Crynet.io (project manager), vtorov.tech (expert), ICO/STO/IEO, venture & marketing projects
The right to be forgotten, which is set out in the new General Data Protection Regulation (GDPR) of the European Union (EU), mainly in Article 17, and which already came into force on 28th May 2017, empowers any person to correct or even delete personal data and information that concerns him, and to stop it from being processed, if this personal data is no longer necessary for the purposes for which it was collected or if a person has not withdrawn his consent.
This right can conflict with blockchain, since one of its uses is the storage of documents and information, and its defining properties are strong immutability and inalterability.
So the main feature of this new technology can collide deeply with the fundamental principles of the right to be forgotten. It has to be taken into account that when data or information is registered on the blockchain it becomes unique, unrepeatable, and even indelible.
This quality of information entry and storage is the basis of the reliability of this technology since any attempt to change it completely or partially is simply impossible within the framework of cryptographic capabilities.
This unique feature is a problem and an advantage at the same time. On the one hand, it guarantees the security of the information and allows the system to defend itself against any illegal or duplicate transactions; on the other hand, it prevents the possibility of deleting it. In addition, the inability to correct false data can continuously cause harm to every user.
What happens if someone decides to use their right to be forgotten and delete or correct their personal information on a blockchain?
The answer is that it can be an almost impossible task. In existing systems on which the blockchain procedure is based, if the data is deleted there will be a record in the system that leads to a bifurcation of information: while there is no data in the new block, the previous data will continue to exist in the old block, which is exactly what a bifurcation of data and information into existing and non-existing looks like.
An alternative to data destruction, which as we have seen is really impossible, is removing the blockchain credentials and access so that the information and data it contains become inaccessible to anyone.
However, these blockchain credentials can be recovered by different methods, such as “brute force”.
The most realistic option, as recommended by IT professionals, is to create a new accounting system, an editable blockchain, that allows one or more designated administrators to rewrite or change data blocks if the right to be forgotten is claimed by any user.
What is emphasized is that lawmakers should interpret the possibilities of the right to be forgotten in view of certain technical restrictions and, at the same time, strike in legislation a balance between protecting the privacy of citizens and understanding the consequences of using blockchain and how it evolves.
In this sense, European Union regulation should limit the scope of the right to be forgotten in blockchain systems, accepting an indefinite locking of data as compliance rather than forcing it to be abolished.
However, Directive (EU) 2016/679 does not take these facts into account, which is a greater risk for the development of blockchain technology; put simply, this problem with the blockchain is out of its sight. The content of this directive is a threat to the blockchain, or rather a threat to its technical advantages.
Today, as the blockchain is being used in an ever-growing list of applications, European privacy laws are becoming more sophisticated and complex every day, based on a liberal legislative framework and traditions that prioritize unlimited human rights and the right to defend one’s own honor and dignity.
In this endeavor one can see an attempt by lawmakers to play catch-up with technological developments and, accordingly, to try to protect a person, or rather the EU citizen, from such modern technologies. The key attractions of blockchain are, for sure, permanency, sustainability, and transparency, as stored data is only added to and is very difficult to take away or delete.
However, since the new EU rules will essentially give individuals a right to no longer have their data processed (basically the right to be forgotten, as it is pointed out in the regulations), important difficulties and conflicts arise of which users and developers of blockchain should be aware.
We remind you that the blockchain itself records a series of transactions in blocks and can include data and information of any kind, including “personal data” as defined in the EU directives (i.e. data related to a living person) and in a number of national laws within the EU.
In fact, any record that can be stored electronically and recognized by a computer can be stored on a blockchain with the potential to be used by a wide range of users.
For example, it was recently reported that a number of EU national governments are exploring the possibility of using blockchain technology to store data about benefits claimants and applicants, such as by creating a special state register with the help of blockchain.
On a blockchain, data and information are only added to and are maintained by a peer network of nodes, in which each node has a copy of the blockchain and equal authority to add to it.
This is a main attraction of blockchain: once some data is embedded, it cannot be altered without the amendment being approved by other nodes in the network. Where personal data is concerned, however, this inability to remove data can lead to problems, particularly in light of the new laws coming down from EU legislation.
In particular, the new EU General Data Protection Regulation (GDPR) mentioned above, which was approved earlier in 2016 following over four years of negotiations and replaces a law which is more than 20 years old (Directive (EU) 95/46), introduces, amongst other things, a right to be forgotten.
Generally speaking, it means that if an individual no longer wishes for his data to be processed and there are no legitimate reasons for retaining it, this individual could ask the person controlling his data and information to erase it from the blockchain.
Since the General Data Protection Regulation (GDPR) will apply to all those processing data in the EU or those who process data relating to EU data subjects, it is easy to understand how this could extend to those within a peer network storing data, such that someone could now technically ask those within the network to erase data they hold in the system. So it is technically not realistic to fulfill such requirements for the right to be forgotten.
Since Directive (EU) 2016/679 is becoming law everywhere in the EU in the spring of 2018, including Great Britain, despite Brexit, all persons involved in blockchain operations to whom the General Data Protection Regulation (GDPR) applies have reason to address in good time certain tasks that could minimize the risks arising from the application of the right to be forgotten in the EU.
Conflict: technology against the law
Since blockchain can be used for a wide range of tasks, for example, from recording visits to health practitioners to ascertaining the owner of an asset, it is easy to imagine these moments when an individual may wish that data be no longer held about him in the way it was entered on the blockchain, or when an individual may request that data relating to him be deleted immediately.
Nevertheless, in order to delete all data and information, various nodes would have to work together to rebuild the blockchain from the point at which that data was added, which is futile. At the same time, there are some steps which can, and should, be considered to reduce the risk of a court order compelling data to be removed or, worse, nodes to be shut down because of a failure to recognize this right to be forgotten and satisfy claims made under it.
In particular, one should pay great attention to the quality and structure of information from the very beginning, when constructing the contents of the blockchain and the network that supports it, in order to reduce the risks. One of the key ways to minimize this risk is simply to use the blockchain to provide a timestamp for information stored elsewhere (for example, on a website); if the content then needs to be removed, realizing the right to be forgotten will be much less cumbersome and awkward.
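The timestamp-only approach described above, as an added example that is not part of the original article: a simplified Python hash chain (the `Ledger` and `OffChainStore` classes and the sample records are hypothetical) stores only a salted SHA-256 digest of each record, so erasing the off-chain record and its salt leaves the chain verifiable, whereas overwriting personal data written directly into a block breaks verification.

```python
import hashlib, json, os

GENESIS = "0" * 64

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def block_hash(block: dict) -> str:
    body = {k: block[k] for k in ("index", "prev", "payload")}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class Ledger:  # append-only hash chain standing in for the blockchain
    def __init__(self):
        self.blocks = []
    def append(self, payload: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev, "payload": payload}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block["index"]
    def verify(self) -> bool:
        prev = GENESIS
        for block in self.blocks:
            if block["prev"] != prev or block["hash"] != block_hash(block):
                return False
            prev = block["hash"]
        return True

class OffChainStore:  # editable store (e.g. a database) holding the personal data
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}
    def put(self, record: bytes) -> int:
        salt = os.urandom(32)  # random salt: digest cannot be guessed from the data
        index = self.ledger.append(sha256_hex(salt + record))
        self.records[index] = (salt, record)
        return index
    def proves(self, index: int) -> bool:
        entry = self.records.get(index)  # (salt, record), or None once erased
        on_chain = self.ledger.blocks[index]["payload"]
        return entry is not None and on_chain == sha256_hex(b"".join(entry))
    def erase(self, index: int) -> None:
        self.records.pop(index, None)  # salt and data are destroyed together

def demo():
    store = OffChainStore(Ledger())
    alice = store.put(b"name=Alice Example;claim=housing benefit")  # constructed
    bob = store.put(b"name=Bob Example;claim=none")                 # constructed
    store.erase(alice)  # erasure request handled entirely off-chain
    off_chain = (store.ledger.verify(), store.proves(alice), store.proves(bob))
    on_chain = Ledger()  # contrast: personal data written into the blocks
    on_chain.append("name=Alice Example")
    on_chain.append("name=Bob Example")
    on_chain.blocks[0]["payload"] = "[erased]"  # in-place deletion attempt
    return off_chain, on_chain.verify()
```

The random salt matters: an unsalted digest of low-entropy personal data can be matched by hashing candidate values, so the salt is erased together with the record.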
How the right to be forgotten will be treated in the context of blockchain technology, of course, remains to be seen. For example, could it be argued that there is a legitimate reason for retaining transaction blocks, and how would EU regulators and courts implement this right given the jurisdictional hurdles?
These are just a few key questions that arise when considering this problem. Nevertheless, for all users of the blockchain, the advice is that this change in the legal landscape requires careful planning and a review of their activities.
As I mentioned earlier, every day we hear about brand new software products appearing on blockchain technology. A cryptographically secure technology (secured by means of member consensus) is turning out to be the solution for many problems and is eliminating inefficiencies in the world around us.
This isn’t just about technological improvements or the reconstruction of business models: different blockchain use cases and examples will leave a permanent mark on the economy, society, and, perhaps, also on politics. Blockchains, especially public ones such as Bitcoin or Ethereum, break many paradigms, including legal ones.
Thus we are entering an interesting transition period in which successive applications of this technology will encounter legal norms that cannot always be adapted to the new reality. One of the most interesting and intriguing examples for analysis is the protection of personal data.
This is clearly understood from the problem under discussion. Legal regulations protecting personal data are of great importance in many areas where blockchain already exists: finance, healthcare, electronic identification systems, and so on.
Problems and advantages of blockchain
First of all, why are blockchain networks a challenge for the protection of personal data? There are three main possible reasons:
· Blockchain networks are decentralized and distributed. It is virtually impossible to identify the subject responsible for what is happening on the blockchain and for the processing of personal data.
· Blockchain networks are public and transparent. As a rule, all information on a blockchain, which may include personal data, is accessible to everyone.
· Blockchain is non-editable. It is impossible to change or delete information contained on a blockchain (personal data). Transactions are irreversible.
Why can blockchain be considered an opportunity to protect personal data at the same time? Strangely enough, the same problems turn out to be advantages.
Here, in this paradox, is the legislative complexity of regulating the blockchain technology:
· Blockchain networks are decentralized and distributed. Currently, various trusted third parties process our personal data. These entities are centralized and, therefore, often constitute single points of possible failure. Leaks of unimaginable amounts of data as a result of cybercrime often occur in the form of an attack on a single entity, such as a hospital, email service provider, and so on.
· Blockchains are public and transparent. We do not currently have any effective control over who processes our personal data and how. In fact, the data subject is in control of their personal data only to a restricted degree. Upon a transfer of that data, the subject loses control over how it is subsequently used.
· Blockchain networks are very safe. Through the use of cryptography (digital signatures, encryption, time-stamping) and systemically embedded economic incentives for network maintaining entities, blockchain provides a fairly secure way of storing and managing information, including personal data.
What kind of legislative problems does blockchain face today in the EU?
The legislation that most closely regulates the protection of personal data in the European Union is the General Data Protection Regulation (GDPR).
Although the GDPR is said to have been designed to be technologically neutral and adapted to processing personal data in different contexts, structures, and manners, in the case of blockchain technology, many questions are raised. The answers will be different for different types of blockchains, but here are some issues that need to be discussed:
· Who is the controller of personal data on blockchain networks?
The controller determines the purposes and means of the processing of personal data. Does such an entity exist at all in the context of a distributed net of blockchain?
We can potentially treat transaction-confirming miners as the controllers (in the case of the proof-of-work consensus), which in the case of large public blockchains will be unrealistic in practice.
· What kind of laws should be applied to blockchain technology?
In situations where it is not possible to identify the personal data processing entity and the place where the data is processed (there are probably as many of these entities and places as there are network nodes), it is difficult to determine the jurisdiction that will be appropriate for the legal assessment of data processing — in other words, the applicable national law.
· What is the personal data in the context of blockchain?
The understanding of personal data is becoming ever broader in modern life. So can we treat public keys as personal data? After all, they do not have the features of anonymous data and they are often associated with specific natural persons, although their characteristics are similar to pseudonymized data.
· Does the blockchain limit the purpose of collecting and processing data and its minimization?
According to the GDPR, the specific purposes for which personal data is processed should be specified, explicit, and legitimate (purpose limitation). The personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
These are just examples of principles set out by the GDPR. Meanwhile, in a public blockchain, data is maintained on every node of the network and is publicly accessible to anyone, regardless of the original purpose of their collection and processing, which clearly contradicts the concept of the GDPR.
· Are blockchains compatible with the personal data protection system by design and by default a priori?
· How to realize the right to be forgotten?
Blockchain networks are practically non-editable and data held therein is often impossible to update, delete, change, or correct.
· Who is liable for violations of the above requirements and obligations, since it is not possible to indicate the data controller?
What other threats to blockchain does the GDPR pose in addition to Article 17?
Right to Access
Article 15 of the GDPR stipulates that an individual has the right to understand who has access to their personal data, what data has been made available, and how that data is being used or processed. In addition, the individual must be able to obtain, on demand and at no charge, a copy of the digital information undergoing processing.
Right to Consent
While not new to GDPR, the regulation continues to stipulate, specifically in Article 7, that an individual must consent to data being used and, moreover, has the right to rescind that consent at any time.
Right to Portability
The right to portability outlines that an individual has the right to receive the personal data provided to a controller in a digital format and may transmit that data as desired. Effectively, an individual should be able to obtain, move, and provide access to their digital data as they see fit.
Right to Data Minimization
In Article 25 of the GDPR, the processor is mandated to ensure that “… only personal data that is necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility.” This means that only the minimum amount of personal data needed should be granted.
A look at blockchains through the prism of data protection laws — especially laws as ambitious as the GDPR — is an interesting exercise, since it is not just a question of concluding that the application of this technology will generate legal problems.
This is only one side of the problem. Blockchains may also become essential components of future institutions, systems and mechanisms developed to cope with data protection regulations. For maximum efficiency, blockchain elements will likely combine with traditional solutions.
The advantages of this technology can be used to build a truly effective framework for the protection of personal data, where the data subject will have the actual power to control how their data is used. Therefore, we face quite a challenge today.
We should interpret the laws, and design and build blockchain applications, in a manner that maximizes their synergy.
Otherwise, we will be stuck in a situation where the law will hold back the development of technology and innovation, while personal data will be protected less and less effectively. Together, the GDPR and blockchain advocates point to the same thing — the need to fundamentally change the way in which personal data is managed.