While users of public blockchains will have to mind their own footing regarding their personal information, the upcoming EU General Data Protection Regulation (GDPR) has complicated matters slightly for enterprise blockchains seeking to be compliant. Speaking to Diar, Hyperledger Executive Director Brian Behlendorf remains calm about the EU framework, as agreements between validating participants to amend the ledger in extreme circumstances could potentially address any grey areas, should concerns arise.

Enterprise blockchains are soon to be entering uncharted waters with the EU General Data Protection Regulation (GDPR), which takes full effect on May 25. Whilst subtle, there are key differences between how the US and the EU define personal information (see table). But as with any new law without precedent, the technical details remain open to interpretation: what constitutes personal information that could ultimately lead back to an individual, and what can be stored.

|| ON PERSONAL DATA

There are opposing views on whether public keys constitute personal information or would be exempt under the regulation’s rules as part of transactional data. Mr Behlendorf tells Diar that “the point of a public key is to intentionally share it so other participants can verify the signature. There isn’t something that it reveals about a person, unlike other Personally Identifiable Information (PII) like IP addresses.”

Michèle Finck, an EU law lecturer at the University of Oxford, believes otherwise, however: since the purpose of a public key is to identify the author of a transaction, it is reasonable to think that reusable public keys will qualify as personal data.

The same view was reiterated by former R3 Director of Market Research Tim Swanson, now at Post Oak Labs, who spoke to Diar. Mr Swanson said that “from a theoretical and academic standpoint, it makes sense that public keys could be personal data because they are connected to specific persons. Therefore, they can violate GDPR. However, this has not been tested in court yet so there is no concrete answer.”

Ultimately, the new regulation leads to the question of whether immutable blockchains could function at all without violating EU rules. Washington-based blockchain and digital asset advocates Coin Center think not: GDPR, they argue, is fundamentally “incompatible with the reality of open blockchain networks”, and if blockchain is not exempt, “Europe is closing itself off from the future of the Internet.”

|| ON ADOPTION

Mr Behlendorf believes “there is going to be a period of time after the launch of the GDPR when some of these questions about what specifically it applies to will get addressed. You wouldn’t want to store PII such as medical information into a ledger even in encrypted form because the landscape of what’s decryptable will change throughout the lifetime of these blockchains. We will need to wait on the regulatory bodies to weigh in.”

And as Mr Swanson noted, “Blockchain enterprise platforms always try to be compliant because otherwise they would never actually be used. If the blockchain platforms get implemented, it is only with the approval of the customers that will ultimately use the blockchain.”

It then falls on the consortia currently building enterprise-geared blockchains to address these issues. And while the answers aren’t clear, there are some ideas on the drawing board.

|| ON OPTIONS

Under current conditions, enterprise blockchain solutions that want to comply with the GDPR will have to be either mutable by consensus or mutable by a central administrator, so that personal data can be deleted retrospectively if an individual exercises their right to be forgotten. This could ultimately lead to more centralization and raises the question of whether a mutable blockchain is anything more than a database.

However, Mr Behlendorf suggested another potential method that Hyperledger may explore. “Instead of actually erasing the data from the blockchain, it might be possible to have a legal agreement between all the participants of the permissioned blockchain, in which everyone agrees that if one participant tells the rest to “forget” the data, the rest will be legally obliged to never export the data, never use it or render it in any end user interface. Even though the data will still be there.” Whether or not regulators would be appeased by such a method remains to be established.

Accenture seems to have taken a different, more direct approach. Last year the company filed a patent for an editable blockchain that can be changed or deleted by a central administrator under extraordinary circumstances. Setting aside whether an editable blockchain, having given up immutability as a key feature, is effectively the equivalent of a shared database, Accenture said the solution would “allow enterprises to resolve human errors, accommodate legal and regulatory requirements, and address mischief and other issues, while preserving key cryptographic features.” Since GDPR requires personal data to be redactable, Accenture says, its solution will be one of the few to be compatible.
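To make the difference between the two options above concrete, here is an added illustration, constructed for this page; it is not Hyperledger’s, Accenture’s or Diar’s code, and the ledger, record and function names are hypothetical. A tiny hash-chained ledger supports Mr Behlendorf’s approach, where a “forget” record is appended and the view layer withholds the target while every node still holds the raw bytes and the chain still verifies, and an administrator-edit approach (a simplified stand-in for an editable chain, not Accenture’s patented design), where the record is overwritten in place, which breaks the hash chain until every later block is re-hashed.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64


def block_hash(index: int, kind: str, payload: dict, prev_hash: str) -> str:
    """Commit to a block's index, kind, payload and the link to its predecessor."""
    body = json.dumps(
        {"index": index, "kind": kind, "payload": payload, "prev_hash": prev_hash},
        sort_keys=True,
    )
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    kind: str        # "data" carries a record; "forget" is a participants' agreement record
    payload: dict
    prev_hash: str
    hash: str


class PermissionedLedger:
    """Toy hash-chained ledger, constructed for illustration (hypothetical, not a product's code)."""

    def __init__(self):
        self.blocks = []          # list of Block, in append order
        self.forgotten = set()    # indices covered by a "forget" record

    def append(self, kind: str, payload: dict) -> Block:
        prev = self.blocks[-1].hash if self.blocks else GENESIS_HASH
        index = len(self.blocks)
        blk = Block(index, kind, payload, prev, block_hash(index, kind, payload, prev))
        self.blocks.append(blk)
        if kind == "forget":
            self.forgotten.add(payload["target"])
        return blk

    # Option 1: agreement to "forget". The data stays on chain; the view layer withholds it.
    def forget(self, target: int) -> Block:
        return self.append("forget", {"target": target})

    def render(self) -> list:
        """What an end-user interface or export is permitted to show."""
        out = []
        for b in self.blocks:
            if b.kind != "data":
                continue
            shown = {"withheld": True} if b.index in self.forgotten else b.payload
            out.append({"index": b.index, "payload": shown})
        return out

    def raw_payload(self, index: int) -> dict:
        """The bytes a node operator still holds: forgetting does not erase them."""
        return self.blocks[index].payload

    # Option 2: administrator edit. The record is rewritten in place.
    def admin_redact(self, target: int, relink: bool = False) -> None:
        self.blocks[target].payload = {"redacted": True}
        if relink:
            # Recompute every hash from the edited block onward: history is rewritten.
            prev = self.blocks[target - 1].hash if target > 0 else GENESIS_HASH
            for b in self.blocks[target:]:
                b.prev_hash = prev
                b.hash = block_hash(b.index, b.kind, b.payload, b.prev_hash)
                prev = b.hash

    def verify(self) -> bool:
        """Integrity check any participant can run without trusting anyone else."""
        prev = GENESIS_HASH
        for b in self.blocks:
            if b.prev_hash != prev or block_hash(b.index, b.kind, b.payload, b.prev_hash) != b.hash:
                return False
            prev = b.hash
        return True


def demo() -> dict:
    """Run both options on constructed sample records and report what each preserves."""
    ledger = PermissionedLedger()
    ledger.append("data", {"account": "acme-01", "contact": "alice@example.test"})  # constructed
    ledger.append("data", {"account": "acme-02", "contact": "bob@example.test"})    # constructed
    ledger.append("data", {"account": "acme-03", "amount": 42})                     # constructed
    hashes_before = [b.hash for b in ledger.blocks]

    ledger.forget(1)                                   # participants agree to forget block 1
    forget_ok = ledger.verify()                        # chain still verifies
    still_on_disk = "contact" in ledger.raw_payload(1) # but the data is still there
    rendered = ledger.render()                         # the UI/export withholds it

    ledger.admin_redact(1)                             # administrator overwrites block 1
    broken = not ledger.verify()                       # existing hashes no longer match
    ledger.admin_redact(1, relink=True)                # re-hash the tail to "repair" the chain
    relinked_ok = ledger.verify()
    rewritten = sum(1 for old, b in zip(hashes_before, ledger.blocks) if old != b.hash)

    return {"forget_keeps_integrity": forget_ok, "forget_leaves_raw_data": still_on_disk,
            "rendered": rendered, "edit_breaks_chain": broken,
            "relink_restores_integrity": relinked_ok, "blocks_rewritten": rewritten}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the report. The contrast it shows is the one the text is circling: the forget agreement keeps the chain verifiable by every participant but never erases the bytes, so compliance rests on the legal obligation not to export or render them; the administrator edit does erase them, but only by rewriting the hashes of every later block, which is exactly the property that makes the result look like a shared database rather than an immutable ledger.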

And Neepa Patel, R3 Chief Compliance Officer, told Diar that “transaction information begins from a point to point communication system instead of from a public broadcast model, so there is less data propagation, pseudonymous or not. Pseudonymization techniques are inherently built into the platform. Corda is currently exploring sophisticated anonymization techniques to comply with the “right to be forgotten” – a challenge faced by all blockchains.”

Ethereum Enterprise Alliance may potentially have more of a problem, as its platform will be built on an immutable ledger. The foundation did not respond to our request for comment.

GDPR’s main intention was to protect citizens against centralized services controlling personal data. It hasn’t taken blockchain into account, which can actually give people more control over their own data, especially through self-sovereign identity, which would store data at source rather than aggregate it in big datasets. It is unlikely that the EU will exempt blockchain from GDPR, but certain aspects have yet to be clearly defined by the regulators. And lurking just behind GDPR is an extension to the law, the ePrivacy Regulation, which looks to address the confidentiality of communications. Whether or not the EU can work in amendments to accommodate blockchain as part of open internet services and applications leaves the window cracked open – even if ever so slightly.