which would lead to a final dichotomy and thus devaluation of the values stored in the blockchain.
Hacking “51% attack”
Another option for the technical approach is the hacking “51% Attack” (full systematic explanation by Bechtolf/Vogt: Datenschutz in der Blockchain – Eine Frage der Technik, in: ZD 2018, 66 (70)). It is an enemy attack on the blockchain, which is made possible by controlling more than half of the network’s mining power. A successful “51% attack” with back-calculated blocks would not lead to a permanent deletion or modification of data once stored in the blockchain.
The development of a subsequently changeable blockchain database
Only an administrator with the right to make changes in the blockchain can achieve the subsequent editability of data entries while maintaining authenticity. The essential advantage of a database based on the blockchain – decentralization, and protection against manipulation – would be lost.
This would allow so-called “root keys” to be created for each transaction, which would ensure that the individual hashs could no longer be linked to each other. It provides the highest level of security and data integrity. Each user thus receives such a key for each transaction, and the hashs cannot be linked. Therefore, the basic idea of the GDPR is correctly adhered to, because the sovereignty over one´s data is held by each blockchain user himself.
Conceptual (mixed) approach
Advanced new blockchain prototype: as it is currently technically impossible to modify data in blocks, the question arises as to whether the structurally new blockchain models cannot solve this problem. The conceptual approach is based on a blockchain prototype, which was presented and patented by the consulting firm Accenture. Under certain circumstances, this prototype enables the subsequent modification of the data in a blockchain. However, this model is based on the model of a permitted blockchain. Thus, in advance, individual administrators should be able to make changes according to agreed rules without breaking or sharing the chain. Modified blocks should have an unchangeable digital “scar” to indicate the change. Blockchain purists reject such changes, saying that in this way one would create nothing but a particularly expensive and inefficient standard database. Despite the blockchain purists´ criticisms, the authors believe that it will be necessary to push ahead with the development of these new models to meet the regulatory requirements (and not just privacy).
Conclusion and outlook
In addition to the problems that blockchain technology creates for privacy law, there is an unimagined potential for its implementation of the privacy protection principle of privacy by design. This principle is now explicitly set out in article 25 GDPR. It standardizes that the person responsible takes appropriate technical and organizational measures to effectively implement data protection principles – such as data minimization – to comply with the requirements of the GDPR and to protect the rights of data subjects.
The first approaches in science show the variety of possible issues that will occupy both law and computer science and technology in the coming years. It is probably only through the decisions of the courts that the first interpretative approaches are developed, which are then applied with the same standards. In line with the current state of jurisprudence and technical literature, the method of resetting the right to erasure, despite the different possibilities of design in the signatory states, is legally founded, especially as the legislature itself creates it.
Regulators should not wait too long in giving clarity on their future approach of blockchain. Long-lasting legal uncertainties around GDPR could signal an early end to blockchain progress. A practical instead of a systematic approach by GDPR is thereby recommended. For blockchain to be able to become compliant, the GDPR should change some of its conceptions, taking account of the specifics of blockchain technology.