Blockchains and data protection laws: incompatible?


The GDPR (General Data Protection Regulation), new European legislation for the protection of personal or sensitive data, was approved in 2016 and entered into force on 25 May 2018.

Created to harmonize data protection across the European Union and return control over personal data to individuals, GDPR arrived in the midst of public outrage demanding better data control, fueled by the Facebook data leak scandal, which resulted in the biggest devaluation in that company's history since its IPO.

The new law therefore aims to provide transparency and more detailed rules on how organizations and companies must treat the data they collect. It also establishes the "right to be forgotten", rules on portability, and the conditions that have to be met when data is transferred to third parties.

Given the impact the GDPR has had around the world, including in Brazil, which went on to develop its own Personal Data Protection Act, this article analyzes how blockchain structures, with their distributed and immutable character, will be affected by this legislative movement on privacy.

Can a decentralized application or blockchain solution be used while complying with data protection legislation? Can blockchains coexist with the right to be forgotten?

The problem with the rearview mirror

First, it is important to realize that GDPR was designed to protect the privacy and freedom of people who have long suffered from abuses and failures related to "centralized" transmission and storage of data.

How do you hold accountable a malicious actor who, for example, posts on the immutable Ethereum blockchain a link leading to a PDF of his ex-wife's income tax return? How will GDPR perform its function if it is impossible to delete data that is stored and transmitted in a fully distributed manner?

This is an example of how regulation sometimes tries to solve a problem by looking into the rear-view mirror instead of at the road ahead. When European policy makers discussed and finalized the GDPR, blockchain technology was not on most people's radar.

To achieve our goal (to clarify whether the distributed and immutable nature of blockchains can be reconciled with the new European data protection legislation), we need to know how to identify blockchain structures (whose DNA is made up of peer-to-peer networks, cryptography and distributed consensus), and how data is handled in a blockchain.

Storing and sending data on a blockchain

A blockchain stores information in containers, called blocks, which are chronologically linked to form a continuous chain of blocks.

To change information already registered in a particular block, the previous information is not deleted in order to add the new one. Instead, every change of data is stored in a new block demonstrating that X was changed to Y at a specific date and time. Again, the previous information is never erased.

How can we reconcile the immutability and distributed nature of a blockchain with values (personal and sensitive data, for example) that must be kept confidential?

The different blockchains

There is no single open platform or single blockchain where everyone can request or modify information or change the system as a whole. What exists are different types of blockchains, classified as public or private, open or closed, depending on their security model and the threats they address. They can also be permissioned or permissionless, which allows different structures and governance rules to be implemented on the various existing platforms, and allows this technology to be used for the most diverse purposes and audiences.

While public or open blockchains are those that anyone can join, private or closed blockchains are those in which only pre-selected participants can take part in the network.

In permissioned blockchains, pre-selected entities direct the consensus process. In permissionless blockchains, anyone can participate in the consensus process.

In addition, blockchain projects can be divided into three categories:

  a) Specialized blockchain systems designed to process non-personal information, such as bills of lading, letters of credit or diamond certificates;
  b) Specialized blockchain systems designed to process personal information, such as proof of identity, or even sensitive personal data, such as medical records;
  c) General-purpose (data-agnostic) blockchain systems that can be used to process any form of data.

Ways to reconcile personal or sensitive data with blockchains

We are in the initial phase of the development of blockchain structures, a time comparable to what happened in the early days of the internet.

At the beginning of the worldwide web, the vast majority of people saw it as a chat room, without imagining the business models that would come later (Amazon, Netflix, Uber).

With this in mind, let's look at the paths being built to preserve personal rights and freedoms when processing data on blockchains.

The first of these is to process personal and sensitive data "off-chain" (information or transactions handled outside the blockchain network).

Off-chain transactions take place between parties that trust each other (for example because of a contractual relationship) and generally require intermediaries (trusted validators).

Still, off-chain storage of sensitive or personal data is a good alternative for reconciling blockchains and GDPR, and it has become increasingly popular because of its advantages: more privacy (the transfers are not visible on the public blockchain), low cost (usually free, because no miners have to validate the transaction) and speed (transactions are recorded immediately without waiting for network confirmations).

For those who want to dig deeper into off-chain storage, the video 'On Chain X Off Chain Transactions' from QuickX is recommended.

Another possible path is to use side chains (parallel networks). Unlike off-chain storage (where sensitive information is kept on a traditional network outside the blockchain), a "side chain" is a parallel blockchain, located alongside the primary or main blockchain and serving multiple users. The level of confidentiality and privacy of transactions taking place on a side chain depends on the technology that side chain uses.

These side networks are independent, so if they fail or are hacked, they will not damage other networks. That is, the damage is limited within that parallel network.

Side chains also make it possible to run experimental, pre-release versions of a blockchain without touching the main chain.

Another alternative for preserving personal rights and freedoms concerns the choice between permissioned and permissionless blockchains, since the type of blockchain chosen has a direct influence on who is responsible for complying with the privacy requirements. It is therefore always advisable to analyze the means and purposes of the processing in advance, before choosing the blockchain to be used, to ensure that the privacy rules are taken into account.

The right to be forgotten and the immutable character of blockchains

First, it should be noted that the right to be forgotten (or right to erasure) is not an absolute right.

Individuals have the right to have their personal or sensitive data erased and to prevent its processing in specific circumstances:

  a) When the personal data is no longer needed for the purpose for which it was originally collected or processed.
  b) When the person withdraws consent.
  c) When the individual objects to the processing of their data and there is no overriding legitimate interest in continuing the processing.
  d) When the personal data is processed unlawfully (i.e. in violation of GDPR).
  e) When the personal data must be erased to comply with a legal obligation.
  f) When the processed personal data relates to a child.

Another point to consider is: does "erase" actually mean delete?

What the term "forgetting" covers is still open for discussion. Some data protection authorities have found that irreversible encryption counts as erasure.

Naturally, given the characteristic of immutability, "erasing the data" in a blockchain environment is technically impossible, because the system is designed to prevent exactly that.

However, smart contracts may contain mechanisms that regulate access rights. Smart contracts can therefore be used to withdraw all access rights, making the content inaccessible to third parties even though it is not deleted.
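As an added example (not code from the original article), here is a toy model of the two ideas above: the off-chain pattern described in the "Ways to reconcile" section, and erasure that never rewrites the chain. Personal data lives in an off-chain store, only a salted HMAC commitment is appended to an append-only chain, and the right to erasure is honored by dropping the off-chain record and its salt, after which the on-chain digest can no longer be linked to anyone while the chain still verifies. The `Ledger` and `OffChainStore` classes are constructed for illustration and are not a real blockchain.

```python
import hashlib
import hmac
import os

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Ledger:
    """Minimal append-only chain; each block links to the previous block's hash."""
    def __init__(self):
        self.blocks = []
        self.append(sha256(b"genesis"))

    def append(self, commitment: str) -> dict:
        prev_hash = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"index": len(self.blocks), "prev_hash": prev_hash, "commitment": commitment}
        block["hash"] = sha256(f"{block['index']}|{prev_hash}|{commitment}".encode())
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every hash and link; altering any stored block breaks the chain."""
        for i, b in enumerate(self.blocks):
            expected = sha256(f"{b['index']}|{b['prev_hash']}|{b['commitment']}".encode())
            if b["hash"] != expected or (i and b["prev_hash"] != self.blocks[i - 1]["hash"]):
                return False
        return True

class OffChainStore:
    """Personal data lives here; the chain only ever sees a keyed digest of it."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # commitment -> (salt, data), held outside the chain

    def register(self, data: bytes) -> str:
        # Random salt as HMAC key: a bare SHA-256 of a name or tax ID could be confirmed by guessing.
        salt = os.urandom(16)
        commitment = hmac.new(salt, data, hashlib.sha256).hexdigest()
        self.records[commitment] = (salt, data)
        self.ledger.append(commitment)
        return commitment

    def resolve(self, commitment: str):
        rec = self.records.get(commitment)
        return rec[1] if rec else None

    def erase(self, commitment: str) -> bool:
        """Right to erasure: drop record and salt; the chain is never rewritten."""
        return self.records.pop(commitment, None) is not None
```

After `erase`, the chain still holds the commitment, but without the salt and record it is just an unlinkable digest, which is the practical reading of "irreversible encryption as erasure" that some authorities have adopted.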


Naturally, the questions do not stop there. For example, who is the data controller on a blockchain if the data can be stored in different places inside and outside the European Union?

Humanity goes through a time of transition and important changes in the way the world is today.

Blockchain governance challenges old patterns and ideas that have populated our minds for centuries, as well as centralized and controlled ways of transacting, and it is unfair to define it as just a distributed ledger. That is only one of many dimensions whose breadth and impact regulators and companies still cannot qualify or quantify.

In this context, a dialogue between regulators, society, developers and key players of this new sector is essential to better harmonize citizens' protection with the technological advances that will inevitably come.

Did the violent reactions of the candle, kerosene and gas lighting industry (which described the "new technology" as "dangerous to health and highly explosive") prevent the development and acceptance of electricity?
