The EU’s General Data Protection Regulation (GDPR) contains Article 17 in the law that is more commonly known as “the right to be forgotten.” This article is a great defense for citizens of the EU who wish to have all data and records about them permanently deleted so that they do not exist anymore on the Internet. The excerpt below is from the GDPR; Paragraph 1 of Article 17 reads as follows:
The data subject [EU citizens] shall have the right to obtain from the controller [holder of personal information, company, etc.] the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
[Further more exact points are listed].
Compliance challenge: amend rather than delete
Since it entered into force on May 25, 2018, any citizen of the EU may ask any company with data about them to delete it and provide them proof of deletion. However, with Blockchain technology and its inmutable, decentralized ledger technology, one simply does not click “delete.”
Therein lies the problem: data of individuals who wish to be forgotten can only be “crossed out” on a Blockchain.
The data can still be viewed on the Blockchain even if has been “removed”. Essentially, this individual record stillexists. Since May 25, 2018, this is now against the law, because this person wants his/her data removed and it cannot be erased.
There is a workaround, but critics call into question of if it is semantically compliant with Article 17-semantics will be discussed later.
Most importantly, what can be done, is to use the blockchain not as data storage, but rather as a guardian of the personal data that is stored off chain.
For a public Blockchain, the system can be changed so that the records are stored elsewhere, off chain, and the only way to get that data have permissions set up.
For example, a request is sent to the Blockchain for person x and the requester has permission to only the data he/she needs to see, that person then gets the API keys to access that data temporarily and the keys are returned.
Now to be compliant with Article 17, that data can either be deleted on the off-chain computer and/or the Blockchain data can be randomly encrypted and the keys were thrown out. In this scenario, the data exists but no one has keys to access it and if there were keys, they are randomly encrypted so that they cannot unlock the data.
The data is not, however, “erased” and that leads to the questions of is that semantically compliant with Article 17?
Reduction in transparency
The downside of the new law is that the GDPR has actually spawned more questions about what happens to data that is off chain.
This is because the workaround removes some aspects of interactions when the Blockchain is being used to only process permissions requests or used for verifying only specific data. Problems that arise from this process are the following:
Ownership of the data in an off-chain storage
Off-chain data encryption
Copies on other systems
Opponents of the law will try to frame an argument as such: So while trying to make citizens lives better, the GDPR works against the new Blockchain technologies that are trying to improve transparency in the public space and limits what blockchain can offer to the public spheres.
However, this stance is easily defeated as you would never want to put any personal information on a Blockchain anyways because it will remain there forever. Imagine, a bank account or credit card number there forever.
Even worse, your home address or personal identification number.
What is the GDPR? Who does it affect?
The GDPR is a new data protection framework that applies to nations within the EU and the UK. The new laws provide citizens more control over how their personal data is used and impose strict rules on companies managing and processing this personally identifiable information anywhere in the world.
Companies based in the US but also have operations in Europe are rushing to comply with the changes. However, it would be interesting to see if US companies that enact compliance with these new privacy policies also extend these new rights to non-EU citizens.