Last Friday marked a very important day for data privacy and consumer rights, as the long-awaited General Data Protection Regulation (GDPR) finally went into effect. There has been a lot of discussion around what GDPR means for data rights, privacy and the blockchain ecosystem, but perhaps not enough clarity.

At Enigma, solving for privacy is our focus. We believe privacy technologies will ultimately determine what we can build and scale in a decentralized world — and that Enigma will be the foundation for these new solutions. In this post, we are going to briefly touch on what GDPR is, what it can mean for the blockchain ecosystem, and where Enigma’s solutions fit in.

What is GDPR?

First, the basics: GDPR is a set of data privacy laws that was passed by the European Parliament in order to give EU citizens greater control over their personal data and provide safeguards in case of data breaches. GDPR is intended to mitigate risk for consumers — a valuable goal, given that recent high-profile data breaches have compromised the personal information of tens of millions of users across the globe.

GDPR introduces large potential penalties (the greater of 4% of global annual revenue or EUR 20 million) for companies that control or process personally identifiable information. GDPR’s scope is unprecedented: it applies to virtually every company that collects and processes data from natural persons located in the territory of the European Union, regardless of where those data are processed.

Here we should note that GDPR only applies to personal data (i.e. “any information relating to an identified or identifiable natural person”). As stated in GDPR, article 4 (1), “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This is important in determining whether data stored on a blockchain qualify as personal data for the purpose of GDPR.

GDPR primarily concerns three types of stakeholders:

Data subjects are individuals who reside in the EU and use applications / services which collect their personal data;

Data controllers are organizations that collect user data;

Data processors are organizations that facilitate storage and processing of user data that is collected by data controllers.

The concepts of data controller and data processor, and the relationship between them, play a crucial role in applying the GDPR, since the data controller determines who is responsible for complying with data protection rules and how data subjects can exercise their rights. As a result, the data controller is in principle liable for any damage resulting from unlawful processing of personal data, including breaches at the data processor level.

Let’s go over a quick hypothetical example to make these definitions more concrete:

Alice lives in France and uses Orange for mobile telecommunication services. Orange stores Alice’s personal information, payment information and location information. Orange then stores its data in AWS cloud services. Orange frequently receives consultancy service offers from transportation planning companies, which aim to use user location data in order to better plan public transportation stops. Since these transportation planning companies do not have the resources in-house, they frequently contact third-party data analytics companies (let’s call one such company Startup_X) to gather insight from Orange’s consolidated customer location data.

In this example Alice is the data subject, Orange is the data controller, and AWS and Startup_X are data processors.

GDPR introduces certain rights for data subjects around consent and data ownership. Data ownership is particularly interesting within the blockchain ecosystem as a lot of companies are looking to enable individuals to monetize their personal data through decentralized data marketplaces. (Please refer here for more details on rights of data subjects within GDPR.)

In addition, GDPR introduces certain measures to limit the damage caused by data breaches. Privacy by design is introduced to minimize the amount of personal data stored by companies and to provide certain incentives to companies that store customer data in anonymized / encrypted formats. GDPR also dictates that in case of a breach, data controllers or data processors notify data subjects within 72 hours so that data subjects can take preventative measures. This is a huge improvement over current practices, where companies like Dropbox only admitted data breaches after 2 years.

How does GDPR relate to blockchains?

In some important ways, the aims of GDPR and blockchains are similar. Both GDPR and blockchain seek to give people more control over their data and reduce the cost of trust for consumers. In GDPR’s case, Article 20 (Right to data portability) allows a subject to access her personal data and transfer the data from one controller to another, or even store it herself. The scope of blockchain and GDPR is similar as well. Blockchain’s potential to enable decentralization encourages us to overcome any concept of geographical boundaries. Similarly, the GDPR’s scope of application is unprecedented, as it could potentially impact every company operating in the world.

However, there are real conflicts between GDPR and blockchains. While GDPR intends to empower individuals, it is written with centralized, safeguarded databases in mind. This in turn creates significant incompatibility issues for the blockchain ecosystem. For example, GDPR treats personally identifiable information as personal data under EU law even when it is encrypted or hashed. GDPR allows anonymized data to be shared, but there is a lot of ambiguity around what counts as anonymization. Hashing, for example, does not qualify as an acceptable anonymization technique, because it does not irreversibly protect personal information: the space of possible SSNs is small enough that one can recover the actual SSNs from a table of hashed SSNs by brute force. In addition, as Arvind Narayanan and Vitaly Shmatikov demonstrated on Netflix customer data, anonymized lists can in most cases be de-anonymized. (Please refer here for more details on anonymization within GDPR.)
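To make the hashing point concrete, here is an added example (not code from this post or from Enigma) that contrasts a plain SHA-256 table with HMAC under a controller-held secret key, the usual pseudonymization countermeasure; the identifiers and the candidate window are constructed, and the secret key is a hypothetical value chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (made-up nine-digit identifiers, not real SSNs).
SAMPLE_IDS = ["123456789", "123456790", "123457001"]
# Constructed candidate window: a 10,000-value slice of the nine-digit space so the
# demo finishes in well under a second. The whole space is only 10**9 values, which
# is why the post says a table of unkeyed hashes is recoverable.
CANDIDATE_WINDOW = [f"{n:09d}" for n in range(123_450_000, 123_460_000)]

def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier: the 'hashing' the post says is not anonymization."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held only by the data controller. Under GDPR
    Art. 4(5) this is pseudonymization and still personal data, because the key
    holder can re-link it; but anyone without the key cannot enumerate the space."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def publish_tables(key: bytes):
    """What a processor or a leak would expose: the digests, never the key."""
    plain = {unkeyed_hash(i) for i in SAMPLE_IDS}
    keyed = {keyed_pseudonym(i, key) for i in SAMPLE_IDS}
    return plain, keyed

def recover_by_enumeration(table: set, candidates, digest_fn) -> set:
    """Try every candidate against the published digests and return the identifiers
    that match. This is the brute-force recovery the post describes."""
    return {c for c in candidates if digest_fn(c) in table}

def risk_comparison(key: bytes) -> dict:
    """Outsider with the leaked tables but no key, versus the controller with the key."""
    plain, keyed = publish_tables(key)
    from_plain = recover_by_enumeration(plain, CANDIDATE_WINDOW, unkeyed_hash)
    # Against the keyed table the outsider's digests never line up (a guessed key
    # fails the same way), so the window yields nothing.
    from_keyed = recover_by_enumeration(keyed, CANDIDATE_WINDOW, unkeyed_hash)
    controller_relink = keyed_pseudonym(SAMPLE_IDS[0], key) in keyed
    return {"unkeyed_recovered": from_plain, "keyed_recovered": from_keyed,
            "controller_can_relink": controller_relink}

if __name__ == "__main__":
    print(risk_comparison(secrets.token_bytes(32)))
```

The keyed column is safer against a leak, but because Orange can still re-link it, it remains personal data under GDPR rather than anonymized data.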

As a result, storing personal data on a blockchain, where anyone can read whatever is stored, becomes impractical from a GDPR perspective and can itself be considered a data breach. In addition, there are several other inconsistencies between how blockchains work and how GDPR is worded. Going back to Alice and Orange, consider the following:

If Alice exercises her right to be forgotten (which means that Orange has to delete all data about Alice), and then exercises her right to data portability to store her data on a blockchain, does Alice become a data controller? If so, even though her data may be encrypted, this could be considered sharing of personal information and therefore a data breach. How should Alice be penalized?

The reason we point out these discrepancies is to show that blockchains are not silver bullets for all GDPR-related complications. With all that said, it’s important to restate that the overarching themes around GDPR and blockchains are aligned. This opens the conversation for off-chain storage solutions that provide data sovereignty to users and allow certain sensitive data to move with the consent of data subjects.

How can Enigma work with GDPR?

At Enigma, we have been vigorously highlighting the importance of privacy in the blockchain ecosystem ever since our first whitepapers were published in 2015. We stand behind the principles of GDPR, but we must remain cautious as GDPR currently stands on a very theoretical level. We acknowledge that we do not yet know exactly how these concepts will translate into practice. With that said, let’s explore two areas where Enigma can be helpful within the scope of GDPR. One is around data sovereignty and the other, which we are very excited about, is around enterprise use-cases.

Data Sovereignty

While GDPR dictates that personal data remains personal data even when encrypted or hashed, and thus likely cannot be stored on blockchains, there may be ways to work around this issue. Let’s once more revisit the Alice / Orange example from above:

Alice exercises her right to data portability and stores all her data locally on her device. Alice uses a registry contract that publishes some high-level data about her background and transportation data. A transportation company (or Startup_X) that wants to access the travel details of Alice and many others can query the registry contract and pay Alice and the others to run computations on their data and identify where to build bus stops.

In this model there are data storage and data computation layers, as well as a verification layer to ensure the right computations took place. In Ethereum, all three currently take place on the Ethereum network. As presented recently at Consensus 2018, Enigma Discovery (our first release) uses Ethereum for the data storage and verification layers, while it performs privacy-preserving computations using Trusted Execution Environments run by nodes in the distributed Enigma network.

There’s also interesting work around personal data storage called Identity Hubs (spearheaded by the Digital Identity Foundation, of which Enigma is a part). One can store personal data in such an off-chain storage layer, perform computations off-chain, and use public networks like Ethereum for storing proofs. For example, Alice can store her date of birth in her identity hub, which can live on her mobile device. Using the Enigma network, Alice can prove she’s over a certain age and store a claim on the Ethereum network attesting to that fact. Please refer to our previous post for more details on this use case.

While Enigma is currently integrated with existing solutions, our ambitions remain some of the largest in the blockchain space. We aim to become a standalone solution that brings together new technologies and best practices in the most user- and developer-friendly manner possible. We are considering integrating database functionality into Enigma nodes as an off-chain storage option. We are also planning to build our own verification layer, as seen in our roadmap. (It’s important to note here that IPFS is not a data storage solution, but a file storage solution. Thus any database that is built upon IPFS is suboptimal.)

Enterprise use-cases

While not blockchain-specific, Enigma’s private computation technology can be extremely beneficial in managing the relationship and responsibilities between data controllers and data processors. In most cases, data controllers are not agile companies that adopt cutting-edge data analysis methods. Similarly, agile innovation companies do not have the same checks and balances that safeguard data. From numerous informational interviews that Enigma has conducted, we understand that it can take months for large data controllers like Orange to get approval from compliance departments and to share data with small data analytics startups. Within GDPR, this problem is exacerbated as data controllers become liable for their data processors and for any breaches those processors may suffer.

With Enigma, this problem can be effectively addressed. Data controllers and data processors can set up a permissioned Enigma network where the participants (or nodes) are selected based on business relationships or some element of trust. Thus, data processors can run computations on data controllers’ data without ever having access to it.

In the example above, Startup_X can perform computations on Orange’s customer data without ever directly accessing the data. Currently Startup_X gets an anonymized customer list, and in many cases (as with the Netflix case mentioned above) anonymization is not completely irreversible, so the list can be de-anonymized if leaked. With Enigma, Startup_X never gets access to any of Orange’s customer data. This not only eliminates the liability that Startup_X can impose on Orange, but it’s far better practice than what we currently see in the market. Furthermore, the proposed design helps Orange provide transparency to Alice when she inquires how her data is being used, as all computations and data inputs can be recorded in a private ledger.

While we are supportive of the idea of data sovereignty, the wording of GDPR and its potential interpretations by law enforcement lead us to be cautious. However, blockchain and related technologies still hold the powerful promise for users to better control their personal data and enhance their individual autonomy. Enigma is dedicated to using these new technologies in order to create safer, scalable, and innovative solutions for data privacy and data sharing. We are building a more decentralized and sustainable world.