Some of the comments By interviewees in this article are so backwards it's comical:
> "From a practitioner's perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works," Steiner said. "The way [public decentralized network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it's out, it's out."
My answer to this is - don't put personal information in the blockchain then! What's the purpose of technology that doesn't serve human needs?
It's a bizarre worldview that positions technology as the master, not the servant of mankind.
> It's a bizarre worldview that positions technology as the master, not the servant of mankind.
Your comment is at odds with this statement. Blockchain and smart contracts appeal to those who want lines of code to have the final say in transactions. Most people want our institutions to make those decisions!
Current technology is great but still sometimes it fails. It's comforting to know that there's an actual human being that you can talk to and ask them to fix the mistake made by software.
That's what makes technologies like Blockchain at odds with human needs: unless you can formally prove that your software does not contain any bugs and therefore does not make mistakes there always has to be the room for manual intervention (like deleting personal data from blockchain).
If you put data that's considered personal into a public blockchain, or any decentralized system, who becomes the owner of that data? Was it the company/service that originally published it on the blockchain? or is every node required to treat it as their own GDPR-compliant data?
Not just a public blockchain, any blockchain. Say an employee leaves, they should have the right to have records removed. The internal Enterprise Blockchain doesn't allow that.
But because of hype, every big company has to have some sort of blockchain somewhere, for no good reason. The EU will get a lot of bad publicity while actually doing something very reasonable.
> because of hype, every big company has to have some sort of blockchain somewhere, for no good reason.
Fortunately that's not actually the case. Amusingly, it's nothing more than hype that every big company is actively using blockchain somewhere. Most of the Fortune 500 could care less from what I've seen of press releases and a couple hundred quarterly reports over the last two years. Blockchain is meaningless to their businesses for now because it's still not being used for anything of consequence to them. There are a few exceptions, most of which are in finance.
> Say an employee leaves, they should have the right to have records removed.
Not exactly. They have the right to be forgotten which is slightly different, and the company has certain rights to keep those records. Recital 65 is quite broad and allows a company to remember that it hired (or fired) someone because it may need this information to protect against legal claims, or to pay taxes correctly (i.e. another legal obligation). It would seem to permit private blockchains, and (at least in some cases) public blockchains.
Huh? If that was the case, it would go a bit too far, as it would make technologies like e-mail or git illegal to use internally, considering those are likely to have a real name of a person who sent an e-mail/committed.
Git history can be modified, as can email headers, but yeah - the law is more about e.g. disciplinary records, stuff stored on your section of the company file server, and other things which the company really has no legitimate use for once you’ve left.
In practice, the best solution to this is for companies to check over their data retention policies and making sure they’re not holding on to data for longer than they need to - which may involve creating processes to take information out of emails and put it somewhere more structured/permanent - rather than being blindsided with a request without the infrastructure to handle it. The best response, after all, is “we deleted/modified that data so as to comply with your request already”, rather than “we’ll be back to you once we’ve read through your 50,000 emails and decided which ones we need to keep”.
GDPR defines "data controllers" and "data processors," who both have obligations to the "data subject." Who qualifies as the "data controller" may be ambiguous in this situation, but it's a reasonable proposition that every node would be considered a "data processor" for that data.
There's a very naive assumption in the article that Blockchain being incompatible with GDPR issue can be resolved by altering GDPR.
I think it is impossible: GDPR is specifically designed to prevent sensitive personal information from leaking and information about one's financial transactions is one of the most sensitive pieces of information there is.
So, if GDPR versus Blockchain case ever reaches any EU court the only possible ruling is to outlaw the Blockchain technology (at least in it's current incarnation).
Laws are mutable, in general blockchains aren't. It is the case that the law can be modified.
> I think it is impossible
Unless they create an exemption for technologies which effectively partition transaction details from identity details. Or they could require the use of masking/ambiguation features like Ring signatures, mixer/tumblers, etc.
> Laws are mutable, in general blockchains aren't. It is the case that the law can be modified.
Or storing someone else's personal information on the blockchain opens you up to an effectively unlimited liability: Not smart.
It really depends on what is being stored. Is it that there is €30 in account 123 and €50 in account 234? It's unclear if this is personal information if someone can have multiple accounts and access them anonymously.
GDPR is not only conflicting with some Blockchain use cases but with old-fashioned ledgers and paper-based accounting as well because the same principles apply here, too (an entry cannot be deleted, its effect can merely be reversed).
If followed to the letter GDPR would've major repercussions on tax regulations because as a company you're legally bound to keep accounting records for at least 10 years whereas according to GDPR you're required to delete any record if asked by a person whose personal data appears in that record.
The solution in that case is that GDPR only applies if it doesn't contradict other, already existing laws.
So, where Blockchain applications facilitate legal requirements or don't manage personal data this should be perfectly fine but yes, other types of Blockchain applications are pretty much ruled out by GDPR.
> If followed to the letter GDPR would've major repercussions on tax regulations because as a company you're legally bound to keep accounting records for at least 10 years whereas according to GDPR you're required to delete any record if asked by a person whose personal data appears in that record.
False. You're allowed to retain the data where it is necessary to comply with other legal obligations, or to protect yourself legally (e.g. failure to pay invoices), among other reasons.
That‘s exactly what I said. For instance, you have to retain accounting records such as invoices even if the invoice recipient asks you to delete the personal data on that invoice.
Anything else would open up new avenues for tax fraud.
You are allowed to ignore (refuse) to delete personal data from the Invoice: You may need their name to file suit against them for refusing to pay the invoice.
Clickbaity headline. It's not the "blockchain technology" as a whole, but some specific use of it that can potentially violate the GDPR. You don't need a blockchain to violate the law: you can do it with paper or mysql or usb keys.
Bottom line is: don't put your customers' personal data onto anything that you don't control.
I don't think it's clickbaity. There is a legitimate conflict in goals between this legislation and the increasingly popular use of public blockchains to store personal data.
You don't need a public blockchain to violate the law, but it's hard to have a public blockchain without violating this law, if you use that blockchain to store personal data.
You encrypt all data stored on the blockchain. You have the private key to your encrypted personal data on the blockchain. You can share this key with private corporations who want to use your data. In order to invoke your "right to be forgotten", you just ask the 3rd party to delete any record of your private key. Now they can't access your data. Simple.
one drunken night you decide to put some random piece of private information on the bitcoin/etherum blockchain. can you invoke your "right to be forgotten"? if so, can you c&d every node in the EU to take down your info?
That would be completely your own fault. Drinking and banking is risky too, or drinking and driving. Make it a best practice to only interact with blockchain systems when sober. Not a very strange idea IMO.
Wouldn't it easy for a blockchain to just reference external data which then get deleted to comply with GDPR? I know, breaks some ideas about storing data in the chain, but if that's the compromise that works. In the end it will all be about the specific implementation of each blockchain, the idea of blockchains in general will never be endangered like u/mamon suggested.
Well, yeah, there is a rather straightforward solution - just don't store any personal information on a blockchain.
Is it practical? Sometimes yes. Some usecases won't be able to do that, and this is fine, they should just consider technologies other than a blockchain. Or if they really want to have blockchain, perhaps consider storing personal information in an external database with references to its fields on a blockchain. Possibly with a salted hash stored in a blockchain, so that it's possible to verify whether a value was changed. A matching checksum or an empty value (meaning a value removed due to GDPR requirements) would be fine.
Edit: A removed comment suggested storing an encryption key in a database to decrypt data on a blockchain. This is another way of looking at it - essentially keep two parts, one on a blockchain, another outside of blockchain - and you need both to decode the data while the part outside of blockchain could be removed.
Yes, I wish more people followed your advice... for anything, not just blockchain.
If you don't want your personal information leaked, never post it anywhere, blockchain or not.
Now, unfortunately, as you comment, this isn't necessarily always practical. So what do we do about that?
Well, ugh! This is why buzzwords of "blockchain" like this article is trying to cash in on, are annoying.
A blockchain does NOT have to be an immutable ledger, all a blockchain has to be is cryptographically signed/linked data. Sure, Bitcoin uses a blockchain that is computationally difficult to rewrite, and therefore for all practical purposes immutable, but it also isn't scalable for storing everybody's personal information.
Instead, you can store people's personal information in a blockchain, and since they are the cryptographic holders of that key, they can null out their data if they want!
This will actually make it easier to comply with the laws they reference, not harder, because people are self-sovereign over their own data and identity.
Definitely it was a good read, but let me just focus on the main point.
It is true that Blockchain technology has been thought as a replacement of a trusted third party like a notary or central register, but usually those are public registries: household ownerships, public offers... And those registries are usually exceptions or are treated in a different way (and usually they are explicitly regulated by each country). A few of them are even public, like the defaulters list in Spain.
Also, it is quite naive to think that an European citizen can erase "any personal data", that could be quite convenient to erase your fresh new mortgage or obligations. You are only allowed to ask for irrelevant information to be removed not for specific business related log even if they have your personal data in them.
Even in case of mortgages, you need to be prepared for requests. At least where I live, it's legally allowed to remove all information about a loan once you paid the entire cost of it.
I am not an expert on Spanish regulation, but I can tell you that sometimes the regulator oblige enterprises to store this records for long times (eventually it will expire).
Public records are store forever (unless broken)... =), at least, up to date.
The GDPR allows you to keep what you need. For a blockchain, verification is a need, provided that you need verification. You can easily argue that you need verification of the most recent 2, 4, 256, 131072 blocks. Some number. All of the blocks for which you have some vaguely reasonable business need to verify, rounded up a bit perhaps.
As for really old blocks, do you need those? Why? I realise you can't follow the blockchain all the way back and verify all the way back without them, but if you're a business (or any kind of organisation covered by the GDPR) why do you need to follow the blockchain all the way back?
1. Encrypt your personal data with a private key that you control.
2. Put encrypted personal data on a blockchain.
3. When a 3rd party wants to use your data, give them your private key. They can store this in their own database so that they can access your blockchain data whenever they wish.
4. To invoke your "right to be forgotten", simply ask the 3rd party to delete your private key.
This is cryptoshredding, more or less. There are a couple of wrinkles to your good idea.
* It potentially makes updates complicated.
* In the event of a key compromise, you're forever hosed.
* You probably shouldn't hand out your private key like that.
* They wouldn't need your private key to read the data you've described, requiring your public key instead.
* You have no ability to revoke someone's access - grant it once and it's eternal.
It's a good start! Cryptography is very powerful and can do a lot to solve this problem. Thank you so much for caring and putting forward an interesting idea.
How about if the owner of the blockchain (here I'm assuming, say, a land-ownership database run by the state) have a private key for each person in their own system which they use to put the relevant data into a blockchain. Then they delete the private key for that person to scramble entries that need deleting so no one can ever access it again. The person doesn't need to have or know their own private key since it's a backend for the municipal service.
Now why anyone would want to do this with a blockchain instead of a simple encrypted database... well, maybe someone else can explain that. I'm still assuming you visit deeds.mass.gov or something and have an interface you would use to find out who owns what, so the end user isn't actually touching the blockchain in this case.
As I understand PKI, and my understanding is limited so I could of course be very wrong, but in the scenario you describe the deletion of the private key would do nothing to prevent people from decrypting data readable with a public key.
This would work with a symmetric key! But as you say, I'm struggling to think of any real advantages to using a blockchain here.
Ok, what about this: Only you have your private key, which must be used to modify the data, everyone else is given a "view key", which is read-only. If at any point a view key is compromised, you can somehow revoke the view key using the private key. Would that not work?
The prevention of fraud countermands GDPR, so keeping the financial transactions of anonymous IDs in a public, reasonbly immutable format, is not going to be a problem, infact its going to be encouraged, because data portability is also another key feature of GDPR.
Storing people's personal pictures, well then yes, you have a problem. But then its a stupid place to keep private, non-public interest photos.
45 comments
[ 0.20 ms ] story [ 86.5 ms ] thread> "From a practitioner's perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works," Steiner said. "The way [public decentralized network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it's out, it's out."
My answer to this is - don't put personal information in the blockchain then! What's the purpose of technology that doesn't serve human needs?
It's a bizarre worldview that positions technology as the master, not the servant of mankind.
Your comment is at odds with this statement. Blockchain and smart contracts appeal to those who want lines of code to have the final say in transactions. Most people want our institutions to make those decisions!
That's what makes technologies like Blockchain at odds with human needs: unless you can formally prove that your software does not contain any bugs and therefore does not make mistakes there always has to be the room for manual intervention (like deleting personal data from blockchain).
Someone else may do that for you. Example: revenge porn. Here's a relevant experiment:
https://boobies.surge.sh/
But because of hype, every big company has to have some sort of blockchain somewhere, for no good reason. The EU will get a lot of bad publicity while actually doing something very reasonable.
Fortunately that's not actually the case. Amusingly, it's nothing more than hype that every big company is actively using blockchain somewhere. Most of the Fortune 500 could care less from what I've seen of press releases and a couple hundred quarterly reports over the last two years. Blockchain is meaningless to their businesses for now because it's still not being used for anything of consequence to them. There are a few exceptions, most of which are in finance.
Not exactly. They have the right to be forgotten which is slightly different, and the company has certain rights to keep those records. Recital 65 is quite broad and allows a company to remember that it hired (or fired) someone because it may need this information to protect against legal claims, or to pay taxes correctly (i.e. another legal obligation). It would seem to permit private blockchains, and (at least in some cases) public blockchains.
http://www.privacy-regulation.eu/en/recital-65-GDPR.htm
In practice, the best solution to this is for companies to check over their data retention policies and making sure they’re not holding on to data for longer than they need to - which may involve creating processes to take information out of emails and put it somewhere more structured/permanent - rather than being blindsided with a request without the infrastructure to handle it. The best response, after all, is “we deleted/modified that data so as to comply with your request already”, rather than “we’ll be back to you once we’ve read through your 50,000 emails and decided which ones we need to keep”.
I think it is impossible: GDPR is specifically designed to prevent sensitive personal information from leaking and information about one's financial transactions is one of the most sensitive pieces of information there is.
So, if GDPR versus Blockchain case ever reaches any EU court the only possible ruling is to outlaw the Blockchain technology (at least in it's current incarnation).
> I think it is impossible
Unless they create an exemption for technologies which effectively partition transaction details from identity details. Or they could require the use of masking/ambiguation features like Ring signatures, mixer/tumblers, etc.
Or storing someone else's personal information on the blockchain opens you up to an effectively unlimited liability: Not smart.
It really depends on what is being stored. Is it that there is €30 in account 123 and €50 in account 234? It's unclear if this is personal information if someone can have multiple accounts and access them anonymously.
If followed to the letter GDPR would've major repercussions on tax regulations because as a company you're legally bound to keep accounting records for at least 10 years whereas according to GDPR you're required to delete any record if asked by a person whose personal data appears in that record.
The solution in that case is that GDPR only applies if it doesn't contradict other, already existing laws.
So, where Blockchain applications facilitate legal requirements or don't manage personal data this should be perfectly fine but yes, other types of Blockchain applications are pretty much ruled out by GDPR.
http://www.privacy-regulation.eu/en/recital-65-GDPR.htm
False. You're allowed to retain the data where it is necessary to comply with other legal obligations, or to protect yourself legally (e.g. failure to pay invoices), among other reasons.
Anything else would open up new avenues for tax fraud.
Bottom line is: don't put your customers' personal data onto anything that you don't control.
Nothing to see here.
You don't need a public blockchain to violate the law, but it's hard to have a public blockchain without violating this law, if you use that blockchain to store personal data.
You encrypt all data stored on the blockchain. You have the private key to your encrypted personal data on the blockchain. You can share this key with private corporations who want to use your data. In order to invoke your "right to be forgotten", you just ask the 3rd party to delete any record of your private key. Now they can't access your data. Simple.
Is it practical? Sometimes yes. Some usecases won't be able to do that, and this is fine, they should just consider technologies other than a blockchain. Or if they really want to have blockchain, perhaps consider storing personal information in an external database with references to its fields on a blockchain. Possibly with a salted hash stored in a blockchain, so that it's possible to verify whether a value was changed. A matching checksum or an empty value (meaning a value removed due to GDPR requirements) would be fine.
Edit: A removed comment suggested storing an encryption key in a database to decrypt data on a blockchain. This is another way of looking at it - essentially keep two parts, one on a blockchain, another outside of blockchain - and you need both to decode the data while the part outside of blockchain could be removed.
If you don't want your personal information leaked, never post it anywhere, blockchain or not.
Now, unfortunately, as you comment, this isn't necessarily always practical. So what do we do about that?
Well, ugh! This is why buzzwords of "blockchain" like this article is trying to cash in on, are annoying.
A blockchain does NOT have to be an immutable ledger, all a blockchain has to be is cryptographically signed/linked data. Sure, Bitcoin uses a blockchain that is computationally difficult to rewrite, and therefore for all practical purposes immutable, but it also isn't scalable for storing everybody's personal information.
Instead, you can store people's personal information in a blockchain, and since they are the cryptographic holders of that key, they can null out their data if they want!
This will actually make it easier to comply with the laws they reference, not harder, because people are self-sovereign over their own data and identity.
In fact, we've already implemented a system like this, check it out at https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi... .
It is true that Blockchain technology has been thought as a replacement of a trusted third party like a notary or central register, but usually those are public registries: household ownerships, public offers... And those registries are usually exceptions or are treated in a different way (and usually they are explicitly regulated by each country). A few of them are even public, like the defaulters list in Spain.
Also, it is quite naive to think that an European citizen can erase "any personal data", that could be quite convenient to erase your fresh new mortgage or obligations. You are only allowed to ask for irrelevant information to be removed not for specific business related log even if they have your personal data in them.
But in some cases it could happen that this data has to be erased.
Public records are store forever (unless broken)... =), at least, up to date.
The GDPR allows you to keep what you need. For a blockchain, verification is a need, provided that you need verification. You can easily argue that you need verification of the most recent 2, 4, 256, 131072 blocks. Some number. All of the blocks for which you have some vaguely reasonable business need to verify, rounded up a bit perhaps.
As for really old blocks, do you need those? Why? I realise you can't follow the blockchain all the way back and verify all the way back without them, but if you're a business (or any kind of organisation covered by the GDPR) why do you need to follow the blockchain all the way back?
2. Put encrypted personal data on a blockchain.
3. When a 3rd party wants to use your data, give them your private key. They can store this in their own database so that they can access your blockchain data whenever they wish.
4. To invoke your "right to be forgotten", simply ask the 3rd party to delete your private key.
Am I missing something?
* It potentially makes updates complicated.
* In the event of a key compromise, you're forever hosed.
* You probably shouldn't hand out your private key like that.
* They wouldn't need your private key to read the data you've described, requiring your public key instead.
* You have no ability to revoke someone's access - grant it once and it's eternal.
It's a good start! Cryptography is very powerful and can do a lot to solve this problem. Thank you so much for caring and putting forward an interesting idea.
Now why anyone would want to do this with a blockchain instead of a simple encrypted database... well, maybe someone else can explain that. I'm still assuming you visit deeds.mass.gov or something and have an interface you would use to find out who owns what, so the end user isn't actually touching the blockchain in this case.
This would work with a symmetric key! But as you say, I'm struggling to think of any real advantages to using a blockchain here.
Ok, what about this: Only you have your private key, which must be used to modify the data, everyone else is given a "view key", which is read-only. If at any point a view key is compromised, you can somehow revoke the view key using the private key. Would that not work?
It sounds a lot like you're trying to re-invent PKI and mutable data stores. Are you sure that isn't what you want here?
The prevention of fraud countermands GDPR, so keeping the financial transactions of anonymous IDs in a public, reasonbly immutable format, is not going to be a problem, infact its going to be encouraged, because data portability is also another key feature of GDPR.
Storing people's personal pictures, well then yes, you have a problem. But then its a stupid place to keep private, non-public interest photos.