Data Privacy Regulations Versus Blockchain Technology
In their 2016 book, Blockchain Revolution, Don & Alex Tapscott defined blockchain as “an incorruptible [immutable] digital ledger of economic transactions that can be programmed to record not just financial transactions but virtually everything of value” (Tapscott, 2016).
When data is stored in a digital ledger using public/private keys, digital signatures, and cryptographic hashes, tampering is immediately evident. The append-only data store resists deletion or alteration and is therefore a useful data structure for storing audit data.
Before deploying blockchain technologies, organizations must determine whether the implementation is consistent with data privacy regulations. Understanding whether blockchain implementations promote privacy objectives or undermine these objectives is an important consideration.
Organizations under the jurisdiction of the GDPR and CCPA, or similar legislation, should proceed with caution before storing personal data on a blockchain. The immutable nature of blockchain technology poses challenges for organizations faced with right-to-erasure and correction requests.
The CNIL (Commission Nationale Informatique & Libertés) notes that it is “technically impossible to grant the request for erasure made by a data subject when data is registered on a blockchain” (CNIL, n.d., p. 8). Methods to delete data from a blockchain are not currently available, but this may change. Several solutions to this dilemma have been proposed:
- Exemption: Some believe that legislation that provides an exemption for personal data stored on a blockchain may be the answer.
- Deletion of the private key: This is a technical means of rendering the stored data unusable by deleting the secret key of the keyed hash function (or the encryption key) that protects it. It makes it impossible to prove or verify which information was hashed, but it may not satisfy the requirements of the legislation.
- An editable blockchain: In 2016, Accenture was awarded a patent for an “editable blockchain” for enterprise use. While geared to permissioned (privately controlled) blockchains, this option could allow organizations to alter data in the event of errors or fraud—and possibly to respond to requests to erase private information.
For now, if your organization employs blockchain technology, the best way to ensure compliance with privacy regulations such as GDPR, CCPA, and similar legislation is to keep personal data off the blockchain. The feasibility of deploying a solution that links to data off the blockchain will depend on how well the blockchain technology employed integrates with existing enterprise systems. However, the speed at which both blockchain technology and legislation are evolving requires constant monitoring of both.
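As an added illustration (not from the article or from CNIL), the following constructed Python sketch combines the key-deletion approach described above with keeping personal data off the chain: each block records only an HMAC commitment to a personal record, the record and its per-record secret key live in an off-chain store, and an erasure request deletes both, so the on-chain commitment can no longer be linked to any data while the chain's integrity still verifies. The ledger, its field names and the sample records are all constructed for this example.

```python
import hashlib
import hmac
import json
import os

# Constructed toy ledger, not a real blockchain: an append-only hash chain whose
# blocks carry only an HMAC commitment to each personal record. The record and
# its per-record secret key live off-chain, so erasure never touches the chain.
class Ledger:
    def __init__(self):
        self.blocks = []      # on-chain: commitment, prev hash, block hash
        self.off_chain = {}   # block index -> (secret key, personal record)

    @staticmethod
    def _digest(obj):
        return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

    @staticmethod
    def _commit(key, record):
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(key, payload, hashlib.sha256).hexdigest()

    def append(self, record):
        """Commit `record` to the chain; keep the data itself off-chain."""
        key = os.urandom(32)  # fresh secret key per record
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"commitment": self._commit(key, record), "prev": prev}
        block["hash"] = self._digest(block)
        self.blocks.append(block)
        self.off_chain[len(self.blocks) - 1] = (key, record)
        return len(self.blocks) - 1

    def verify_chain(self):  # True if every block hashes correctly and links to its predecessor
        prev = "0" * 64
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["prev"] != prev or self._digest(body) != block["hash"]:
                return False
            prev = block["hash"]
        return True

    def prove(self, index, record):
        """True if `record` is what block `index` committed to (needs the key)."""
        entry = self.off_chain.get(index)
        if entry is None:
            return False  # key deleted: the commitment can no longer be tied to any data
        return hmac.compare_digest(self._commit(entry[0], record), self.blocks[index]["commitment"])

    def erase(self, index):  # erasure request: drop the record and its key, chain untouched
        return self.off_chain.pop(index, None) is not None
```

After `erase`, `verify_chain` still succeeds and no personal data appears in the blocks, but `prove` can no longer link the commitment to the erased record; whether that satisfies a regulator is the open question the article raises.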
Commission Nationale Informatique & Libertés (CNIL). (n.d.). Blockchain: Solutions for responsible use of the blockchain in the context of personal data (p. 8). Paris, France: CNIL.
Tapscott, D., & Tapscott, A. (2016). Blockchain Revolution. Old Tappan, New Jersey: Penguin Group (USA) LLC.