{"id":3211,"date":"2018-08-23T14:26:53","date_gmt":"2018-08-23T17:26:53","guid":{"rendered":"https:\/\/www.nachodelatorre.com.ar\/mosconi\/?p=3211"},"modified":"2018-08-23T14:26:53","modified_gmt":"2018-08-23T17:26:53","slug":"adaptacion-de-blockchain-para-el-cumplimiento-de-gdpr","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=3211","title":{"rendered":"Adapting Blockchain for GDPR Compliance"},"content":{"rendered":"<p>Data protection and privacy, among others, are two important reasons for the global enthusiasm around Blockchain and why the technology is transforming the way trusted, transparent, and traceable transactions occur across the Internet.<!--more--><\/p>\n<p class=\"\">Data protection and privacy, among others, are two important reasons for the global enthusiasm around Blockchain and why the technology is transforming the way trusted, transparent, and traceable transactions occur across the Internet.<\/p>\n<p>So it\u2019s ironic that much of the initial reaction around Blockchain relative to the General Data Protection Regulation (GDPR) is that the technology is an ill fit for the new European Union directives intended to enhance the protection and privacy of consumer data. It also happens to be a superficial and unhelpful mistaken assumption. A closer look at Blockchain\u2019s underlying concepts and technologies reveals how the technology\u00a0<em>improves<\/em>\u00a0the fundamental aspects of data privacy and security specified in GDPR, depending on how the solution is designed to meet the GDPR requirements.<\/p>\n<p>The fundamental challenge is adapting the new decentralized peer-to-peer Blockchain Internet technology for GDPR directives that are fundamentally predicated on the traditional centralized Internet approach.<\/p>\n<p>Alternative Blockchain techniques allow for implementations oriented toward GDPR compliance. 
These techniques demand a thorough comprehension of Blockchain distributed ledger technologies (DLT), as well as their ecosystem. Blockchain\u2019s identification management processes, such as the ones that store and process personally identifiable information (PII), are crucial in designing GDPR-compliant solutions.<\/p>\n<p><strong>Addressing immutability<\/strong><\/p>\n<p>One of the key principles of GDPR is Article 17&#8217;s \u201cRight to erasure\u201d (or \u201cright to be forgotten\u201d). Based on this GDPR principle, whenever required, consumers can request that their personal information be erased by their data processors (or \u201ccontrollers\u201d).<\/p>\n<p>However, due to the Blockchain &#8220;immutability of records&#8221; principle, any data contained in Blockchain transactions is virtually impossible to modify. Data is copied to peer-to-peer nodes, which function as distributed databases, or distributed ledgers, and are the main components of the Blockchain. The data that is added to a public, permissionless Blockchain is, indeed, there forever, and, technically speaking, such data, or other metadata, cannot be altered. Because of how Blockchain blocks and transactions are constructed, all of the information and records that are entered into the distributed ledgers are publicly visible, tamper-proof and immutable.<\/p>\n<p>So, does this immutability of data transactions imprinted in the very fabric of the distributed ledgers render Blockchain inconsistent with GDPR Article 17? Not necessarily. Adoption of hybrid off-chain architectures for distributed data storage is one alternative approach to address this challenge. Other alternatives call for keeping PII data within the user&#8217;s devices, creating metadata and hashes of this PII information, and referring back to this local data using third-party servers or the Blockchain layer itself. 
This creates different Blockchain-GDPR compliance levels.<\/p>\n<p>To account for Article 17, then, one alternative is that all GDPR-sensitive information and data could be stored off-chain in distributed or cloud-based servers, with only the corresponding hashes stored in the Blockchain layer. In this way, the hashes serve as control pointers to the GDPR-sensitive data, which is stored off-chain. These control pointers are not the user data that GDPR seeks to protect but a pseudonymization of that original data. The other database storing the original data is not, in practice, subject to the record-immutability issues that Blockchain introduces. For the sake of Article 17 compliance, then, the service provider can erase the \u201clinkability\u201d of the Blockchain hash pointer to the data located in distributed off-chain servers whenever required.<\/p>\n<p><strong>Addressing anonymization<\/strong><\/p>\n<p>Perhaps the most interesting, and most controversial, article related to Blockchain\u2019s applicability to GDPR is Article 25, \u201cData protection by design and by default,\u201d which addresses pseudonymization techniques for consumers\u2019 stored data.<\/p>\n<p>Hashing is Blockchain\u2019s pseudonymization technique, and there are two critical interpretations for the pseudonym linkage using Blockchain relative to Article 25. The first one states that because Blockchain hashing accomplishes data pseudonymization, but not anonymization, the data linkage is no longer considered personal when it is established, and if this linkage is deleted, it also complies with Article 17. However, the second interpretation is that pseudonymized data, even with cryptographic hashing, can still be linked back to the original PII data. 
There may still, however, need to be some mathematical proof that a brute-force cyberattack on off-chain data linkage using hashing can compromise this assumption.<\/p>\n<p align=\"center\">The conclusion that this discussion leads to is that this issue remains a moving target as Blockchain innovation is accelerating, just as GDPR is being implemented, and significant legal-technical battles lie ahead. GDPR regulation must adapt and come up to speed quickly on the ramifications, issues and opportunities of enabling the next-generation decentralized Internet using Blockchain technology.<\/p>\n<p><strong>Source:\u00a0<\/strong><em><a href=\"https:\/\/www.informationweek.com\/strategic-cio\/security-and-risk-strategy\/adapting-blockchain-for-gdpr-compliance-\/a\/d-id\/1332499\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.informationweek.com<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Data protection and privacy, among others, are two important reasons for the global enthusiasm around Blockchain and why the technology&hellip; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,29],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/3211"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3211"}],"version-history":[{"count":0,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/3211\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}