By Kate Goldfinch, Science Editor at The Fintech Times.
The Global Token Review asked blockchain providers how to make blockchain architecture more compliant with the new Data Protection Directive.
Joseph Thompson, CEO and Co-founder of AID:Tech, the company that revolutionises how governments, enterprises, and NGOs deliver digital entitlements:
GDPR has brought about consequences as to what data can be stored on the blockchain. This seemingly inherent conflict does not directly impact the potential of blockchain as a technology for addressing the current issues. This particular conflict can be resolved, and many are doing so, by keeping data, such as personally identifiable information, off the blockchain while storing associated transactional data on the blockchain.
Currently, we’re seeing centralised databases play this role, but in the future, a self-sovereign identity system where individuals hold, manage, and even monetise their data will be the key. This ensures that regulations to manage and protect sensitive information can be complied with while services can continue to leverage the strengths of blockchain.
Nicolas Gilot, Co-CEO of blockchain-powered gaming distribution platform Ultra:
At present, huge efforts are being made to make blockchain architecture more compliant with GDPR and to handle user data. This being said, the technology isn’t mature enough and hasn’t been tested on a wide enough scale.
Blockchain projects targeting mainstream markets that need to comply with regulations will either have to choose to work with untested technology, or work with either hybrid decentralised or centralised solutions temporarily until they feel comfortable enough to fully decentralise their service.
Real world businesses typically do not make every single piece of information about their companies publicly available, and do not disclose their numbers on a daily basis. Therefore, corporations will have to adapt and select the features of blockchain best suited to their needs and which they stand to benefit the most from.
Carlos Grenoir, CEO of Olyseum, a collaborative and specialised, blockchain-based, social network created by sport leaders for sport lovers:
Blockchain and the new Data Protection Directive are a double-edged sword. One of the main attractions of blockchain technology is its ability to facilitate greater data privacy and security. Similarly, the idea behind GDPR and PSD2 is to allow people more control over their own personal information. Unfortunately, that is where the similarities end and, for the most part, blockchain and the new Data Protection Directive do not go hand-in-hand.
GDPR allows people to exercise their ‘right to be forgotten’. This means they have the power to edit and delete information about themselves, which is at odds with a defining feature of blockchain where information stored on the blockchain is immutable and cannot be altered or deleted.
With this in mind, it is difficult to tell how this problem will be solved. We know GDPR has been in the pipeline since 2012, which indicates just how long it takes for policies like this to come into effect. However, it is only just the beginning for blockchain as its potential is extraordinary, and if the two are here to stay, we are going to have to come up with a solution to allow both to co-exist.
Gabriele Giancola, Co-founder and CEO of qiibee, the Swiss loyalty token protocol helping brands around the world run their loyalty programs on the blockchain:
The General Data Protection Regulation (GDPR) and the revised Payment Service Directive (PSD2) are, for the most part, incompatible with blockchain-powered startups and businesses. Both frameworks were developed to put control back into users’ hands and ensure we have more control over the storage and usage of our own personal data. However, the frameworks were conceptualised under the assumption that data would be stored with traditional centralised parties, a so-called cloud service model, which makes the implementation of the new standards unclear for blockchain processes.
There are some obvious conflicts given blockchain’s inherent tamper-proof features – it is what ensures the reliability of the information stored on the blockchain. With public blockchains, all the data is replicated and shared across the network and you cannot delete data off a blockchain once written. However, it should be noted that neither directive exactly defines what it means by the ‘right to erasure’, so there is still some room left for interpretation both from companies and regulators.
For all their contradictions, blockchain and the Data Protection Directive do share similar goals: both want us to be in charge of our own data. So how can we ensure they work side by side and not against each other? A solution lies in a “dual data handling architecture”, where sensitive data is stored off-chain but a reference to it goes into the blockchain. Thanks to smart contracts, we no longer have to rely on centralised service providers, so data rights could be exclusively managed by this combination. However, this too raises concerns: how easily can the data be accessed? How will the database protect itself from potential hack attacks?
First mooted in 2012, GDPR was clearly not designed with blockchain in mind, and while this poses a challenge for blockchain-powered projects, they must ensure they are complying with the law of the land.
Michael Borowiec, Communications Lead at Lisk, the decentralised blockchain application platform:
Europe’s new Data Protection Directive may have a considerable impact on blockchain projects focusing strictly on the transparency and immutability aspect of this technology in the region. There are, however, ways for the industry to remain true to the foundations of blockchain and comply with the regulation whilst simultaneously growing. One such solution could involve including links to external databases within blockchain transactions where private data could be stored separately.
Certain blockchain use cases depend on maintaining immutability and trustlessness, particularly in regards to the journey of a product through the supply chain. However, other aspects must also remain private, such as the financial details of contractors. A solution would be to link these details to a private database off-chain which would ensure compliance with the regulation whilst retaining the principal benefits of blockchain.
Manuel Martin, CEO and Co-founder of Orvium, the new open source decentralised platform that aims to revolutionise the academic publishing sector:
Blockchain technology is based on a distributed ledger system that is decentralised and immutable. It is intended to be a permanent, tamper-proof record that sits outside the control of a central governing authority; this is what makes it such an attractive and useful technology. The question here is not about blockchain’s compatibility with GDPR but more why it is that regulators always seem to be only just catching up with real-world technology.
While European policymakers were debating and finalising the regulatory terms of GDPR, blockchain wasn’t on most people’s radar. This is a clear example of regulation addressing a problem in the rear view mirror rather than looking at the road ahead.
Governments must work in collaboration with society, academia, and the private sector to co-develop policy with a process that is as dynamic as technology. Policymakers and the regulatory processes they use need to be reimagined to be as nimble as the technology they seek to regulate, in order to help create the future we all want to see.
GDPR’s ‘right to forget’ and blockchain’s native immutability directly contradict one another. As a result, new solutions are emerging to enable some compatibility without eroding the value of blockchain in the first place. Using standard database technologies held by corporates bound by GDPR, it is possible to design data control processes and checks so that customers can have comfort in the preservation of their ‘right to be forgotten’. Blockchain applications can choose to segregate and withhold personal information from appearing in the chain, but for most use cases this will require completely new supplementary processes and erode the benefits case for the application.
So we must look towards solutions that allow for on-chain transfer of cryptographically secure information that cannot be reverse-engineered. We have seen two approaches to this challenge used in the blockchain sector.
The first and most commonly used thus far is to leverage SHA-256 to create a one-way cryptographic hash message that is unique to the underlying data, but can never be decrypted. When the underlying data is transferred via traditional technologies like email, the same SHA-256 algorithm can be applied and if the same hash is generated, you can be certain that the underlying data is identical. If one letter changes, the hash is completely different. This approach leverages the existing GDPR controls established to eliminate the original data from the corporate’s systems.
The second and more secure and frictionless mechanism is to use location-agnostic, end-user controlled, information access management solutions. In short, this requires a call to be made back to the end-user to validate the entity trying to look at the data has current access rights. The access management system can revoke that right, and each request is logged. This privacy control stays with the asset as the asset moves between systems.
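The “dual data handling architecture” and the SHA-256 commitment approach described above, as an added Python example that is not code from any of the companies quoted here; the per-record random salt, the erase step, and the in-memory ledger and off-chain store are assumptions of this illustration:

```python
"""Illustrative off-chain / on-chain split for personal data (added example,
not code from any company quoted in the article).

The chain only ever sees a salted SHA-256 commitment to the record; the
record itself and its random salt live off-chain. Erasing the off-chain
copy (the GDPR 'right to erasure') leaves an on-chain value that can no
longer be recomputed or matched against the original data. The per-record
salt is an assumption added here: a plain SHA-256 of low-entropy data such
as an e-mail address could otherwise be matched by guessing inputs.
"""
import hashlib
import json
import secrets

# Constructed stand-ins for the two stores: an append-only "ledger" list and
# a mutable off-chain database keyed by record id.
ledger = []
off_chain = {}


def commitment(salt: bytes, record: dict) -> str:
    """SHA-256 over salt || canonical JSON of the record (hex digest)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


def store(record_id: str, record: dict) -> str:
    """Keep PII off-chain; write only the record id and its commitment on-chain."""
    salt = secrets.token_bytes(16)
    off_chain[record_id] = {"salt": salt, "record": record}
    digest = commitment(salt, record)
    ledger.append({"id": record_id, "sha256": digest})
    return digest


def verify(record_id: str, candidate: dict) -> bool:
    """Recompute the commitment for data received out-of-band (e.g. by e-mail)
    and compare it with the on-chain value. Fails closed once the record is erased."""
    entry = off_chain.get(record_id)
    if entry is None:
        return False
    expected = next(e["sha256"] for e in ledger if e["id"] == record_id)
    return secrets.compare_digest(commitment(entry["salt"], candidate), expected)


def erase(record_id: str) -> bool:
    """Honour an erasure request: delete the off-chain record and its salt.
    The ledger entry stays (immutability) but can no longer be linked to anyone."""
    return off_chain.pop(record_id, None) is not None
```

Once erase() has run, even the original data no longer verifies, because the salt needed to recompute the on-chain value is gone while the ledger entry itself is untouched.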