In April 2016 the European Parliament passed the General Data Protection Act (GDPR). As part of the regulation, the "right to be forgotten" article stipulates that EU citizens have the right to request that companies (data controllers) erase their personal data when that data is considered inaccurate, inadequate, irrelevant or excessive. Data controllers have one month to erase the data and provide proof that it has been removed. Fines for each breach can be as much as €20 M or 4% of global revenue (whichever is higher). The regulation applies to companies in the EU as well as to organizations outside the EU that offer services to European citizens. This May, the regulation becomes enforceable.
Traditional applications store data in databases that they own or control. In those cases, deleting the data is a relatively clear-cut task. Many applications with globally distributed databases can already make allowances for GDPR there. But applications built on blockchains, or using blockchain databases as part of their stack, have unique considerations, since these technologies have two inherent properties that make compliance far more challenging: permanence and immutability.
Once a transaction occurs on a blockchain, it is there for the life of the blockchain. At the core of the technology is cryptography and the use of public and private keys. If the private key is lost or destroyed, the data is no longer accessible. In that case, if the person who is the subject of the data is the only one who has access to the private key, then that person has complete sovereignty over that data. But what if possession of the key changes, or the key has been shared? Key destruction alone does not seem to be nearly enough assurance.
Some efforts are being made toward addressing this. BCDiploma, which stores degrees using Ethereum, proposes a system called EvidenZ that uses a set of three keys which must all exist to read the data. If one of the keys is destroyed, the data is no longer accessible. BigchainDB is exploring functionality that puts time limits on access to data. Still, as with anything blockchain related, it is early, and we will surely see rapid, continued innovation in this space. Companies and organizations considering blockchain technologies as part of their stack should consider the GDPR implications carefully, not only because of the massive fines but also because data privacy is a fundamental human right.
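To make the mechanism in the two preceding paragraphs concrete, here is an added illustration of "crypto-shredding": personal data is written to an append-only, hash-chained ledger only as ciphertext, the data key is derived from three shares kept off-chain, and destroying any one share makes the record unreadable while the ledger itself stays unchanged and verifiable. This is example code written for this newsletter, not BCDiploma's EvidenZ or BigchainDB's implementation; the three-share construction, the `Ledger` and `KeyStore` classes, the HMAC-SHA256 counter-mode stand-in for a real cipher, and the "alice" record are all constructed for the demonstration.

```python
"""Crypto-shredding on an append-only ledger (constructed illustration, not EvidenZ)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real AEAD cipher such as AES-GCM so the example runs on the
    standard library alone; it is for illustration, not production use.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def combine_shares(shares: List[Optional[bytes]]) -> bytes:
    """Derive the data key from ALL shares; a single destroyed share makes it unrecoverable."""
    if any(s is None for s in shares):
        raise KeyError("a key share has been destroyed; the record is unrecoverable")
    return hashlib.sha256(b"".join(shares)).digest()


class Ledger:
    """Append-only, hash-chained log standing in for the blockchain. Entries are never edited."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, payload: dict) -> int:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "hash": digest})
        return len(self.entries) - 1

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["payload"], sort_keys=True)
            if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = e["hash"]
        return True


class KeyStore:
    """Off-chain, mutable store of key shares; erasure touches only this, never the ledger."""

    def __init__(self, n_shares: int = 3) -> None:
        self.n = n_shares
        self.shares: Dict[str, List[Optional[bytes]]] = {}

    def new_key(self, subject_id: str) -> None:
        self.shares[subject_id] = [secrets.token_bytes(32) for _ in range(self.n)]

    def data_key(self, subject_id: str) -> bytes:
        return combine_shares(self.shares[subject_id])

    def shred(self, subject_id: str, index: int) -> None:
        self.shares[subject_id][index] = None  # destroying one share is enough


def store_record(ledger: Ledger, ks: KeyStore, subject_id: str, record: dict) -> int:
    """Encrypt and authenticate a record under the subject's key, then append the ciphertext."""
    key = ks.data_key(subject_id)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, json.dumps(record).encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return ledger.append({"subject": subject_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag})


def read_record(ledger: Ledger, ks: KeyStore, index: int) -> dict:
    """Recover a record; raises KeyError once any share of the subject's key is gone."""
    p = ledger.entries[index]["payload"]
    key = ks.data_key(p["subject"])
    nonce, ct = bytes.fromhex(p["nonce"]), bytes.fromhex(p["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["tag"]):
        raise ValueError("authentication tag mismatch")
    return json.loads(_keystream_xor(key, nonce, ct))


def demo() -> dict:
    """Write one constructed record, shred one share, and report what is still possible."""
    ledger, ks = Ledger(), KeyStore(n_shares=3)
    ks.new_key("alice")
    idx = store_record(ledger, ks, "alice", {"name": "Alice Example", "degree": "MSc"})
    before = read_record(ledger, ks, idx)
    ks.shred("alice", 1)
    try:
        read_record(ledger, ks, idx)
        unreadable = False
    except KeyError:
        unreadable = True
    return {"before": before, "unreadable": unreadable,
            "ledger_intact": ledger.verify_chain(), "entries": len(ledger.entries)}
```

Running `demo()` shows the trade-off the text describes: after shredding, the ledger still holds exactly one entry and its hash chain still verifies, so nothing on-chain was deleted; only the off-chain key material changed. It also shows why a shared or copied key undermines the approach: anyone who retained a copy of all three shares before the shred could still derive the data key, which is the gap the paragraph above points at.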
~ ~ ~
Here are the links that inspired and informed this newsletter. We recommend them to you as interesting data points in your consideration of decentralized technologies, blockchain, and its impacts on society.