IYSC Forum

News:

Welcome to the International Youth Scientific Congress Forum

GDPR: A new challenge for Blockchain.

GDPR: A new challenge for Blockchain.
« on: 04 August , 2019, 16:16:30 pm »
Hi everyone!

In other posts you have already considered different problems related with Blockchain, specially talking about the energy waste this technology entails. However, there is also a huge legal problem when introducing blockchain into the European Union due to the GDPR (General Data Protection Regulation), the new data protection legislation that came into effect the 25th of May of 2018. This issue has already frightened to several authorities such as the CNIL (French National Commission on Informatics and Liberty), that has published recently an article about the incompatibilities with Blockchain and the new GDPR.

Moreover, the anonimity that Blockchain offers to the users has also made easier for illegal services to sell their services through cryptocurrency, ensuring that the customer and the supplier cannot be discovered. In fact, Bitcoin transactions in the Darknet have been doubled in just one year making cybercrime much easier than without Blockchain technologies.

Through this post I wanted to introduce you a new perspective of the disadvantages of Blockchain that are not limited just to technical problems but also social and legal issues. I would find really interesting if you investigate more about these topics and discuss how would you solve this problems. Can we actually solve them? Can this obstacles make us think if we should continue developing this sort of technology?

I would really like to know your opinion,
Javier Herrero, Veteran.


Re: GDPR: A new challenge for Blockchain.
« Reply #1 on: 25 August , 2019, 20:01:49 pm »
Hi everyone,

I am currently surprised that this topic or others have not being receiving too many answers or feedback for the last weeks I would just like to remind the fact that this forum does not aim to be a simple encyclopedia written by the ones with more knowledge for the ones with less to read silently, because if that was the case, the program will not exist. I encourage sincerely to keep posting and writing, because the real purpose is to help each other and contribute to the general knowledge about this topic. You do not really have to absolute experts about this topics (no one does really know more than the Internet  ;)), but rather be willing to share your opinions, discoveries, progress, etc.

In order to provide an example, you could start researching about this topic that my fellow veteran shared some weeks ago. The GDPR may not be a law (or set of laws) which is always on the news, in fact it is rather unknown despite its purpose of regulating such an important topic as the Internet privacy. And even though it might seem as something which affects us directly, we shall not forget that most countries participating in IYSC are part of European Union and are supposed to abide it. And even for those countries which are not part (for instance, most technology enterprises are located in America or Asia), they must respect this laws when trading with UE, so, they are indirectly affected too.

Taking into account that Blockchain technology is supposed to "eliminate intermediaries" and provide a new framework of privacy, to what extent do you think it might clash with any GDPR detail? Are there  really any legal dispositions which could threaten Blockchain functionality in Europe?

I will really like to hear your opinions.

Best regards,
José Javier

Re: GDPR: A new challenge for Blockchain.
« Reply #2 on: 30 August , 2019, 14:18:23 pm »
Good morning everyone,

Firstly, we should understand what the GDPR (General Data Protection Regulation) is. As Javier has already explained, it is basically a data legislation created by the European Union which aims to achieve privacy of personal information. This new legislation will radically transform the way digital companies work and manipulate their client’s data, after it was adopted in may 2018 the regulation has brought many questions related with the consequences that might cause to structures such as Blockchain or networks like Bitcoin.

So, what we are trying to answer is: ¿How will GDPR affect decentralized protocols such as public blockchains?
When thinking about blockchain, we can easily find that the fact that this system stores some potential personal data such as transaction records might clash with some GDPR statements.

For example, among many statements declared in the GDPR we could highlight the "right to erase", which is against the immutable property of Blockchain.
Here we have the statement which is mentioned in Article 17: "Grants EU citizens the right to be forgotten and to data erasure which requires companies to stop processing and delete personal data upon request"

We tend to think that GDPR is completely against Blockchain, however, this revolutionary technology shares many objectives with the new data legislation. Both of them try to decentralize any data control and temper inequality between centralized service providers and final users.

But nowadays Blockchain can't provide the anonymity that the GDPR is looking for, and this could bring serious problems to the system's development. ¿Can we find a solution?
Some organizations are trying to find the way to get that anonymity, and the combination between reliable hardware and blockchain might be a good option. Reliable hardware could protect data from external attacks and store it out of the chain, this way anonymity could be achieved.

The Imperial College of London and the Cornell University have started Teechain, a project that uses reliable hardware to enable safe and efficient shutdown of off-chain transactions for a public blockchain.
Another project has been started inside the Enterprise Ethereum Alliance (EEA) with the collaboration of iExec and Intel.

This might be the solution for the problems GDPR shows when talking about Blockchain and for some serious issues when talking about blockchain's anonymity. If Blockchain achieves this objective, then it will be a great ally for the General Data Protection Regulation. I will leave a link which contains an analysis about the challenges Blockchain will have to face for compliance with the GDPR.
https://medium.com/golden-data/blockchain-challenges-and-solutions-for-compliance-with-the-gdpr-c354987f8fae

I hope you find this information useful! If you have any doubt or you want to discuss anything just feel free to answer this message ;)

Best regards,
Manuel Cortés (Spain)

Re: GDPR: A new challenge for Blockchain.
« Reply #3 on: 30 August , 2019, 22:18:27 pm »
Hi everyone!

As we may know, GDPR (General Data Protection Regulation) are the new data protection laws in the EU. It is a legal framework in the EU concerning companies that process data. Data processors that handle the data of EU citizens must follow these laws and it does not matter where the organization or its servers are located.

GDPR has a lot of clauses, and most of them do not clash with the blockchain at all.

The GDPR said that users need to be informed about any data processing (Article 18). This applies for example when a company wants to email people. The problem is that, as most blockchains are open, anyone can see or even copy your personal data, this means that you have no control over who is processing your data.

 We have just seen one problem. However, in my opinion, the biggest problem starts with the clause known as The Right of erasure (Article 17). According to this part of the GDPR, a company must delete all information about a user on request.

As we known, one of the most important property of the blockchain is immutability, this means that information on the blockchain cannot be modified. Even if a government wants to delete some information, he cannot, as blockchain structure does not allow it. So, the right for erasure is incompatible with immutability.

How can we solve this?

The first thing you can think of is to change the GDPR as it was not designed to this case, we could add some specials clauses for blockchains.

The second options is to make immutable blockchains illegal, this may be impossible because of the high number of people who sustain them.

We can also try to encrypt personal data before storing it on a blockchain. Doing this, just one person can possess the key to decrypt the information, if the user wants to delete it, all we have to do is destroy the key and, in theory, the encrypted data become useless. Many people claim that strong encryption is still reversible, as our computer get faster over time, it is more likely than the encryption can be broken and reveal the personal data again.

As we have seen, there are a lot of problems when applying the GDPR to blockchains. This, may be caused beacouse the GDPR was designed before the blockchain boom and it was made for centralized organizations.

“GDPR compliance is not about the technology, is about how the technology is used” Blockchain Central

What do you think about this? If you know any other solutions make sure to leave them here.

I hope to read you soon!
David Corral Pazos

P.S.
In case you want to learn more about this topic, I leave here some websites that can be useful:
https://www.youtube.com/watch?v=wdhMW4yZ1SI
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data
https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf
https://dl.eusset.eu/handle/20.500.12015/3159
https://thenextweb.com/hardfork/2018/11/29/blockchain-gdpr-complicated/
https://thenextweb.com/syndication/2018/07/26/gdpr-blockchain-cryptocurrency/