Regulatory observation: the two core characteristics of the blockchain are difficult to coordinate with GDPR

Author | Paul Knight

Since the General Data Protection Regulation (GDPR) came into force in the European Union last May, the rules of the game regarding privacy and data usage have changed. This summer, the UK's information privacy agency, the Information Commissioner's Office, announced that it intends to fine British Airways and Marriott International £183 million and £99 million, respectively, on the grounds of improper management of public data.

However, although the legal standing of GDPR seems very high, especially considering that other parts of the world are drafting similar regulations, its applicability to an increasingly digital world, and even its rationality, is being challenged by the blockchain.

In their report on blockchain and GDPR, EU regulators pointed out that there are “multiple tension points” between the two. On the issue of blockchain, we face a considerable “lack of legal certainty”. One area of uncertainty is the definition of “personal data”. GDPR deals with people's online activities and personal information, but you may feel that the public keys and transaction records that underpin a blockchain network are a different kind of data.

Unable to change records

Once personal data is encrypted or hashed, the boundaries become blurred. Hashing is a data transformation that replaces a personal identifier with a unique, fixed-length code. However, if the hash can be traced back through a specific "hash function" to recover personal information, is this data still personal? Usually, the answer is yes, because the data is merely "pseudonymized" rather than completely "anonymized."

This issue is important because the two core functions of the blockchain seem to conflict with GDPR at a more fundamental level.

The first core function of the blockchain is the immutability of data records. Because of the way the blockchain ledger is designed, it is extremely difficult to change or delete data afterwards. While this guarantees the reliability of the records, it clearly conflicts with a key principle of GDPR, "storage limitation," and with the much-publicized "right to be forgotten."

The storage limitation principle of GDPR means that personal data must not be stored for longer than is necessary for the purpose for which it was collected. The right to be forgotten means that, in some cases, an individual may request the removal of previously published material relating to them.

The contradiction is obvious. One of the biggest selling points of blockchain technology is that records cannot be changed casually, except in the most exceptional cases. In this context, how can the blockchain be reconciled with a regulation that expects personal data to be deleted?

This problem is difficult to solve, but not impossible. A solution need not ensure the complete removal of personal data; it will work as long as it meets the requirements of the regulatory body. For example, one solution is to remove the elements that allow validation (such as the "key" of the hash function). A "key" is a code that is used when generating a hash in order to hide the original data. Although this solution does not necessarily remove all of the data on the blockchain, some EU data protection regulators believe that this is the “best thing to do” and that it constitutes effective erasure.
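The key-removal approach described above, together with the earlier point that a plain hash is only pseudonymized, as an added example that is not part of the original article. It assumes HMAC-SHA256 as the keyed hash; the `LEDGER` list, `KEY_STORE` dictionary, function names and identifiers are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: an append-only list for the immutable chain and an
# off-chain, deletable store that maps a ledger index to its secret key.
LEDGER = []
KEY_STORE = {}


def record_unkeyed(identifier):
    """Append a plain SHA-256 of the identifier (pseudonymized only)."""
    LEDGER.append(hashlib.sha256(identifier.encode()).hexdigest())
    return len(LEDGER) - 1


def record_keyed(identifier):
    """Append an HMAC-SHA256 of the identifier; the key never goes on-chain."""
    key = secrets.token_bytes(32)
    LEDGER.append(hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest())
    index = len(LEDGER) - 1
    KEY_STORE[index] = key
    return index


def reidentify(index, candidates):
    """Link an entry to a person using only public data: hash and compare."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode()).hexdigest() == LEDGER[index]:
            return candidate
    return None


def verify(index, identifier):
    """Link an entry to a person; only possible while the key still exists."""
    key = KEY_STORE.get(index)
    if key is None:
        return False
    tag = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, LEDGER[index])


def erase(index):
    """Handle an erasure request by destroying the key, not the ledger entry."""
    KEY_STORE.pop(index, None)
```

After `erase`, the ledger entry is still present and unchanged, but nothing that remains can tie it back to the identifier.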

Distributed ledger

The other benefit (and core function) of the blockchain is the "distributed" nature of its ledger. No individual or institution controls the final record of this ledger, and each participant in the blockchain network can usually hold an identical copy of the full ledger. However, while this ensures the credibility and reliability of information sharing, it complicates GDPR's classification of data “controllers”.

Under the framework of GDPR, the person (whether “legal or natural person”) who determines the purpose and means of processing personal data is a “controller”, who is responsible for ensuring that the data is managed in accordance with the data protection principles of GDPR. The blockchain distributes and democratizes every transaction, and in doing so it also distributes responsibility. Who should be responsible for data breaches and people’s lives? In the blockchain domain, it may not be possible to establish the causal chain behind any change in data ownership.

The problem does not end there. In classifying those who manage any set of data, GDPR distinguishes between data “controllers” and data “processors”, with the latter transferring and modifying data under the direction of the former. From a traditional perspective, this makes sense. Data processors have many responsibilities in data management, but the party ultimately responsible is the controller.

However, in the world of blockchains, the distributed nature of the ledger means that it is difficult to distinguish between “controllers” and “processors”. The French data regulator CNIL recently concluded that all blockchain participants will be designated as “controllers” that control the data generated by the blockchain as it processes transactions.

What is worrying is that this may create a situation in which ordinary participants are assigned responsibility for protecting data, yet are unable to let others enjoy the benefits of GDPR.

Clear position

As the EU continues to emphasize, the two central characteristics of the blockchain are difficult to coordinate with the GDPR. But as a principle-based regulation, GDPR was originally designed to remain technology-neutral and future-oriented. Therefore, the key to the problem is not the blockchain or the GDPR itself, but the lack of legal clarity on how the specific concepts under GDPR should be applied in the blockchain field.

Without a clear, well-defined regulatory framework, blockchain development may struggle to make progress. Therefore, the European Data Protection Board should collaborate with national regulators to introduce new blockchain regulations.

In addition, given that the “Artificial Intelligence Review Framework” project, which the UK Information Commissioner’s Office initiated for another high-profile technology (artificial intelligence), has ended, the Office may, alongside its concerns about “Brexit” matters, soon turn its attention to the blockchain.
