Intersection of GDPR and Blockchain: Privacy Issues

INTERSECTION OF GDPR AND BLOCKCHAIN: PRIVACY ISSUES

In this digital world, the development of technology is growing rapidly. The introduction of new technologies is paving the way toward a smarter world. Most of these technologies collect the data where it is processed and stored, as these data are used there is a rising concern about data privacy. One such technology that was trending is blockchain technology.

WHAT EXACTLY IS BLOCKCHAIN TECHNOLOGY?

Blockchain technology was developed in 2008, it was initially developed as a cryptocurrency technology. The popularity of cryptocurrencies led to the popularity of blockchain technology. Blockchain as a technology works by sharing information about transactions, it is a shared immutable digital ledger, which records the transactions. The ledger consists of lists of blocks which are nothing but sets of transactions that are collected for a certain period in chronological order. It operates through a peer network, in which the transactions must be verified by the participants before they can be added to the chain.

The other key aspect in the case of blockchain is smart contracts. These smart contracts are used by most blockchains excluding bitcoins. Smart contracts are self-executing codes that are automatically triggered if the conditions are met.

TYPES

There is a permissionless and permissioned blockchain. The permissionless blockchain is with no restrictions on participation and permissioned blockchain with restrictions on participation. There are private keys and public keys that are used in blockchain, where the private keys are used in private for authentication and encryption. The public key is publicly known and is used for identification.

The Public blockchain falls under the category of permissionless blockchain with no central authority. The Private and Consortium blockchain falls under the category of permissioned blockchain where they are controlled by one authority and by a group respectively. The Hybrid blockchain falls under the category of both permissionless and permissioned blockchain.

ADVANTAGES AND DISADVANTAGES OF USING BLOCKCHAIN

The main advantage of using blockchain is that it creates trust among the users, secures the data, reduces the cost of production, provides immutable records, and uses the method of encryption.

The disadvantage of using blockchain is that the data cannot be modified, changed, or deleted, requires the storage of a large database, if the private key is forgotten or lost the owner will be unable to access it, difficulty in identifying the controller since it is decentralized in nature.

PRIVACY ISSUES IN BLOCKCHAIN

The growth of blockchain resulted in the emergence of blockchain as a service platform. Since blockchain uses loads of data, there is also a concern over the privacy of blockchain. The blockchain as a service platform also faced privacy issues. It needs to be noted that the privacy risks associated with blockchain are more serious due to the nature of it being immutable and decentralized.

On comparing the permissionless and permissioned blockchains, the privacy issues are high among the permissionless blockchains since it reveals all types of data to all the participants.

The data cannot be deleted even in the period of blockchain’s collection and expiration period. This violates the provisions of the General Data Protection Regulation (GDPR). This creates the intersection of GDPR and blockchain: Privacy issues.

THE INTERSECTION OF GDPR AND BLOCKCHAIN: PRIVACY ISSUES

The European Union has implemented the General Data Protection Regulation (GDPR) in 2018 which protects the data of European data subjects. In blockchain personal data and transaction history are being stored, this falls under the purview of GDPR. Since GDPR deals with the protection of personal data.As stated above there is the intersection of GDPR and Blockchain in the case of privacy.

GDPR Rights

GDPR provides various rights to the users, where one of the rights includes “the right to be forgotten” or “right to erasure”. From this, it is evident that the control is in the hands of the users. Where they have the right to delete the data that they have provided to the data fiduciary.

The “right to rectification” is also a right that’s provided to the users where if there are changes in the data provided earlier, then the data subjects have the right to inform the changes or edit or correct the data.

But in the case of blockchain, the data are immutable so they cannot be deleted however they can be encrypted, the safety of such data is not guaranteed, since there are methods like quantum computing that break the encryption.

GDPR principles

Lawfulness and purpose limitation – According to GDPR, the personal data that are collected with explicit consent, must be a specific, legitimate purpose, and must be processed lawfully. In the case of blockchain, it is difficult to implement consent and storage, especially for permissionless blockchain which has no intermediaries.
Fairness – In the blockchain, the authority for the assessment of fairness is challenging.
Transparency – Informing the data subjects about the use of the collected data, must be informed by the controller. However, the blockchain interoperates with external storage, so it might require other procedures.
Data minimization, accuracy, and storage limitation – Since blockchain is immutable in nature, it is incompatible with the data minimization, accuracy, and storage limitation principle. Since there is no ability to delete those data.
Confidentiality and integrity – The data controller is responsible for confidentiality and integrity. They must also know which data should not be disclosed to third parties. In the blockchain, every user can access the transactions directly or through a smart contract the permissionless blockchain.
Accountability – In the blockchain, identifying the controller is critical for demonstration, in permissionless blockchain it is challenging to identify the controller.

COMPLIANCE

The GDPR when initially drafted in 2012, was designed for social networks and cloud services to make sure that users have control over the usage of personal data on these mentioned platforms.

From this, it is evident that the blockchain is primarily not the target. However, the blockchain also deals with the storage and the transaction of personal data, as said above it falls under the purview of the GDPR framework. So, this may result in re-evaluating the plans to adopt the compliance of GDPR, since there are difficulties in complying with the principles of GDPR adopting different measures is important to comply with GDPR.

As there is growth of the blockchain as a service (Baas) platform, which is a cloud-based service that builds digital products for Distributed Ledger Technology (DLT) and in the case of blockchain environments.

So, there is no doubt that there will be a growth of Baas in the future if you’re a company that provides Baas, comply with GDPR to get rid of the penalty!

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Analytics" category.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Necessary" category.
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
elementor	never	The website's WordPress theme uses this cookie. It allows the website owner to implement or change the website's content in real-time.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.

Cookie	Duration	Description
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.

Intersection of GDPR and Blockchain: Privacy Issues

Checkout Other Whitepapers

PRIVACY COMPLIANCE CHALLENGES FOR GENERATIVE AI PLATFORMS

DIGITAL PERSONAL DATA PROTECTION ACT 2023

GENERATIVE AI AND DATA PRIVACY:NAVIGATING THE INTERSECTION

The EU Artificial Intelligence Act

Privacy Terms & Conditions

About Tsaaro

Resources

Other Links

Tsaaro Netherlands Office

Tsaaro India Office

Tsaaro Noida Office

Tsaaro Bangalore Office

Tsaaro Mumbai Office

We’d love to help your organization achieve your Data Protection goals!