Blockchain Technology and The Right to be Forgotten Part 1

From time to time, we at Validactor are asked why we decided not to use blockchain technology for our platform. There are many reasons for this decision; listing all of them would make this short entry very long and uncomfortable to read, so we decided to split the reasoning behind Validactor vs. Blockchain into more than one part.

This is Part 1

The roots of the “Right to be forgotten“ can be traced back to the lawsuit Google Spain v. AEPD and Mario Costeja González. In this case, the Court of Justice affirmed that upon data subject’s request “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person…” This ruling by the Court of Justice can be thought of as the first conceptualisation of the “Right to be forgotten” which was later expanded upon in the GDPR.

Article 17 of the GDPR mandates that the data subject “shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”

It becomes obvious at first glance that the GDPR right to be forgotten – designed for a world where data is centrally stored and processed – is profoundly incompatible with permissionless and decentralized blockchains not only at the technical, but also at a conceptual level.

Put simply, a blockchain is a data structure that allows a network of distrusting peers to share a continuously growing list of records (grouped in blocks) linked together and secured using cryptography. The state of the blockchain is determined by what is known as emergent consensus. Emergent consensus is a technical term describing the way in which thousands of independent nodes, following simple rules dictated by the consensus algorithm, reach an agreement on the latest state of the blockchain.

Decentralized blockchains do not rely on central authorities to process data and, therefore, the idea of data controllers that can erase personal data from the blockchain is rendered meaningless. Besides, blockchains are, by design, tamper-proof. The modification of data in a blockchain is possible in theory, but in reality we can’t expect a straightforward application of the right to erasure to decentralized blockchains. Not only is the enforcement of the GDPR on public and permissionless blockchains almost impossible from a technical standpoint, but the mere idea of a right to erasure goes against everything blockchains stand for. Looking at blockchains as mere apolitical technological tools is a narrow-minded, reductionist approach to the study of this multi-layered technological and cultural phenomenon.


A Nice Article

The right to be forgotten as the main risk for blockchain technology

Nov 20, 2017

The right to be forgotten, which is set out in the new General Data Protection Regulation (GDPR) of the European Union (EU), mainly in Article 17, and which already came into force on 28th May 2017, now empowers any person to correct or even delete personal data and information that affects them, and to stop it being processed if the personal data is no longer necessary for the purposes for which it was collected or if the person has not withdrawn his consent. This right can conflict with blockchain, as one of the ways to use it is the storage of documents and information, with its strong immutability and rightful inalterability. So the main feature of this new IT technology can collide deeply with the fundamental principles of the right to be forgotten. It has to be taken into account that when data or information is registered in a blockchain it becomes unique, unrepeatable and even indelible. This quality of information entry and storage is the basis of the reliability of this technology, since any attempt to change it completely or partially is simply impossible within the framework of cryptographic capabilities. This unique feature is a problem and an advantage at the same time: on the one hand it guarantees the information’s security and allows the system to defend itself against any illegal or duplicate transactions, but on the other hand it prevents the possibility of deleting it. In addition, the inability to correct false data can continuously cause solid harm to every user.

What happens if someone decides to use their right to be forgotten and delete or correct their personal information on a blockchain? The answer is that it can be an almost impossible task. In existing systems on which the blockchain procedure is based, if the data is deleted, there will be a record in the system that leads to a bifurcation of information: while there is no data in the new block, the previous data will continue to exist in the old block, so the data and information bifurcate into existing and non-existing. An alternative to data destruction, which we have seen is really impossible, is removing the blockchain’s credentials and access so that the information and data contained are inaccessible to everyone at the same time. However, these blockchain credentials can be recovered by different methods, “brute force” included (a cryptographic procedure to retrieve a password by testing all possible combinations). The most realistic option, as recommended by IT professionals, is creating a new accounting system, an editable blockchain, that allows one or more designated administrators to rewrite or change data blocks if the right to be forgotten is claimed by any user. What is emphasized is that lawmakers should interpret the possibilities of the right to be forgotten in view of certain technical restrictions but, at the same time, strike in the legislative field a particular balance between protecting the privacy of citizens and understanding the consequences of using blockchain and how it evolves. In this sense, European Union regulation should limit the scope of the right to be forgotten in blockchain systems, accepting an indefinite locking of data as compliance rather than forcing it to be abolished.
However, to the greater risk of the development of blockchain technology, Directive (EU) 2016/679 does not take these facts into account; put more simply, this problem with the blockchain is simply out of sight. The content of this directive is a threat to the blockchain, or rather a threat to its technical advantages.

Today, as the blockchain is being used in an ever-growing list of applications, European privacy laws are at the same time becoming more sophisticated and complex every day, based on a liberal legislative framework and traditions that prioritize unlimited human rights and the right to defend one’s own honor and dignity. In this endeavor one can see an attempt by lawmakers to play some kind of catch-up with technological developments and, accordingly, to try to protect a person, or better to say the EU citizen, from such modern technologies. Key attractions of blockchain are, for sure, its permanency, sustainability and transparency, as stored data is added to and is very difficult to take away or delete. However, since the new EU rules will essentially give individuals a right to no longer have their data processed (basically the right to be forgotten, as it is pointed out in the regulations), important difficulties and conflicts arise of which users and developers of blockchain should be aware.

We remind you that the blockchain itself records a series of transactions in blocks and can include data and information of any kind, including “personal data” as defined in the EU directives (i.e. data related to a living person) and in a number of national EU laws. In fact, any record that can be stored electronically and recognized by a computer can be stored on a blockchain, with the potential to be used by a wide range of users. For example, it was recently reported that a number of EU national governments are exploring the possibility of using blockchain technology for storing data about benefits claimants and applicants, such as the creation of a special state register with the help of blockchain. In a blockchain, data and information are only added to, and are maintained by a peer network of nodes in which each node has a copy of the blockchain and has equal authority to add to it. This is a main attraction of blockchain, as once some data is embedded it cannot be altered without the amendment being approved by other nodes in the network. Where personal data is concerned, however, this inability to remove data can lead to problems, particularly in light of the new laws coming from EU legislation. In particular, the new EU General Data Protection Regulation (GDPR) mentioned above, which was approved earlier in 2016 following over four years of negotiations and replaces a law which is more than 20 years old (Directive (EU) 95/46), introduces, amongst other things, a right to be forgotten. Generally speaking, it means that if an individual no longer wishes for his data to be processed, and there are no legitimate reasons for retaining it, this individual could ask the person controlling his data and information to erase it from the blockchain.
Since the General Data Protection Regulation (GDPR) will apply to all those processing data in the EU or those who process data relating to EU data subjects, it is easy to understand how this could extend to those within a peer network storing data, such that someone could now technically ask those within the network to erase the data they hold in the system. So it is technically not realistic to fulfill such requirements for the right to be forgotten. And since Directive (EU) 2016/679 is already becoming law everywhere in the EU in the spring of 2018, including Great Britain, despite Brexit, this gives all persons involved in blockchain operations, and to whom the General Data Protection Regulation (GDPR) applies, the preconditions to solve in time certain tasks that would minimize the risks of the application of the right to be forgotten in the EU.

Conflict: technology against the law
Since blockchain can be used for a wide range of tasks, for example from recording visits to health practitioners to ascertaining the owner of an asset, it is easy to imagine moments when an individual may wish that data no longer be held about him in the way it was entered into the blockchain, or when an individual may request that data relating to him be deleted immediately. Nevertheless, in order to delete all data and information, various nodes would have to work together to rebuild the blockchain from the point at which that data was added, which is useless. At the same time, there are some steps which can, and should, be considered to reduce the risk of a court order compelling data to be removed or, worse, nodes to be shut down because of a failure to recognize this right to be forgotten and satisfy its claims. In particular, one should pay great attention to the quality and structure of information when constructing the contents of the blockchain and the network which supports them from the very beginning, thereby reducing the risks. One of the key ways to minimize this risk can be simply using blockchain to provide a timestamp for information stored elsewhere (for example, on a website); if the content needs to be removed, the realization of the right to be forgotten will then be much less cumbersome and awkward. Similarly, when designing transactions, see to it that they cannot be used to add comments or information that could include personal data. All this would help, at least in terms of compliance with the primary principles of the privacy policy. Other solutions may include controlling what becomes public within a peer-to-peer network of trusted nodes, thereby hiding data in the blockchain that should not be shared in the first place, or encrypting data within the blockchain, although problems may of course arise if the decryption keys were ever made public or lost.
How the right to be forgotten is treated in the context of blockchain technology, of course, remains to be seen. For example, could it be argued that there is a legitimate reason for retaining transaction blocks, and in which way would EU regulators/courts implement this right in terms of jurisdictional hurdles? These are just a few key questions that arise when considering this problem. Nevertheless, for all users of the blockchain, the advice is that this change in the legal landscape requires careful planning and reviewing of their activities.
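
The timestamp-only design suggested above, combined with the hash-linked, tamper-evident blocks described at the top of this page, as an added Python example that is not code from the article or from Validactor. The `Ledger` and `OffChainStore` classes, the salted HMAC commitment and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

GENESIS = "0" * 64


def block_hash(index, prev_hash, commitment):
    """Hash a block's contents; prev_hash chains it to its predecessor."""
    return hashlib.sha256(f"{index}|{prev_hash}|{commitment}".encode()).hexdigest()


def commit(salt, record):
    """Salted commitment: without the salt, a guessed record cannot be confirmed."""
    return hmac.new(salt, record, hashlib.sha256).hexdigest()


class Ledger:
    """Append-only hash chain holding commitments only, never the personal data."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment):
        index = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"index": index, "prev": prev, "commitment": commitment,
                            "hash": block_hash(index, prev, commitment)})
        return index

    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(b["index"], prev, b["commitment"]):
                return False
            prev = b["hash"]
        return True


class OffChainStore:
    """Erasable store run by an identifiable controller (hypothetical design)."""
    def __init__(self, ledger):
        self.ledger, self.records = ledger, {}  # records: block index -> (salt, record)

    def put(self, record):
        salt = os.urandom(32)
        index = self.ledger.append(commit(salt, record))
        self.records[index] = (salt, record)
        return index

    def check(self, index):
        """True/False if the stored record matches the chain; None once erased."""
        if index not in self.records:
            return None
        on_chain = self.ledger.blocks[index]["commitment"]
        return hmac.compare_digest(on_chain, commit(*self.records[index]))

    def erase(self, index):
        self.records.pop(index, None)  # drop record and salt; the chain is untouched


def demo():
    store = OffChainStore(Ledger())
    a = store.put(b"name=Alice Example;visit=2017-11-20")  # constructed sample records
    b = store.put(b"name=Bob Example;visit=2017-11-21")
    store.erase(a)
    erased = (store.ledger.verify(), store.check(a), store.check(b))
    blocks = store.ledger.blocks
    blocks[0]["commitment"] = GENESIS  # try to scrub the block itself
    blocks[0]["hash"] = block_hash(0, GENESIS, GENESIS)  # even after re-hashing...
    return erased, store.ledger.verify()  # ...block 1 still points at the old hash
```

Erasing the off-chain record and its salt leaves the chain valid, whereas scrubbing a block in place invalidates every block after it, which is why deletion on the chain itself means rebuilding it from that point.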

As I mentioned earlier, every day we constantly hear about how brand new software products are appearing on blockchain technology. A cryptographically secure technology (secured by means of member consensus) is turning out to be the solution for many problems and is eliminating inefficiencies in the world around us. And this isn’t just about technological improvements or the reconstruction of business models: different blockchain use cases and examples will leave a permanent mark on the economy, society and, perhaps, also on politics. Blockchains, especially public ones such as bitcoin or ethereum, break many paradigms, including legal ones. Thus we are entering an interesting transition period when successive applications of this technology will encounter legal norms that cannot always be adapted to the new reality. One of the most interesting and intriguing examples for analysis is the protection of personal data. And this is clearly understood from the problem under discussion. Legal regulations protecting personal data are of great importance in many areas where blockchain already exists: finance, healthcare, electronic identification systems, and so on.
Problems and advantages of blockchain

First of all, why are blockchain networks a challenge for the protection of personal data? There are three main possible reasons:
· Blockchain networks are decentralized and distributed. It is virtually impossible to identify the subject responsible for what is happening on the blockchain and for the processing of personal data.
· Blockchain networks are public and transparent. As a rule, all information on a blockchain, which may include personal data, is accessible to everyone.
· Blockchain is non-editable. It is impossible to change or delete information contained on a blockchain (personal data). Transactions are irreversible.
Why can blockchain be considered an opportunity to protect personal data at the same time? Strangely enough, the same problems are turning out to be advantages. Here, in this paradox, lies the legislative complexity of regulating blockchain technology:
· Blockchain networks are decentralized and distributed. Currently, various trusted third parties process our personal data. These entities are centralized and, therefore, often constitute single points of possible failure. Leaks of unimaginable amounts of data as a result of cybercrime often occur in the form of an attack on a single entity, such as a hospital, email service provider, and so on.
· Blockchains are public and transparent. We do not currently have any effective control over who processes our personal data and how. In fact, the data subject is in control of their personal data only to a restricted degree. Upon a transfer of that data, the subject loses control over how it is subsequently used.
· Blockchain networks are very safe. Through the use of cryptography (digital signatures, encryption, time-stamping) and systemically embedded economic incentives for network-maintaining entities, blockchain provides a fairly secure way of storing and managing information, including personal data.

What kind of legislative problems is blockchain facing today in the EU?
The legislation that most closely regulates the protection of personal data in the European Union is the General Data Protection Regulation (GDPR). Although the GDPR is said to have been designed to be technologically neutral and adapted to processing personal data in different contexts, structures and manners, in the case of blockchain technology, many questions are raised. The answers will be different for different types of blockchains, but here are some issues that need to be discussed:

· Who is the controller of personal data on a blockchain network?
The controller determines the purposes and means of the processing of personal data. Does such an entity exist at all in the context of a distributed blockchain network? We can potentially treat transaction-confirming miners as the controllers (in the case of proof-of-work consensus), which is something that in the case of large public blockchains will be unrealistic in practice.

· What kind of laws should be applied to blockchain technology?
In situations where it is not possible to identify the personal data processing entity and the place where the data is processed (there are probably as many of these entities and places as there are network nodes), it is difficult to determine the jurisdiction which will be appropriate and accurate for the legal assessment of data processing (in other words, the applicable national law).

· What is the personal data in the context of blockchain?
The understanding of personal data is becoming broader and broader in modern life. So can we treat public keys as personal data? After all, they do not have the features of anonymous data and they are often associated with specific natural persons, although their characteristics are similar to pseudonymized data.

· Does the blockchain limit the purpose of collecting and processing data and its minimization?
According to the GDPR, the specific purposes for which personal data is processed should be specified, explicit and legitimate (purpose limitation). The personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). These are just examples of principles set out by the GDPR. Meanwhile, in a public blockchain, data is maintained on every node of the network and is publicly accessible to anyone, regardless of the original purpose of their collection and processing, which clearly contradicts the concept of the GDPR.

· Are blockchains compatible with the personal data protection system by design and by default a priori?

· How to realize the right to be forgotten?
Blockchain networks are practically non-editable and data held therein is often impossible to update, delete, change or correct.

· Who is liable for violations of the above requirements and obligations, since it is not possible to indicate the data controller?
What other threats are possible from GDPR in addition to Article 17 for blockchain?

Right to Access
Article 15 of the GDPR stipulates that an individual has the right to understand who has access to their personal data, what data has been made available and how that data is being used or processed. In addition, the individual must be able to obtain, on demand and with no charge, a copy of the digital information undergoing processing.

Right to Consent
While not new to GDPR, the regulation continues to stipulate, specifically in Article 7, that an individual must consent to data being used and, moreover, has the right to rescind that consent at any time.

Right to Portability
The right to portability outlines that an individual has the right to receive the personal data provided to a controller in a digital format and may transmit that data as desired. Effectively, an individual should be able to obtain, move and provide access to their digital data as they see fit.

Right to Data Minimization
In article 25 of GDPR, the processor is mandated to use “… only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.” Meaning that only the minimum amount of personal data needed should be granted.
A look at blockchains through the prism of data protection laws — especially laws as ambitious as the GDPR — is an interesting exercise, since it is not just a question of concluding that the application of this technology will generate legal problems. This is only one side of the problem. Blockchains may also become essential components of future institutions, systems and mechanisms developed to cope with data protection regulations. For maximum efficiency, blockchain elements will likely combine with traditional solutions. The advantages of this technology can be used to build a truly effective framework for the protection of personal data, where the data subject will have actual power to control how their data is used. Therefore, we are facing today quite a challenge. We should interpret the laws, and design and build blockchain applications, in a manner that maximizes their synergy. Otherwise we will be stuck in a situation where the law will hold back the development of technology and innovation, while personal data will be protected less and less effectively. Together, the GDPR and blockchain advocates point to the same thing — the need to fundamentally change the way in which personal data is managed.

Sergiy Golubyev
EU structural funds, ICO projects, NGO & investment projects, project management, comprehensive support for business, expert with AgroChallenge foundation

Validactor “Protects, Profiles & Tracks”.

Based on a secure serialization technology, Validactor protects products and brands, fights any form of counterfeiting and profiles customers’ spending habits.
An innovative close-to-the-customer loyalty program promotes a series of activities and incentivises focusing to build brand loyalty.
The Validactor’s offering includes advanced customer services, a sales portal and Big Data related activities. Many other features are also integrated, such as a flexible and customizable database, the unique “Lost&Found” function, a Recall Management tool, Product Statuses and Diversions.

The Validactor’s solutions are fully customizable to be used in any vertical market, regardless of the products’ type. No special hardware or costly training sessions are needed. Validactor tools can be quickly mastered so that companies can start protecting their products in a very short timeframe.

Validactor’s collected data can be used for a wide range of marketing and sales activities, including specifically targeted interactive videos based on real data.
