It has been the subject of much discussion in recent days: the General Data Protection Regulation (GDPR). The EU’s General Data Protection Act, which officially came into force yesterday, states that under certain circumstances all users may request that their personal data be corrected or deleted. But what does this development mean for blockchain technology?
Impact of GDPR on the blockchain technology
A blockchain is, simply put, a constantly growing, common record of past activities, spread across many computers and characterized by a high degree of immutability. It is precisely the long-term storage of transaction information that makes this technology so important for companies all over the world. But the long-term and inviolable storage of data could be exactly the problem with the GDPR.
Looking at the processes and components of the blockchain, both encryption and hashing are fundamental. But what is hashing? In short, hashing is a one-way conversion of incoming data into an unreadable string: it takes a string of any length and produces an output of fixed length. In the context of cryptocurrencies, the transactions are taken as input and turned into a fixed-length string by an algorithm. Data becomes unreadable and can only be reset to its original value with a key. But behind these transactions still lies the personal data, which is a problem according to the GDPR…
“If you clean up a block of transactions, the trustworthiness of all subsequent blocks of transactions is not given.” – Andries Van Humbeeck
From a legal point of view, it is currently highly controversial whether a hash already counts as personal data or not. Especially when several hashes are considered together, a person may even become identifiable. To solve this problem, the blockchain would have to be editable, but then its integrity and tamper resistance would be lost. A dilemma, if you look at it that way.
The new regulation is relevant to three areas of the blockchain:
- Data stored on a blockchain is tamper-proof, making subsequent deletion impossible.
- Blockchains are distributed so that control over the data stored on them is given up.
- Smart contracts are automated and can therefore be challenged.
In summary, it can be said that the immutable character of blockchain networks could violate the GDPR. However, the technology can at the same time become a helper of the new data protection regulation. Here it depends on the correct implementation.
Possibilities for the blockchain
An article on t3n assumes that the GDPR could support the blockchain. Developers, companies and politicians must consciously orient themselves towards the blockchain and use it. So-called “root keys” could be created for each transaction, which ensure that the individual hashes can no longer be connected to each other. This ensures maximum security and data integrity. Each user receives such a key for each transaction, so the hashes cannot be associated with one another. Thus the basic idea of the GDPR is perfectly kept, because each blockchain user retains sovereignty over their own personal data.
Another solution would be to store the personal data outside the chain and refer to it with a hash. Together with other metadata such as rights management, the comparability of data sets can also be avoided.
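The following is an added example, not code from t3n or any blockchain project: it sketches the off-chain approach with a per-record key, so that erasing data off-chain leaves the chain verifiable while scrubbing a block on-chain breaks every later block. The class `OffChainStore`, the HMAC-based commitment and the sample records are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def block_hash(index, prev, commitment):
    return hashlib.sha256(json.dumps([index, prev, commitment]).encode()).hexdigest()

class OffChainStore:
    """Hypothetical mutable store: personal data stays here, only commitments go on-chain."""
    def __init__(self):
        self._rows = {}
    def put(self, data):
        key = secrets.token_bytes(32)  # fresh key per record: equal inputs give unlinkable commitments
        commitment = hmac.new(key, data, hashlib.sha256).hexdigest()
        self._rows[commitment] = (key, data)
        return commitment
    def erase(self, commitment):
        self._rows.pop(commitment, None)  # drop data AND key; guesses can no longer be confirmed
    def check(self, commitment):
        row = self._rows.get(commitment)
        if row is None:
            return None  # erased or never stored
        key, data = row
        return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), commitment)

def append(chain, commitment):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "commitment": commitment,
                  "hash": block_hash(len(chain), prev, commitment)})

def first_invalid(chain):  # index of the first block failing verification, or None
    prev = GENESIS
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev"] != prev or b["hash"] != block_hash(i, prev, b["commitment"]):
            return i
        prev = b["hash"]
    return None

def demo():
    store, chain = OffChainStore(), []
    rows = [b"alice@example.com pays 10", b"bob@example.com pays 5", b"alice@example.com pays 10"]  # constructed
    for r in rows:
        append(chain, store.put(r))
    store.erase(chain[0]["commitment"])      # erasure handled off-chain; chain untouched
    scrubbed = [dict(b) for b in chain]      # alternative: "clean up" block 0 on-chain
    scrubbed[0]["commitment"] = GENESIS
    scrubbed[0]["hash"] = block_hash(0, GENESIS, GENESIS)
    return {"unlinkable": chain[0]["commitment"] != chain[2]["commitment"],
            "after_erase": first_invalid(chain), "erased": store.check(chain[0]["commitment"]),
            "kept": store.check(chain[1]["commitment"]), "after_scrub": first_invalid(scrubbed)}
```

Whether the commitment left on the chain still counts as personal data is the legal question raised above; the code only shows the integrity side of the trade-off.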
What consequences the GDPR really has for the new technology will become clear in the future.
Further information on the Blockchain and the GDPR can be found here:
- GDPR: Motor or brake for the blockchain technology? (German)
- Will blockchain run afoul of GDPR? (Yes and no)
- Blockchain and GDPR (PDF)