Distributed ledger technology in the light of GDPR compliance
Last week I met with the blockchain startup Lition, which promises to solve the blockchain vs. GDPR conflict on a technological layer. Why should you care about what they have to say?
- These folks cooperate with the largest German software company SAP
- They launched a consumer-ready decentralized energy market place
- They have recently discussed the STO regulations with the German government
Let’s just jump into the expert contribution of Lition’s CEO Richard Lohwasser about (A) the background of GDPR, (B) four existing compliance solutions to make blockchains GDPR compliant and a fifth solution proposed by Lition.
A. Background of GDPR
In May of 2018, near the peak of blockchain mania, the European Union (EU) rolled out the General Data Protection Regulation (GDPR) in an attempt to prevent the gross exploitation of data that had become commonplace by internet giants like Facebook, Google, and Amazon.
The GDPR protects individuals by laying down strict rules for data use and management by companies, including the “right to be forgotten” and requiring data to stay within the borders of its native country. The “right to be forgotten” forces companies to delete user data after an individual leaves the network.
Violating GDPR can lead to fines of up to 4 percent of a company’s global annual revenue, which can be hundreds of millions of dollars for large corporations.
The GDPR helps combat an incredibly pressing issue in our digital world. Companies have profited off of user data without curtail for far too long. Facebook has, at some point, conspired with nearly every tech company you can think of to circumvent its own privacy policies.
But the GDPR comes with a catch. The legislation is in direct conflict with another effort to empower users to take back control of their data: blockchain.
With the rampant abuse of user data in the last decade or so, the EU seems unlikely to back down and amend their legislation any time soon, but how can blockchain technology move forward and comply without destroying the systems that make it so useful in the first place?
B. Existing compliance solutions
Let’s take a look at several possible solutions…
This tactic keeps sensitive user data off the blockchain, allowing a continuous blockchain record and the ability for data to be deleted. Unfortunately, off-chain systems largely defeat the purpose of blockchain by storing data via traditional methods, meaning data is more vulnerable to hacks, edits and other trickery.
Deleting encrypted keys keeps sensitive data on the blockchain but throws away the ability to access the information. This method essentially deletes the data by rendering it inaccessible, but does not technically erase it. The GDPR explicitly calls for the deletion of data, and while the deletion is not clearly defined in the legislation, making something inaccessible and destroying it all together are not the same thing.
While there are a couple different ways to go about anonymizing data, most solutions involve the same version of our already defunct off-chain storage method. On-chain pointers connect mainchain information to sensitive off-chain information. Once the off-chain data is destroyed, the link is broken and the on-chain information is anonymous. However, this method still leaves data on the mainchain, and while tough, identifying information could still be obtained from the blockchain.
Another proposition is to completely overhaul the concept of blockchain and create centralized back end systems, that allow data to be anonymized without interrupting any chains. While this would allow GDPR and blockchain to peacefully coexist, you have basically gutted the fundamentals of blockchain by doing so. Centralized back-ends give data control back to companies and require users to once again trust companies with their information behind closed doors. That worked great the first time?
A better solution? Public-private deletable blockchain infrastructure.
Public-private deletable blockchain infrastructure could remedy blockchain and GDPRs incompatibility by preserving blockchain functionality while protecting user data in accordance with the GDPR.
Software giant SAP’s Chief Technology Officer, Dr. Juergen Mueller, has been advising Lition, a German tech startup, in the development of their blockchain platform with true deletability through the use of private side chains that stem from the mainchain. The team was presenting their MVP on February the 21st at the SAP Data Space in Berlin.
Lition’s network tracks metadata in the mainchain to ensure network functionality. This is where things like consensus are maintained, token balances are tracked, and transparency is provided. Smart contracts are executed on the main network, but invoke private permissioned sidechains where sensitive data is kept. These side chains can be deleted, destroying the information contained with in them, while preserving the block hashes to maintain network integrity.
The public private infrastructure is the first protocol that both allows true deletion of data and abides by the fundamentals of blockchain.
The GDPR and blockchain initiatives were both attempts to reclaim our information and put an end to the rampant abuse of data Silicon valley’s top dogs have orchestrated for too long. Although they emerged from different ends of the ideological spectrum, permanent deletion versus un-tamperable transparency, the end goal was mostly the same.
Through the use of public-private deletable platforms, we will be able to diversify our tool set for the fight to take back our digital identities. The GDPR doesn’t cripple blockchain, rather, it challenges it to innovate and incorporate all the best strategies to ensure our data is secure and protected.