Ardi Kolah speaks Blockchain & GDPR

Blockchain technology provides a paradox. The technology can protect the integrity and security of data. However, the technology does not yet provide a way in which the rights and freedoms of an individual.


General Data Protection Regulation Effects on Blockchain Technology

The EU General Data Protection Regulation (GDPR) is meant to ensure individuals adhere to rules and regulations relating to data protection, privacy, and security. GDPR dictates the relationship model for Data Subject, Data Controller, and Data Processor. In its framework, GDPR sets out the rights, freedoms, duties and responsibilities of players in the industry. The regulation helps keep order and a healthy environment between Data Controllers and Data Processors to the benefit of the Data Subject.

GDPR requires Data Controllers and Data Processors to keep proper records and carry out data protection impact assessments (DPIAs) in instances where the data they hold involves high or very high risks. It also requires the appointment of Data Protection Officers (DPOs) whose mandate is to ensure there is no breach of the laws. Participants who fail to follow these requirements attract fines and sanctions under GDPR.

This calls into question its impact on emerging technologies such as Blockchain. Blockchain evangelists believe it is the best feature in the interest of data processing. However, Blockchain's nature defies a number of requirements rolled out in the EU GDPR. The technology is a distributed database hosted on several computers running at the same time.

Private & Public Data Chains

The Blockchain forms a decentralized network that is either public or private. Anyone can have a copy of the database in a public Blockchain. This means that no one individual controls or manages a public Blockchain network. GDPR applies a centralized model where specific entities are tasked with given responsibilities.

This is in sharp contrast to public blockchains, which have no defined designations for either Data Controllers or Processors. As a consequence, contrary to the requirements in GDPR, it is difficult to determine who holds the legal liabilities for any data processing activity done on the network.

Despite the ambiguity of Blockchain, it by its nature implements some of the regulations set out in the GDPR. Primarily, Blockchain thrives by ensuring the highest levels of data security and transparency. Blockchain technology guarantees privacy facilitated by its decentralized nature.

No single person has the power to manipulate data validated in a block, consequently making the Blockchain network attractive to many data processing organizations. It is important to note that the transparency of data on the blockchain makes it easy to access but takes away the need for express permission from the data owner for access.

According to GDPR, data subjects should not only permit the use of their data; the permission granted should also be based on information about how the data will be used.

These aspects of Blockchain technology conflict with the GDPR laws as a result of their basic makeup. It is significant to note that data stored on blocks within the Blockchain cannot be deleted. Every single block constitutes the formation of the next block. Should a block be deleted, the entire network is invalidated.

This comes into conflict with the right of erasure (right to be forgotten) as constituted in the GDPR. This technicality infringes on people's legal rights and freedoms in situations where personal data must be removed.
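Why a block cannot simply be removed or blanked to honour an erasure request, shown as an added example that is not part of the original article. It is a simplified hash chain, not any real blockchain's block format, and the records, field names and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder predecessor for the first block
# Constructed sample records; block 1 holds personal data.
RECORDS = ["tx: A pays B", "name=Jane Doe; email=jane@example.org",
           "tx: B pays C", "tx: C pays D"]


def block_hash(index, prev_hash, data):
    """SHA-256 over a canonical encoding of the block's fields."""
    fields = {"index": index, "prev": prev_hash, "data": data}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def build_chain(records):
    """Link each record to the hash of the block before it."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        digest = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain


def first_invalid(chain):
    """Position of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for pos, b in enumerate(chain):
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            return pos
        prev = b["hash"]
    return None


def erase_by_deletion(chain):
    """Drop block 1 entirely."""
    return chain[:1] + chain[2:]


def erase_by_redaction(chain, rehash=False):
    """Blank block 1's data in place; optionally recompute that block's own hash."""
    copy = [dict(b) for b in chain]
    copy[1]["data"] = "[erased]"
    if rehash:
        copy[1]["hash"] = block_hash(1, copy[1]["prev"], "[erased]")
    return copy
```

Deleting or blanking block 1 makes verification fail at position 1; recomputing that block's hash only moves the failure to position 2, so every later block would have to be rebuilt on every node's copy.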

Talking GDPR with Ardi Kolah

Ardi Kolah, an advocate for privacy in data processing, Executive Fellow at Henley Business School and writer of the GDPR Handbook, stated that:

"Blockchain technology provides a paradox. The technology can protect the integrity and security of data. However, the technology does not yet provide a way in which the rights and freedoms of an individual to correct and delete, temporarily suspend or temporarily transfer personal data."

Transactions done on the blockchain network have a global nature in that anyone across the world can participate in them. Traditionally, international data transfers are only allowed under certain conditions. This is envisaged in the GDPR, which sets out protocols on how data leaves the EU/EEA.

The general principle for data transfer is that no data can leave specified regions in the absence of given protection laws. Blockchain operations work against this. A blockchain hosts data on several computers (referred to as nodes) located in different parts of the world. This means nodes outside the EU are not subject to GDPR laws.

These areas of conflict between GDPR and Blockchain, if not reconciled, seem to suggest Blockchain cannot flourish in the EU as it is. Blockchain may have to make several adjustments to comply with the laws.