GDPR and Blockchain, a match made in heaven?

“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.” With this famous paragraph, John Perry Barlow (R.I.P., Feb. 7, 2018) opens his renowned Declaration of the Independence of Cyberspace from 1996.

Barlow expected that the internet “would create a civilisation of the mind, more humane and fair than the world your governments have made before”. Little did he know.

The internet as we know it nowadays is not always as civilised as we’d want it to be. And that’s a huge understatement. Andrew Keen’s book The Internet Is Not the Answer joins a number of recent books by critics who are also trying to wake us from the nightmare into which we have been sleepwalking. Far from being the “answer” to society’s problems, Keen argues, the internet is at the root of many of them.

Multinationals like Google, Facebook, WhatsApp, telcos and even our own governments violate people’s rights on a massive scale. Personal data is being unlawfully collected and processed, misused, shared, sold, sent across country borders, profiled, and so on. The internet is clearly missing a secure layer in which people’s identities are safeguarded.

The upcoming General Data Protection Regulation (GDPR), the new European privacy law that will be enforced from May 25th, has Article 12 of the Universal Declaration of Human Rights as its first predecessor. It will enforce legislation that protects data subjects’ information in many more ways than before. It will also fundamentally change the way organisations process identity.

In comes the blockchain, trust and self-sovereign identity!

A blockchain is a distributed ledger. A distributed ledger can be described as a ledger of transactions or contracts maintained in decentralised form across different locations and people, eliminating the need for a central authority to guard against manipulation. All the information on it is securely and accurately stored using cryptography and can be accessed using keys and cryptographic signatures. Once information is stored, it becomes part of an immutable database governed by the rules of the network. While centralised ledgers are prone to cyber-attack, distributed ledgers are inherently harder to attack because all the distributed copies would need to be attacked simultaneously for an attack to succeed. Further, these records are resistant to malicious changes by a single party.

Now, weighing the first blockchain application, Bitcoin, on a privacy scale won’t make you happy. Its primary purpose was to act as a cryptocurrency. As first mover it has many flaws in its overall architecture. Crypto-forensics companies like Chainalysis have emerged and have a day job tracking and tracing BTC token flows, since everything is publicly visible on the chain. Pseudonymisation is the maximum privacy level on this disruptive blockchain. On top of that it is slow, does not scale, is expensive and pollutes the environment. Nevertheless, it kicked off the renaissance of money.

Blockchain 2.0
The second round of blockchain innovation came with coloured coins, smart tokens and smart contracts. Ethereum is the best-known blockchain in this league, followed by many others. Developers can now build programs (such as the Decentralised Autonomous Organisation, the DAO) and APIs on top of the blockchain protocol to facilitate, execute or enforce the performance of an agreement set in computer code. The smart contract code is immutable, meaning that once it is deployed it cannot be changed. This is good for trust, but not so good when the code has a bug!

Blockchain 3.0
But why do we even need a block? On the Bitcoin network, many transactions are mined into blocks and the transaction sequence is maintained by the hash each block carries of its predecessor. What if you combine blocks and transactions? Make every transaction directly involved in maintaining the sequence. Once the transaction is placed, you can skip the process of mining. This makes it blockless and more efficient. Enter the Directed Acyclic Graph (DAG). Well-known examples of DAG protocol chains are NXT, Hashgraph and IOTA, the last of which claims to be fast enough to support the Internet of Things. They all claim to provide global (and private) cloud solutions without servers.

Back to GDPR and Privacy!
The Data Protection Act gives rights to individuals in respect of the personal data that organisations hold about them. The Act says that:

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

This is the sixth data protection principle, and the rights of individuals that it refers to are:
1. a right of access to a copy of the information comprised in their personal data;
2. a right to object to processing that is likely to cause or is causing damage or distress;
3. a right to prevent processing for direct marketing;
4. a right to object to decisions being taken by automated means;
5. a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
6. a right to claim compensation for damages caused by a breach of the Act.

It is evident that your blockchain architecture needs to be able to execute the above rights without breaking the chain by breaching its immutability. Personal data is also not to leave the EU. That is a challenge with a public blockchain. This article describes the GDPR-Blockchain paradox and one workaround in a nice fashion.

To Summarize!
Blockchain developments are necessary for the people to take back their right to own their digital identity again. Blockchain initiatives can be a great answer to the mass profiling by multinationals and governments. As John Perry Barlow stated “You are not welcome among us. You have no sovereignty where we gather”.

When setting up your infrastructure, make sure your off-chain environment is GDPR compliant and decouple the personal data from the hashed data. As we see initiatives sprout up all over the world, we see that many questions still need to be answered. Decentralised and sovereign identity, however, is here to stay!
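As an added example (not code from the article or from any of the projects it names), here is a small Python simulation of the architecture suggested above and of the immutability described earlier: an append-only hash-chained ledger standing in for the public chain, an off-chain store that holds the personal data under a per-record secret key, and only opaque references plus keyed commitments written on-chain. It walks through the rights listed above (access, rectification, erasure) without ever rewriting a block, shows that editing a block breaks the chain, and shows why an unkeyed hash of an e-mail address is not anonymisation. The class and function names, the record fields and the sample subject are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

# Constructed simulation for illustration; not a client for any real chain.


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Ledger:
    """Minimal append-only ledger: each block carries the hash of its predecessor."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def append(self, payload: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "payload": payload}
        block_hash = hashlib.sha256(canonical(body)).hexdigest()
        self.blocks.append({**body, "hash": block_hash})
        return block_hash

    def verify(self) -> bool:
        """Recompute every link; an edited block breaks the chain from that point on."""
        prev = "0" * 64
        for block in self.blocks:
            body = {"prev": block["prev"], "payload": block["payload"]}
            if block["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def latest_commitment(self, ref: str) -> Optional[str]:
        """Most recent on-chain commitment for an opaque reference (None once erased)."""
        for block in reversed(self.blocks):
            if block["payload"].get("ref") == ref:
                return block["payload"].get("commitment")
        return None


class Registry:
    """Off-chain personal data store. The chain only ever sees an opaque reference
    and an HMAC-SHA256 commitment under a per-record secret key kept off-chain."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.offchain: Dict[str, dict] = {}  # ref -> {"key": bytes, "record": dict}

    @staticmethod
    def _commitment(key: bytes, record: dict) -> str:
        return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

    def create(self, record: dict) -> str:
        ref = secrets.token_hex(16)  # random reference: carries no personal data
        key = secrets.token_bytes(32)
        self.offchain[ref] = {"key": key, "record": record}
        self.ledger.append({"op": "create", "ref": ref, "commitment": self._commitment(key, record)})
        return ref

    def access(self, ref: str) -> Optional[dict]:
        """Right of access: a copy of what is held off-chain, or None after erasure."""
        entry = self.offchain.get(ref)
        return dict(entry["record"]) if entry else None

    def rectify(self, ref: str, record: dict) -> None:
        """Right to rectification: replace off-chain data and append a new commitment."""
        entry = self.offchain[ref]
        entry["record"] = record
        self.ledger.append({"op": "rectify", "ref": ref, "commitment": self._commitment(entry["key"], record)})

    def erase(self, ref: str) -> None:
        """Right to erasure: drop record and key. The old digests stay on-chain but
        without the key they can no longer be linked to, or checked against, anyone."""
        del self.offchain[ref]
        self.ledger.append({"op": "erase", "ref": ref, "commitment": None})

    def verify(self, ref: str) -> bool:
        """Does the off-chain record still match what the chain committed to?"""
        entry = self.offchain.get(ref)
        expected = self.ledger.latest_commitment(ref)
        if entry is None or expected is None:
            return False
        return hmac.compare_digest(self._commitment(entry["key"], entry["record"]), expected)


def unkeyed_hash(value: str) -> str:
    """The naive approach: a plain SHA-256 of the personal value itself."""
    return hashlib.sha256(value.encode()).hexdigest()


def plain_hash_guessable(digest: str, candidates: List[str]) -> bool:
    """An unkeyed hash of a low-entropy value (an e-mail address) is not anonymisation:
    whoever holds a list of candidate values can recompute and match it."""
    return any(unkeyed_hash(c) == digest for c in candidates)
```

The point of the keyed commitment is that erasure becomes a local, off-chain action: deleting the key and record satisfies the request while the public chain stays untouched and still verifies. The unkeyed variant is included to show what goes wrong when only the hashing step is done: the digest of an e-mail address is trivially re-identifiable and would itself count as personal data.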

Dimitri van Zantvliet Rozemeijer MBA CIPP/E CIPPM is founder of EU Privacy Protectors and a lifelong geek.