Balancing privacy concerns with opportunities offered by Blockchain Technology

15 January 2020   |  By Maria Teresa Zucchelli

ECLA’s Tech Insights 

Balancing privacy concerns with opportunities offered by Blockchain Technology

I would start asking if you know what Blockchain is. And several of you would answer…’Yes, I do. It is a technology’.

Not really.

Blockchain as of today is mostly a marketing tool. Everybody seems to be leveraging on blockchain popularity to attract interest on its own business; however, blockchain application is not always the most appropriate solution for every kind of business and every kind of problem.

It is fundamental to briefly explore the main features of blockchain in order to fully appreciate advantages it may bring. Let’s start from a consideration: blockchain is not one technology only but rather a group of technologies. However, all the blockchains are shared and synchronized digital databases maintained by a consensus algorithm and stored on multiple nodes.

A Blockchain is a chain made of blocks, where blocks are the data structure used to group transactions.  Each block is made of a header and a footer, and contains the previous block’s header ashed, so that it constitutes the link between the two blocks.

Each node of the chain stores the entire set of information of the chain – a node being a computer running a specific software which allows that computer to process and communicate pieces of information to other nodes. A node doesn’t need any peculiar technology; anyone can download from the web the necessary open source software. Not all the nodes can upload information on the chain (validating nodes) but all the nodes (participating nodes) can see the entire set of information stored on the chain. This is the reason why most of the information are stored on the chain not in plain text. The encryption techniques allow to prevent anybody but the owner of the decrypting key to understand the information on the chain.

Such technique can be either reversible or non-reversible. The first type (symmetric and asymmetric encryption) consent only to the person in possession of the key to decrypt data, while the second type (ashing techniques) is a mathematical function that generate a unique, fixed-length string of characters such that 1) if you change even one byte only of the underlying data, the ash will be dramatically different and 2) you cannot obtain the initial set of data by means of a reversal mathematical function.

 

Hereinbelow in brief the main features common to each type of blockchain, that may imply some tension with GDPR’s principles:

1. Append-only data structure: information can be only stored in blockchain, but not deleted (in ordinary circumstances) thus continuously increasing the amount of information on chain;
2. Tamper-evident nature: no change may be made to on chain information without having full evidence of such alteration by means of breaking the links between the nodes;
3. Resilience through replication: the entire content of the database is duplicated and stored on each single node of the chain;
4. Synchronization through a consensus protocol: a mechanism ensures that all the transactions occurring on the network are genuine, by allowing all participants to agree on the content recorded on the ledger.

The GDPR has been created with the objective to offer a better protection to the fundamental rights of individuals, thus realizing an evolution of the existing system, whereas Blockchain has the ambition to reshape social, economic and political structures, with an undoubtfully disruptive impact. It goes without saying that such different paces may generate conflicts. What’s more, applying a legal framework as GDPR, constructed for a centralized environment, to a decentralized framework is undeniably challenging.

Thus, hereinbelow I will analyze three major tension points:

1. The anonymization of Personal Data
2. The identification and obligations of data controllers
3. Compliance with GDPR’s principles and the exercise of certain data subjects’ rights

 

The anonymization of Personal Data

Pursuant to Art 4 (1) Personal Data is any information relating to an identified or identifiable natural person (‘Data subject’); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental  economic cultural or social identity of the natural person .

Pursuant to Recital 26 anonymization results from processing personal data in order to irreversibly prevent identification («anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”).

In the context of Blockchain public keys serve as a kind of identifier as per Recital 30 of GDPR. When data are encrypted they can still be accessed with the correct keys, meaning that identification is not irreversibly prevented but, given that the data subject can still be indirectly identified, they may rather fall under the definition of pseudonymized data.

In fact, Art. 4(5) of the GDPR defines pseudonymization as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.

Pseudonymized data remain Personal Data for the purposes of GDPR, as pseudonymization is not a method of anonymization – it only reduces linkability of a data set with the identity of a data subject, therefore being a security measure.  Recital 26 of GDPR adopts a risk – based approach to determine whether data are deemed pseudonymized and therefore qualified as personal. Where the risk is merely negligent data can be deemed anonymous even though identification cannot be excluded with absolute certainty.

The identification and obligations of data controllers

Pursuant to Art. 4(7) of the GDPR, the data controller is any natural or legal person or other body who, alone or with others, determines the purposes and the means of the processing of personal data.

In private/permissioned blockchains there is generally a legal entity that determines the means and quite often also the purposes of the personal data processing.

In public/permissionless blockchains instead it becomes necessary to determine controllership at an infrastructure level as there isn’t one entity that may determine both means and purposes:

• Software developers’ influence over the means of processing is limited and generally they have no influence on the purposes, therefore they cannot be deemed controllers.
• Miners (validating nodes that group transactions into new blocks and suggest them to the network in accordance with the consensus algorithm) exercise relevant control over the means in choosing which version of the protocol to run but do not determine the purposes so they are not to be deemed controllers as well.
• Participating and validating nodes are instead controllers as on saving or initiating a transaction they pursue their own purpose to participate in the network and are not subject to external instructions.

Art. 26 of GDPR defines Joint Controllers as two or more controllers determining the purposes and means of processing. Such joint controllers shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under GDPR, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Art. 13 and 14, by means of an arrangement between them. The essence of the arrangement shall be made available to the data subjects. Irrespective of the arrangement, the data subject may exercise his/her rights under the Regulation in respect of and against each of the controllers.

Anyone who chooses a particular technical infrastructure, such as DLT, to process data, can be deemed a joint controller of that system – even though he may have only limited control over the purposes and no meaningful control on the means of processing. But, is it reasonable to be attributed the role and responsibilities of a Controller without even having the power to actually control?

 

Compliance with GDPR’s principles and the exercise of certain data subjects’ rights

On one hand the principles of lawfulness, fairness and transparency are undoubtfully fostered by the usage of blockchain technologies, integrity and confidentiality are granted by increased security against unauthorized and unlawful processing, and accountability is fully achieved thanks to the resilience and tamper-evident nature of the system.

On the other hand, the following principles may suffer from blockchain application:

1. Purpose limitation (data should be collected for specific, explicit and legitimate purposes): the compatibility of reiterated processing of data added to blocks may be deemed compatible with GDPR’s principle only if a data subject may have reasonably expected such repeated processing.
2. Data Minimization: the ever growing and replicated nature of the database may conflict with the requirement for data to be adequate, relevant and limited to what is necessary for achieving the purpose of processing. Such conflict may be solved only (i) if the replicating nature of the database may be deemed included in the initial purpose of processing or (ii) by means of off-chain storage.
3. Storage limitation: the requirement not to keep data for longer than needed for the determined purpose may be in contrast with the impossibility to delete data stored on chain.
4. Accuracy: the possibility to update data stored on-chain is affected by the above-mentioned impossibility to change uploaded data without breaking the chain.

And the possibility of exercising certain rights granted to data subjects by GDPR may require further consideration:

1. Right to access: in order to allow data subject to fully exercise such right it is needed an adequate governance mechanism in place among nodes of the chain.
2. Right to rectification/Right to erasure/Right to restriction of processing/Right to object: deletion and modification are made purposefully burdensome in an append-only ledger, especially in public/permissionless blockchains where coordination among potentially thousands of nodes could be too difficult. However, the application of such principle shall be based on the available technology and the cost of implementation. Also, the destruction of the private keys or other means of anonymization can be used to make inaccessible the encrypted data, as well as off-chain storage of data.
3. Right not to be subject to a decision based only on automated processing: an exception is granted to such right with regards to the execution of a contract between Data Controller and Data Subject; it is therefore fundamental to have a proper identification of the two subjects.

 

Blockchain could be the technology enabling data sharing models and providing data subject with control over their data.

Data sharing would indeed be possible without the need of a central trusted intermediary. Data subject will be granted full transparency on who has accessed data, which data and for how long. What’s more the data subject may regulate through smart contract the automatic sharing of selected data with a specific set of people, that may be granted access to certain data only.  Data Subjects may be the only ones allowed to set off permissions to access personal data, therefore deciding who can access through a private key.  Also, application of blockchain technologies would provide guarantee that data are not altered by users or by anybody else.

It is obvious that blockchain and the GDPR were not designed to naturally get along, but they share a main goal: allowing individuals to have greater control over their data and to be able to share data only with trusted parties. Therefore, all that remains is to define how the GDPR objectives can be achieved in ways that are perhaps different from those envisaged by the experts who thought and drafted the regulation.

How? First, through the encryption of personal data and the subsequent elimination of corresponding decryption keys, therefore leaving only indecipherable data on chain or by using ‘off-chain’ models.

If today our personal data have become the currency of the digital economy and its efficient marketplaces, the use of blockchain may allow us to regain possession of what is ours. Today, each of us may be able to monitor his personal data: see which data are processed, for how long, who can access such data, how they are used, and verify that no one has altered the data.

 

Yet we can go further. Smart contracts can be used to automate mechanisms for the remuneration of data subjects, who, each time their data are transferred to third parties, may receive a cryptocurrency bonus as compensation for consent to their data being processed. And all without intermediaries to oversee the system.

At this point I know that I may have shocked those who see privacy as an inviolable right at risk of being vulgarized and transformed into a mere commodity. But we must face the reality – our data are analyzed, profiled and transferred without us even realizing it. Getting transparent information about our data circulation is exactly what regulation requires.

Transferring (at least partially) the economic benefits from entrepreneurial giants to data subjects is a duty.

 

Study on behalf of the European Parliamentary Research Service “Blockchain and General Data Protection Regulation”, July 2019

Michèle Finck – “Blockchain Regulation and Governance in Europe” – Cambridge University Press, December 2018

Luca Bolognini – “Artificial Insanity. Reflections on the resilience of human intelligence” – Rubettino, July 2018