
Blockchain and the GDPR


Anonim

When the mysterious Satoshi Nakamoto launched Bitcoin back in 2009, many of us were not aware of the revolution it could unleash in so many ways. The Bitcoin (BTC) cryptocurrency came with a very special travelling companion, so special that it sat at its very heart: blockchain.

What is blockchain?

Very roughly, we could define a blockchain as a database. Some define it as a ledger in which accounting entries are added one after another. But let's think of it as a database where we store information.

This database is somewhat unusual. The first implementation of blockchain technology was Bitcoin, in 2009. It is the first implementation of a public blockchain, in which anyone who downloads the software can participate and access to the information is not restricted in any way (for example, it can be consulted with tools such as a block explorer).

Apart from being public, another characteristic that makes this database so unique is that it is distributed. It is replicated across thousands of nodes throughout the world. These nodes are machines (computers and servers) that are responsible for writing to the blockchain and keeping it alive, keeping the data synchronized between all of them.

Thus, the first blockchain is a database that can be public and that is distributed. In addition to these features, blockchain keeps one last secret. It is a one-way database, that is, once the information is entered into the blockchain, it cannot be altered or deleted.

What types of blockchain networks are there?

Since blockchain is a decentralized database technology, it needs a network to function. This blockchain network is made up of nodes (computers and servers) that can be of two types:

  1. Validation nodes: They are the only nodes that can add data to the blockchain.
  2. Participating nodes: They are the ones that keep a synchronized copy of the blockchain data.

According to a recent report from the EU observatory for blockchain, there are three types of blockchain networks:

  1. Public and permissionless networks, where anyone can participate as a validation node or as a participating node. The only requirements to actively participate are to install the client software and download a copy of the blockchain. In this type of network, all the nodes can see the data stored in the blockchain.
  2. Public and permissioned networks, where anyone can participate and see the data stored in the blockchain, but only some actors can act as validation nodes and, therefore, add data to the blockchain.
  3. Private and permissioned networks, where the validation nodes must be authorized by whoever owns the network and where there are usually rules that define who is authorized to see the blockchain data.

Does blockchain technology comply with the GDPR?

Given the very nature of blockchain, the perception has arisen that it is totally incompatible with the GDPR. However, all technology is neutral in itself. It all depends on the use made of it. If the use of a technology violates the rules or causes harm, it does not mean that the technology itself is illegal, but that someone is using it to violate the rules. The same is true of blockchain. It is a very powerful technology that does not have to be considered incompatible with the GDPR. There are, indeed, obvious tensions between blockchain use cases and the GDPR, such as the difficulty of rectifying and deleting data that has previously been entered into a blockchain.

Blockchain technology is not in itself incompatible with the GDPR. Affirming something like this would be like saying that smartphones are incompatible with the GDPR or that the internet itself is. Blockchain is just an available technology that can be put to different uses. It is these uses that could be contrary to the GDPR. Below, we examine some of the difficulties that exist today in using blockchain technology while ensuring compliance with the GDPR.

“Tensions” with the GDPR and some solutions

However, the use of blockchain technology presents important challenges for the actors who decide to put it into practice, since there are still unresolved questions regarding its use. Here are some of the tensions and solutions that appear in the report of the EU observatory for blockchain:

Difficulty or impossibility of identifying the data controller: This difficulty is more or less pronounced depending on the type of network.

Public networks: In a public network such as Bitcoin, it is extremely difficult, if not impossible, to determine who is responsible for the data processing, since the network is fully distributed and there is no clear actor who directs it or takes decisions about it.

Private networks: In a private network it would be easier to define the controller or the group of data controllers. We could understand that, if the network is shared between different entities, they could be considered jointly responsible for the processing of the data.

Solution: Although there is no easy solution, the report advocates that entities that include personal data in a public network be held responsible for the processing. In private networks, it advocates that the parties that make up the private network define their position regarding the processing, suggesting the model of joint responsibility.

Difficulty in determining the legal basis:

Public networks: In this type of network, the only requirement to enter data on the blockchain is to download client software. Along with the difficulty or impossibility of determining the controller, there is the difficulty of determining the legal basis for the processing of the data. For example, to whom should the user give consent? Who would be in charge of requesting it, informing the user and storing it? What if we understand that the mere fact of using the technology amounts to giving consent? The GDPR stipulates that consent must be specific and expressed through a clear affirmative action.

On the other hand, we could understand that use of the technology could be covered by the necessity for the performance of a contract. However, we would be facing a contract without a counterparty and without clear terms and conditions.

Private networks: In private networks the problem could be solved by signing a contract between the parties, in such a way that all are identified and there are certain terms and conditions for the use of said network.

Solution: Avoid using a public blockchain to store personal data and only enter personal data on a private network if strictly necessary. All this until there are encryption technologies that allow you to save only the evidence of the existence of certain documents or events, without entering the data itself.

Difficulty in complying with the rectification and deletion rights: Due to the immutability of the blockchain itself, regardless of the network model, we are faced with a difficulty that is hard to overcome. The blockchain is not designed to be altered, since that is precisely the basis of the trust that users place in it.

Solution: Again, avoid entering personal data on a blockchain. It should be noted, however, that the report published by the French data protection agency (CNIL) said that the GDPR does not specify what should be understood by deletion of the data. This leaves open the possibility that the use of certain encryption techniques, along with the destruction of the decryption keys for the information (which would mean that nobody could access the data), could be considered a form of deletion. However, formulas are still being worked on to guarantee the rectification of the data.

Difficulty exercising the right of access: The right of access is defined as the right to obtain from the data controller confirmation of whether it is processing a data subject's data and, if so, to be told what data, for what purposes, whether they are communicated to third parties, etc. It is precisely the difficulty of determining a controller that makes it difficult to put this right into practice.
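The two ideas above (keeping only evidence of existence on the chain, and treating destruction of a key as a form of deletion) can be sketched together. This is an added example, not taken from the reports or from the original article; it uses a keyed hash (HMAC-SHA-256) in place of encryption, and `Ledger`, the `vault` dictionary and the sample record are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Append-only list standing in for the blockchain (constructed for this example)."""
    def __init__(self):
        self._entries = []
    def append(self, value: bytes) -> int:
        self._entries.append(value)
        return len(self._entries) - 1
    def get(self, index: int) -> bytes:
        return self._entries[index]

def anchor(ledger: Ledger, vault: dict, record: bytes) -> int:
    """Write only a keyed digest on-chain; record and key stay in the off-chain vault."""
    key = secrets.token_bytes(32)  # fresh random key per record
    index = ledger.append(hmac.new(key, record, hashlib.sha256).digest())
    vault[index] = (record, key)
    return index

def verify(ledger: Ledger, vault: dict, index: int, record: bytes) -> bool:
    """Prove the record existed when anchored; needs the key from the vault."""
    if index not in vault:
        return False  # key destroyed: the on-chain digest can no longer be opened
    _, key = vault[index]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    return hmac.compare_digest(expected, ledger.get(index))

def erase(vault: dict, index: int) -> None:
    """Off-chain deletion of record and key; the ledger entry itself is untouched."""
    vault.pop(index, None)

def linkable_by_guessing(ledger: Ledger, index: int, guesses) -> bool:
    """Can an outsider match the on-chain value by hashing candidate records?"""
    return any(hashlib.sha256(g).digest() == ledger.get(index) for g in guesses)

if __name__ == "__main__":
    chain, vault = Ledger(), {}
    record = b"ID 12345678Z"  # constructed sample, low entropy like real identifiers
    i = anchor(chain, vault, record)
    j = chain.append(hashlib.sha256(record).digest())  # naive unkeyed hash, for contrast
    print(verify(chain, vault, i, record))             # proof of existence
    print(linkable_by_guessing(chain, j, [record]))    # plain hash is guessable
    print(linkable_by_guessing(chain, i, [record]))    # keyed digest is not
    erase(vault, i)
    print(verify(chain, vault, i, record), len(chain.get(i)))
```

The contrast entry shows why the key matters: an unkeyed hash of a low-entropy identifier can be matched by anyone who enumerates candidate values, so it still points at the person.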

Solution: In this case, the solution is to designate a controller responsible for informing the user.

Automated decisions based on automated data processing: Another of the rights included in the GDPR is that data subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning them or similarly significantly affect them. The data subjects would thus have the right to the intervention of a human to verify the automated decision. Although still a minority use, the blockchain is also used to build “smart contracts”, contracts that are programmed into the blockchain itself so that they execute automatically when a given set of circumstances occurs.

Territoriality: Due to its decentralized nature, it can be very difficult to ensure that the information entered into a public blockchain is not hosted in territories that do not offer a level of protection equivalent to that of the European Union.

Solution: The use of a private network, whose servers are located in territories that guarantee an adequate level of protection.

Conclusions

Blockchain technology is undoubtedly a very powerful tool that is already contributing to changes in some business models. However, its true potential is yet to be exploited. The tensions between the use of this technology and the proper application of the GDPR are evident, and for now there is no solution to them. Until the legislator, the supervisory authorities and the European Data Protection Board decide on certain aspects of the use of this technology in relation to the GDPR, companies that decide to use it must act with extreme caution, always avoiding the inclusion of personal data on the blockchain.