GDPR and the blockchain in practice
Implementation of the GDPR in blockchain applications
Data protection is rightly on the agenda of blockchain conferences and companies planning blockchain projects. GDPR and blockchain should not be understood as a contradiction. The blockchain can even help to put data protection into practice.
Blockchain applications may pose data protection challenges, but they can be solved with a little planning.
One should not look for problems that can be solved with a technology, but one should use the appropriate technology for existing challenges. This is especially true for blockchain, as even blockchain experts and supporters confirm at blockchain conferences such as the Crypto Rockstars in Cologne.
A blockchain survey by the digital association Bitkom shows that practically all companies surveyed hope to be able to adapt existing products or services with the help of blockchain, almost as many (94 percent) expect to be able to make completely new offers, and 3 out of 4 (77 percent) rely on being able to develop completely new business models thanks to the blockchain. Against these expectations, it is important to look at the use of blockchain in everyday business life: only seven percent of companies in the economy as a whole are specifically dealing with the use of blockchain.
However, this is not due to the data protection problems that are often discussed in connection with blockchain. Instead, Bitkom cites the following reasons for the still low use of blockchain: the technology is still at an early stage and there is a lack of know-how in many places.
Nevertheless, companies have difficulties in implementing the General Data Protection Regulation (GDPR), in blockchain projects as elsewhere. That is why it made more than sense to explicitly address data protection issues at the Crypto Rockstars blockchain conference.
The right to deletion also exists for blockchain applications
Anyone who wants to use blockchain technology should not fall for the idea that the GDPR and blockchain do not fit together. The usual argument is that blockchain applications are about immutable data and decentralized concepts, while data protection wants, for example, to locate responsibility precisely and demands timely deletion of data.
The question of whether the GDPR can be applied to blockchain does not arise: it must be applied there. The rights of data subjects, such as the right to erasure, must also be implemented in a blockchain application.
The data protection supervisory authorities in France and Spain have been explaining how this is possible for some time.
Important information from the supervisory authorities
If blockchain properties are not required for the purpose of processing, one should prefer other solutions. This advice should be heeded not only from a privacy point of view: many of the current blockchain projects are not suited to blockchain per se, or at least do not require blockchain technology.
Permissioned blockchains should be preferred, according to the data protection officers, as they allow better control over the management of personal data, especially for transfers outside the EU.
The necessary, suitable guarantees for transfers outside the EU, such as binding corporate rules or standard contractual clauses, are fully applicable to permissioned blockchains.
The right to information of the persons concerned is unproblematic, as is the right to portability. The data protection supervisory authority in France considers that the exercise of these rights is compatible with the technical characteristics of blockchains.
For the challenge of data deletion in blockchain applications, the Spanish supervisory authority recommends protecting the data with asymmetric encryption and, when the data has to be deleted, deleting the private key, which is kept off-chain. In addition, of course, the original data must be deleted if it is available as plain text outside the blockchain.
The data has then been subjected to anonymization, which cannot be undone because the private key no longer exists. This procedure also corresponds to a position paper of the German Federal Data Protection Commissioner, according to which “an obligation for immediate deletion can be fulfilled by anonymization”.
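The key-deletion approach described above, as an added example in JavaScript (Node.js) that is not part of the original article or of any supervisory authority's guidance. An in-memory array stands in for the chain and a Map for the off-chain key store; all function names and sample records are hypothetical.

```javascript
// Added example with constructed data: crypto-shredding on an append-only ledger.
const crypto = require('crypto');

const ledger = [];               // stand-in for the chain: blocks are only appended
const offChainKeys = new Map();  // stand-in for the off-chain key store
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// One RSA key pair per data subject, referenced on-chain only by a random key id.
function enroll() {
  const keyId = crypto.randomBytes(8).toString('hex');
  offChainKeys.set(keyId, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
  return keyId;
}

// Only ciphertext goes on-chain. RSA-OAEP fits short records (up to 190 bytes here).
function appendRecord(keyId, plaintext) {
  const { publicKey } = offChainKeys.get(keyId);
  const ciphertext = crypto
    .publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, 'utf8'))
    .toString('base64');
  const prev = ledger.length ? ledger[ledger.length - 1].hash : '0'.repeat(64);
  ledger.push({ keyId, ciphertext, prev, hash: sha256(prev + keyId + ciphertext) });
  return ledger.length - 1;
}

// Returns the plaintext, or null once the key has been erased.
function readRecord(index) {
  const keys = offChainKeys.get(ledger[index].keyId);
  if (!keys) return null;
  return crypto
    .privateDecrypt({ key: keys.privateKey, ...OAEP }, Buffer.from(ledger[index].ciphertext, 'base64'))
    .toString('utf8');
}

// Erasure request: destroy the key pair off-chain; the chain itself is untouched.
function eraseSubject(keyId) {
  return offChainKeys.delete(keyId);
}

// The hash chain still verifies after erasure because no block was modified.
function verifyChain() {
  return ledger.every((b, i) =>
    b.prev === (i ? ledger[i - 1].hash : '0'.repeat(64)) &&
    b.hash === sha256(b.prev + b.keyId + b.ciphertext));
}
```

In a real deployment the key must also be destroyed in every backup and replica of the key store, otherwise the on-chain ciphertext remains recoverable.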
But blockchain also helps in the implementation of data protection
So it turns out that the data protection challenges in blockchain applications can be solved. But blockchain projects can not only fulfill data protection, they can also facilitate the implementation of data protection.
Two examples of this can be found in blockchain applications developed by startups that have been or are still being supported by Crypto Rockstars partners:
ipOcean is a blockchain-based, proprietary Internet network that enables organizations to present and forward knowledge, technologies, solutions, innovations and any other type of intellectual property in a protected manner, according to the provider. It combines the speed, connectivity and performance of an Internet platform with the proof of ownership, the transfer of data and the identification of users in a verifiable and tamper-proof way, thanks to blockchain.
The Smart Blockchain Ecosystem TEAL sees itself as an alternative to Google, Amazon and Co. An associative AI, interlinked with the decentralized infrastructure of the blockchain, gives the user back control over their data, according to the startup. In the TEAL blockchain, the user stores his data in a decentralized and protected manner. The user decides to whom he provides which information and regains data sovereignty, as the provider emphasizes.
It turns out that data protection and blockchain should not be seen as a contradiction, but as allies. There are not only theoretical concepts on how data protection and blockchain can be reconciled; numerous blockchain applications also have the protection of data in mind or even as their subject.