Antoine Demicoli, Senior Manager at KPMG in Malta, discusses some aspects to be kept in mind, in respect of the interaction between GDPR and Blockchain
Left to their own devices, organisations, both private and public, hoard personal data. The General Data Protection Regulation (GDPR) is a unified privacy regulation that introduced more privacy rights for data subjects by placing new procedural and organisational obligations on data processors. GDPR curtails the unnecessary hoarding of data by data processors and also introduced a right for individuals to have their personal data erased.
However, technology has a habit of running ahead of legislators. Take blockchain, for instance: it relies on a distributed ledger that is decentralised and immutable, and is intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority. Anne Toth, Head of Data Policy at the World Economic Forum, contends that because data stored on the blockchain, including personal data, cannot be deleted, there is no way to exercise the “right of erasure” that people are granted under GDPR. Toth further argues that blockchain is not designed to be GDPR-compatible. Or rather, we believe that GDPR is not blockchain-compatible, the way the regulation has been written to date.
Others have propounded that the “right of erasure” can be reconciled with blockchain technology by persuading regulators that “erasure” does not have to imply that data is literally deleted, and that making data permanently inaccessible without deletion should produce the same result. Where personal data is saved on a blockchain in hashed form (meaning that the data is transformed in a way that cannot be reversed to its original state), one can argue that the existence of the hashes on the blockchain is not in violation of GDPR, as the data is sufficiently anonymised that it falls outside the definition of personal data under GDPR in the first place. Yet the Article 29 Working Party (now replaced by the European Data Protection Board), in its Opinion 05/2014 on Anonymisation Techniques, had partially concluded that hashing may still leave some small possibility of a successful brute force attack. A brute force attack is one in which an attacker tries an extremely large number of guesses in the hope of eventually guessing correctly, thereby exposing hashed personal data stored on the blockchain.
Still others contend that an alternative solution might be to encrypt all personal data with a key; in the event that a data subject requests that their blockchain data be erased, the key would be deleted, which in layman’s terms should be tantamount to deletion for GDPR purposes. The challenge, however, is that GDPR does not define what it means to “erase” data. Another possible reconciliatory solution in respect of the “right of erasure” might be to keep personal data in separate “off-chain” databases, but doing so would sacrifice several of the benefits of using blockchain in the first instance.
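The two approaches above, hashing on-chain and key deletion (often called crypto-shredding), as an added illustration that is not part of the original article. The ledger, the subject names and the HMAC-based stream cipher are constructed for the example; the ledger is an append-only list standing in for an immutable chain, and the only thing the operator can delete is the off-chain key.

```python
import hashlib, hmac, secrets

# Constructed example: an append-only list stands in for the immutable chain.
class Ledger:
    def __init__(self):
        self.entries = []            # grows only; nothing is ever removed
    def append(self, blob):
        self.entries.append(blob)
        return len(self.entries) - 1

def plain_hash(value: bytes) -> bytes:
    # Unsalted hash: anyone who knows or can enumerate the input recomputes it,
    # so a hash of a low-entropy field (a date of birth) stays linkable.
    return hashlib.sha256(value).digest()

def keyed_pseudonym(key: bytes, value: bytes) -> bytes:
    # HMAC: without the off-chain key the digest cannot be recomputed or matched.
    return hmac.new(key, value, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stdlib only); same call decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

class CryptoShredder:
    """Personal data goes on-chain encrypted; only the off-chain key is erasable."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.keys = {}               # one random key per data subject, held off-chain
    def store(self, subject: str, personal_data: bytes) -> int:
        key = self.keys.setdefault(subject, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(key, nonce, personal_data)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
        return self.ledger.append((nonce, ct, tag))
    def read(self, subject: str, index: int):
        key = self.keys.get(subject)
        if key is None:              # key shredded: ciphertext remains, data is gone
            return None
        nonce, ct, tag = self.ledger.entries[index]
        expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("ledger entry failed integrity check")
        return _keystream_xor(key, nonce, ct)
    def erase(self, subject: str) -> None:
        self.keys.pop(subject, None)  # the "erasure": delete the key, never the chain
```

After `erase`, the ledger still holds the entry (the chain is unchanged) but `read` can no longer recover it, which is precisely the interpretation of “erasure” the regulators would have to accept.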
In the light of the above, companies should be aware of the risk of developing blockchain technologies that include personal data of EU-based individuals until such time as we have clarification on the interpretation of the obligation to “erase” data, or until GDPR is amended to take blockchain into account, which to our mind is only a matter of time.
© 2020 KPMG, a Malta civil partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.