Last week we had the pleasure of talking to Dr. Markus Kaulartz, lawyer at CMS Germany, about the very hot topic of Blockchain & GDPR. We try to answer the question: how does GDPR, drafted for a world in which centralised and identifiable actors control personal data, sit within a decentralised world like blockchain? Markus is the co-author of “The tension between GDPR and the rise of blockchain technologies“.
Markus works in the IT law department of CMS Germany with a focus on innovative topics such as blockchain, AI and cyber security, and on the data protection issues that come with them. Before becoming a lawyer, Markus worked as a software developer.
What is Blockchain?
From a pure legal point of view there are two aspects:
- Blockchain is a distributed, synchronised database whose data cannot be deleted. This definition is controversial in some quarters, since strictly speaking a blockchain is not a database, but it is a useful simplification for a non-IT audience.
- Blockchain enables us to move digital assets. This matters because the receiver of a digital token, for example, always knows that the sender no longer owns it. In other words, the transfer of a token emulates the transfer of ownership of a real-world, offline asset. Paper share certificates, by comparison, rely on a bank as a central intermediary to establish who currently owns a share. In a blockchain world the bank can, in theory, be eliminated.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Union and the European Economic Area. It entered into force in May 2016 but has applied only since 25 May 2018. It replaced the former EU Data Protection Directive, with one big difference: as a regulation it applies directly in the member states, without having to be transposed into national law. The other big difference is the size of the fines. Under GDPR they go up to 20 million euros or 4% of a company’s worldwide annual turnover, whichever is higher.
Crucially, GDPR also applies to companies outside the EU that deal with the EU. For example, an Indian or American company that offers goods or services to individuals in the EU, or monitors their behaviour there, has to comply with GDPR. The test is where the data subject is located, not their citizenship.
Personal Data & Application of GDPR
GDPR only applies where personal data is being processed. Personal data is defined as any information relating, directly or indirectly, to a natural living person, whether the data identifies the person or makes him or her identifiable.
Article 4 of GDPR defines Personal Data – “as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The key point is that GDPR protects natural persons, not companies. Being identifiable does not require a name or address; a unique ID or even an IP address suffices. In a blockchain world a public key (or address) is therefore generally treated as personal data, because it can be linked to an identifiable person through their transactions or through the service they used to obtain it. Holding any such identifiable data point means that GDPR applies.
If GDPR applies an assessment needs to be carried out to identify which obligations are applicable:
- Inform data subjects about what is done with their data
- Maintain records of processing activities
- Implement appropriate technical and organisational measures
- Review in which country the data is stored (i.e. EU or non-EU)
- Establish a legal basis for the processing. In general, processing personal data is forbidden unless there is a legal basis, such as the data subject’s consent or the processing being necessary to comply with a legal obligation
Consent
Consent needs to be specific and informed. Obtaining informed consent on a public blockchain such as Bitcoin is very difficult, if not impossible, because it is very hard to say on which node, and in which country, the data is stored.
GDPR is easier to implement on a private blockchain than on a public one, because you can control the data flows.
CNIL, the French Data Protection Authority, has stated that although the public key on a public blockchain such as Bitcoin is personal data, GDPR does not apply to natural persons who use it for purely personal activity, for example buying and selling bitcoin on their own behalf. This is the household exemption (Article 2(2)(c) GDPR). It does not extend to businesses or to anyone processing the data in a professional capacity.
Controller and Processor
In a GDPR context we distinguish between a Data Controller and a Data Processor.
GDPR applies to data controllers and data processors whether or not they are established within the EU. Controllers and processors outside the EU have to comply with GDPR if they process personal data in connection with offering goods or services to data subjects in the EU, or with monitoring the behaviour of data subjects within the EU.
The controller determines the purposes and means of the processing. The processor processes personal data on behalf of the controller. A typical example of a processor is a hosting provider, which does not determine the purpose of the processing but only stores and processes the data on behalf of its customers (i.e. the controllers).
In a Bitcoin world the nodes are essentially processors that store the data. As users of the Bitcoin blockchain we would then need data processing agreements with the nodes, which is challenging because most nodes are anonymous. Another way to frame it is to treat the nodes as data controllers, which raises its own question of what happens when the data is transferred outside the EU.
Markus believes that these legal challenges can lead to the creation of a future EU public blockchain.
Suggestions for Public Blockchain builders
Markus highlights a set of solutions for blockchain builders on how to deal with GDPR:
- Store personal data off chain
- Identify the nodes outside of the EU and prepare legal agreements with each of them
- Set up a blockchain that only uses nodes within the EU
Private Blockchains
Private blockchains are much easier to bring into GDPR compliance than public ones. Markus proposes two solutions:
1. Deleting Decryption Key
Some companies have business models that require them to store personal data on-chain. Because blockchains are meant to be immutable (i.e. the data cannot be deleted), this conflicts with GDPR’s “right to be forgotten” (the right to erasure, Article 17). To overcome this, Markus recommends that personal data be written on-chain only in encrypted form, with the key held off-chain. If the data subject asks for erasure, deleting the decryption key for that data renders the on-chain ciphertext inaccessible. CNIL, the French Data Protection Authority, accepts key deletion as a way of getting close to the effect of erasure. Two practical caveats: every copy of the key, including backups and escrow copies, must be destroyed as well, and the ciphertext stays on-chain indefinitely, so the encryption has to remain strong for as long as the chain exists.
2. Lookup Tables
The alternative that Markus usually recommends is to store the personal data off-chain and link it to the blockchain via a lookup table.
In his document, “The tension between GDPR and the rise of blockchain technologies“, Markus provides a detailed example of how this could work in a GDPR compliant manner:
“Let’s say you have built a platform that allows people to rent out their cars to those in need of cars. In this case, the blockchain is used strictly as a payment channel and, after payment, a customer receives a unique car token with which to enter the car. For the platform to work, however, there has to be a link between the users’ identities and their public keys. The details of their identities and the links can be kept in an environment where they can be modified and deleted (off-chain). To be extra safe you may even want to oblige parties to create unique public keys using your platform for each relationship. If you destroy the link that has been used as an identifier, all that is left on that blockchain is a public key and its transaction history. The public key is just a string of characters that, in itself, may or may not amount to personal data. Following deletion of the link, whether the data qualifies as either personal or anonymous depends on what is left on that blockchain and the likelihood of link-ability. If all that is left is three simple transactions between two anonymous public keys, the ability to link that to an identifiable natural person may become practically impossible. Therefore, the data that was once considered personal in the GDPR sense, may have morphed into anonymous data.”
The lookup table is the link between the data off-chain and the identifier on-chain. The on-chain key is associated with a second key in the lookup table, and that second key refers to the data set stored off-chain. If someone requests erasure, you delete the off-chain data and the entry in the lookup table; the on-chain key then loses its association with the person, because the link has been destroyed. What remains on-chain is a pseudonymous identifier with no recoverable link to the data subject, which is the point at which, as the quote above explains, it may be treated as anonymous data. Two caveats: the lookup key must be a random value rather than a hash of the person’s name or e-mail address, since a hash of an enumerable identifier can be re-linked by trying candidate inputs, and the more transactions a single on-chain key carries, the easier it becomes to re-identify its holder from the transaction graph.
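To make the two private-blockchain patterns concrete, here is an added example of both crypto-shredding (solution 1 above) and the off-chain lookup table (solution 2). It is my own illustration, not code from Markus, CMS Germany or the podcast. It uses only the Python standard library: the Ledger class is a hash-chained list standing in for a blockchain, and the cipher is a stand-in keystream built from HMAC-SHA256 that should be replaced by a real AEAD such as AES-GCM in production. All class names, subject IDs and sample records are invented. In the lookup-table store every registration issues a fresh random pseudonym, which also demonstrates the per-relationship public keys suggested in the quoted passage.

```python
"""Added illustration (not from the podcast or CMS): two erasure patterns for
personal data next to an append-only ledger, standard library only."""
import hashlib
import hmac
import json
import os


class Ledger:
    """Hash-chained, append-only list standing in for a blockchain."""

    def __init__(self):
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.blocks.append({"prev": prev, "payload": payload, "hash": digest})
        return digest

    def verify(self):
        """True if no block was altered or removed: erasure must not touch the chain."""
        prev = "0" * 64
        for block in self.blocks:
            body = json.dumps(block["payload"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if block["prev"] != prev or block["hash"] != expected:
                return False
            prev = block["hash"]
        return True


# Stand-in authenticated cipher (HMAC-SHA256 keystream + HMAC tag) so the example
# runs without third-party packages. Use an AEAD such as AES-GCM for real data.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class ShreddableStore:
    """Pattern 1: ciphertext on-chain, one key per data subject held off-chain."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.keys = {}  # off-chain key vault: subject_id -> key

    def put(self, subject_id, record):
        key = self.keys.setdefault(subject_id, os.urandom(32))
        blob = encrypt(key, json.dumps(record).encode())
        return self.ledger.append({"kind": "enc", "data": blob.hex()})

    def get(self, subject_id, block_hash):
        block = next(b for b in self.ledger.blocks if b["hash"] == block_hash)
        return json.loads(decrypt(self.keys[subject_id], bytes.fromhex(block["payload"]["data"])))

    def shred(self, subject_id):
        # The ciphertext stays on-chain; without the key it is unreadable. Every
        # backup or escrow copy of the vault must be purged too, or this is not erasure.
        del self.keys[subject_id]


class PseudonymStore:
    """Pattern 2: only a random pseudonym goes on-chain; the link lives off-chain."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.lookup = {}    # off-chain: pseudonym -> subject_id
        self.offchain = {}  # off-chain: subject_id -> personal data

    def register(self, subject_id, record):
        # Fresh random value per relationship. Not hash(email): a hash of an
        # enumerable identifier can be re-linked by brute force.
        pseudonym = os.urandom(32).hex()
        self.lookup[pseudonym] = subject_id
        self.offchain[subject_id] = record
        return pseudonym

    def transact(self, pseudonym, amount):
        return self.ledger.append({"kind": "tx", "from": pseudonym, "amount": amount})

    def resolve(self, pseudonym):
        subject_id = self.lookup.get(pseudonym)
        return self.offchain.get(subject_id) if subject_id is not None else None

    def erase(self, subject_id):
        for pseudonym in [p for p, s in self.lookup.items() if s == subject_id]:
            del self.lookup[pseudonym]
        self.offchain.pop(subject_id, None)
```

In both patterns the ledger is never modified: `Ledger.verify()` still succeeds after `shred()` or `erase()`, which is exactly the property that makes them usable on an immutable chain. After `shred("alice")`, `get()` fails with a `KeyError` because the vault no longer holds the key, and anyone trying the stored ciphertext with another key gets an authentication failure rather than garbage; after `erase("bob")`, `resolve()` returns `None` while the transaction from Bob’s pseudonym remains on-chain.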
DPIA – Data Protection Impact Assessment
A DPIA is essentially a deep dive into a company’s data processing activities. If a company is required to perform one, it has to assess the entire process of how data is handled at a very detailed level. A DPIA is required where the processing is likely to result in a high risk to the rights and freedoms of natural persons. In the case of blockchain a DPIA is likely to be required for the following reasons:
- When new technology is being used with other data processing circumstances which can lead to a high risk for data subjects
- When data subjects are prevented from exercising their rights
How can data protection principles be fulfilled in blockchain?
The most important point is to apply the principle of privacy by design. That means that from the very first line of code a company has to apply appropriate technical and organisational measures to be GDPR compliant. For example:
- ensuring that personal data is correctly encrypted
- ensuring that data subjects can have their data deleted
- knowing where the data is stored, and whether that is inside or outside the EU
- confirming that there is an appropriate legal basis for the processing
If privacy by design is not applied from the beginning, the company runs the risk of having to significantly rework its software later to become GDPR compliant.
Your Turn
Markus has provided us with some great insights on the challenges of GDPR and Blockchain. If you liked this episode, please do review it on iTunes – your reviews make a huge difference. If you have any comments or suggestions on how we could improve, please don’t hesitate to add a comment below. If you’d like to ask Markus a question, feel free to add a comment below and we’ll get him over to our site to answer your questions.