The General Data Protection Regulation (GDPR) was adopted by the European Union in 2016 and entered into force on 25 May this year. It strengthened the protection of EU citizens' personal information and has extraterritorial effect: its requirements apply not only to companies registered in the EU but also to those that process the personal data of EU residents and citizens, regardless of where the company is located.
The GDPR is intended to protect personal data, and the concept of personal data is defined very broadly. In effect, it is any information associated with an identifiable individual (who in this case is the data subject). Such information also includes encrypted data and the data of persons hiding behind a pseudonym.
A small loophole and concession lies in the fact that the personal data protection requirements do not apply to users' anonymous data. However, the scope for fully anonymous services is too limited. Although blockchain and cryptocurrencies continue to be associated with increased privacy and the protection of financial information from prying eyes, many important players in the crypto space are on the path of compliance and regulatory transparency. Large exchanges such as Coinbase, Poloniex, Kraken and Gemini are consistently improving relations with the US Securities and Exchange Commission (SEC) and obtaining broker-dealer licenses, which on the one hand allow an exchange to expand its list of trading instruments and avoid «falling into disgrace» as an illegal venue, and on the other hand involve the disclosure of user information.
Regardless of jurisdiction, whether the SEC, FINRA or the European institutions, registration requires an organization to comply with KYC (know your customer) and AML (anti-money laundering) laws. Both tools came to the crypto industry from traditional banking and stock market regulation. Under KYC, a financial company must identify its client and verify certain information, including personal data, the likelihood of involvement in illegal activities, and the legitimacy of the funds in the account.
As for AML, in April 2018 the EU Parliament approved new measures to combat money laundering that will apply to the cryptocurrency sector. The rules state that cryptocurrency exchanges will be required to verify all users, from traders to providers of cryptocurrency wallets. That is, all providers of blockchain services must register. Through total control of all market participants, parliamentarians «will put an end to the anonymity associated with virtual currencies and stock markets», the report said.
In such circumstances, it is impossible to offer a cryptocurrency service that is popular and in demand while also guaranteeing complete anonymity. Therefore, players in the crypto space who want to survive will have to make friends with the rules of the GDPR.
The GDPR implies two basic principles: accountability and the protection of personal data.
Accountability in the processing of personal data means that those involved in processing are divided into the «controlling party» (controllers) and the «processing party» (processors). Controllers are those who determine the «purposes and means» of data processing. Processors are those who follow the controlling party's instructions and process the data on its behalf.
The GDPR requires that these roles be assigned in advance, after which the parties must enter into a contract that specifies their responsibilities.
The second principle, data protection, is implemented in the GDPR by granting certain rights to the data subject (that is, the user, the real owner of the personal information). The data subject has the right:
To request access to the information about themselves that the company holds;
To ask for the information to be corrected if it is incorrect;
To request the removal of certain information if they do not want the company to hold it.
The second and third points are in obvious conflict with the nature of the blockchain, namely its immutability.
In fact, as explained by Dave Michaels, an employee of the Microsoft cloud computing research centre and a member of the Cloud Legal Project at Queen Mary University of London, «the data on the blockchain is actually not immutable, it is just difficult to change. The nodes jointly control all copies of the blockchain. They can change the data stored on the chain by moving to a new version, which is called a fork».
Michaels examines GDPR compliance using a specific example. He proposes imagining a hypothetical blockchain that helps verify the authenticity of information in a résumé, namely an academic degree. Suppose a group of universities has designed a blockchain. Each university holds a private key, and each degree that a university awards to its students is recorded on the blockchain and secured by that university. An employer can then see this information on the chain and verify the authenticity of what is stated in the résumé.
Academic degrees, however, contain personal information. The creators of the blockchain therefore need to provide a structure that does not violate the GDPR's requirements for the protection of information. The developers have two options: to create a public blockchain or a closed (private) one.
In the first case, anyone can download the blockchain and run it on their own device. A device that stores a current version of the blockchain becomes a node and joins the network of other such nodes. Bitcoin works on this principle. The more nodes there are, the safer the network, because it is more resistant to centralization, 51% attacks and other double-spending attacks. However, this scenario is very complex in terms of GDPR compliance.
The problem here is that the universities that developed the blockchain do not necessarily process the personal data. All the nodes of the network do. But the nodes do not control the network.
The result is a confusing distribution of roles in which it is hard to find the «responsible» parties, the controlling and processing parties, as the GDPR requires. The universities cannot be considered the controlling party. Michaels draws an analogy with a restaurant: if you imagine the controlling party as the chef in command of a restaurant, the universities do not fit this role. Rather, they «published a book of recipes, which everyone can cook at home».
Under this system, it is not clear how to determine who controls and who processes, or how to conclude between them the agreement on obligations that the GDPR requires.
«Suppose I don't want my degree to be stored on the blockchain. How will the universities satisfy my request for deletion?» writes Michaels.
To do this, they would have to convince every node to remove this information from its local copy of the blockchain. And even if all nodes agreed to do so, deleting data from a specific block would change the hash of that block. This would break the hash pointers that connect the blocks in the chain.
Here Michaels turns to the second option available to the blockchain's developers: creating a private blockchain, which makes GDPR compliance much simpler and more realistic in practice.
In this case, only the developers themselves (or persons they approve) control the blockchain. They manage the network's nodes, which can run on their own devices or on rented cloud capacity. There would most likely be far fewer nodes, but communication and coordination between them would be better.
When the universities set up a private blockchain and run it together, they can be deemed the controlling party. The cloud services provider (if any) can be considered the processing party, because it processes the data (provides computing power) on behalf of the universities. The universities and the cloud provider sign an agreement on obligations. In this way the GDPR's requirements for accountability and a clear division of roles are met.
To meet the GDPR's requirements on this point, blockchains must allow three main actions:
Searching for all instances of personal data relating to a particular individual;
Extracting the data and providing it to the individual in a portable format;
Editing or deleting data at the individual's request.
The last item is naturally the biggest problem.
If all the universities agree, they can remove certain data from a block. Although this breaks the hash pointers connecting the blocks, the universities can simply refresh the links between the blocks by generating new hashes. Because a private blockchain dispenses with the proof-of-work algorithm, this process does not require high computing power.
In this case, the credibility of the information stored on the blockchain rests solely on the credibility of the controlling universities. However, according to Michaels, there are ways to create trustless blockchains that allow information to be removed while maintaining the integrity of the blockchain (privacy by default, or «privacy-by-design»).
The first method uses encryption. In the example above, the universities could encrypt each record with its own pair of private and public keys and store the data on the chain in encrypted form. Instead of deleting the ciphertext, the universities can simply delete the public key attached to it. The ciphertext will still exist on the blockchain, but nobody will be able to access the data hidden behind it. Whether such information counts as deleted under the GDPR remains an open question. But under the laws of Great Britain, at least, it does, says Michaels.
The weakness of this method is that a public key can be stolen before it is deleted. Given the cases in which a hacking attack went unnoticed for several years, it is impossible to be sure that your public key has not been compromised and is not being held «in inventory» by a party that is interested in your data or your funds and will use the stolen key at the time it chooses. Another threat, which will almost inevitably become real at some point in the future, is quantum computing, which will be able to break any cryptography and thus release the locked personal information.
The second, more reliable method of removing information involves off-chain storage. The universities can obtain a hash of the degree they want to confirm by passing it through a hash function. They can then store the resulting hash on the blockchain and the degree itself (with all the personal information it contains) off-chain. Deleting information stored off-chain is not a problem, and after removal the data remains on the blockchain only in the form of a hash. One property of a cryptographic hash is irreversibility, that is, «for a given hash value m it must be computationally infeasible to find a data block X for which H(X) = m». Therefore, even with the hash, it is impossible to recover the information hashed in this way.
As with the first method, it is unclear whether this amounts to full removal of information under the GDPR, since anyone who holds the original data can compute the same hash, match it against the hash stored on the blockchain, and thus disclose the identity of the data subject. Michaels notes that this problem can also be resolved by adding a random sequence of values, a nonce, to the personal data. This provides protection on the condition that the nonce is not compromised.
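The off-chain scheme above, together with the hash-pointer breakage that deleting data inside a block causes, as an added Python example that is not from the article or from Michaels. The toy chain layout, the function names, the use of SHA-256 over nonce plus canonical JSON, and the sample records are all assumptions made for illustration.

```python
import copy, hashlib, json, secrets

GENESIS = "0" * 64

def commit(record: dict, nonce: bytes = b"") -> str:
    """SHA-256 over nonce || canonical JSON; an empty nonce gives a plain hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(nonce + body).hexdigest()

def block_hash(block: dict) -> str:
    return hashlib.sha256(f'{block["prev"]}|{block["payload"]}'.encode()).hexdigest()

def append(chain: list, payload: str) -> None:
    block = {"prev": chain[-1]["hash"] if chain else GENESIS, "payload": payload}
    block["hash"] = block_hash(block)
    chain.append(block)

def is_valid(chain: list) -> bool:
    """Recompute every block hash and check each hash pointer."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True

def on_chain(chain: list, digest: str) -> bool:
    return any(block["payload"] == digest for block in chain)

def demo() -> dict:
    # Constructed sample degree records (not real people).
    degrees = [
        {"student": "Alice Example", "degree": "BSc Physics", "year": 2016},
        {"student": "Bob Sample", "degree": "MA History", "year": 2017},
        {"student": "Carol Test", "degree": "PhD Chemistry", "year": 2018},
    ]
    plain_chain, salted_chain, off_chain = [], [], {}
    for i, rec in enumerate(degrees):
        nonce = secrets.token_bytes(32)
        off_chain[i] = {"record": rec, "nonce": nonce}  # deletable store
        append(plain_chain, commit(rec))                # unsalted hash on-chain
        append(salted_chain, commit(rec, nonce))        # salted hash on-chain

    # Employer check while the off-chain record still exists.
    entry = off_chain[1]
    verified = on_chain(salted_chain, commit(entry["record"], entry["nonce"]))

    # Erasure request: drop record and nonce off-chain; the chain is untouched.
    kept_copy = dict(off_chain.pop(1)["record"])  # a copy someone else still holds

    # Contrast: blanking the payload inside a block breaks the hash pointers.
    edited = copy.deepcopy(salted_chain)
    edited[1]["payload"] = ""

    return {
        "verified_before_erasure": verified,
        "chain_valid_after_erasure": is_valid(salted_chain),
        "unsalted_relinkable": on_chain(plain_chain, commit(kept_copy)),
        "salted_relinkable": on_chain(salted_chain, commit(kept_copy)),
        "edited_chain_valid": is_valid(edited),
    }

if __name__ == "__main__":
    print(demo())
```

The unsalted chain can still be linked to the data subject by anyone holding the original record, while the salted chain cannot once the nonce has been deleted along with the off-chain record.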
In late September, France's National Commission on Informatics and Liberty (CNIL) released official guidance on the interaction between the GDPR and the blockchain. Experts have identified several important aspects that the guidance clarifies:
The CNIL guidance distinguishes an additional category of «participants», which includes those who carry out transactions on the blockchain, that is, who have the right to write data to the blockchain and send it for validation to other network participants (miners and node operators). Since these parties themselves determine the purposes for which personal data will be processed and choose the means of processing (the blockchain), according to the CNIL they act as the controlling party.
As noted by Laura Gelle, one of the leaders of the blockchain division of the law firm BakerHostetler, this part of the CNIL guidance will have a significant positive impact on blockchain solutions for identity, which move control over personal data out of the hands of corporations and into the hands of users.
According to the CNIL guidance, the controlling party is either a natural person who processes personal data for professional or commercial purposes, or a legal entity that records personal data on a chain. «A natural person who is involved in the purchase or sale of bitcoin… may be considered the controlling party if it carries out these transactions as part of professional or commercial activities [and works] with other accounts of natural persons», the document says. By this definition, cryptocurrency exchanges fall directly under the GDPR's definition of a controlling party and are accordingly subject to all the rules for the controlling party.
The CNIL guidance suggests that any party that supports a transaction or writes data to the chain thereby processes personal information. Therefore, individuals or businesses that are miners or node operators should be considered processing parties.
The CNIL offers another way of «destroying» personal data stored on the blockchain: making access to the data practically impossible, «thus approaching the effect of data destruction». In addition, the guidance points to the possibility of destroying the private key or the value from which an encrypted or hashed result is generated. According to the authors of the document, this will be «enough to anonymize cryptographic commitments in such a way that they cease to possess the quality of personal data». Given that this method of «limiting access» to information by destroying the private key was described by Michaels, France joins Britain among the countries that equate restricting access with destroying information and consider it sufficient to meet the requirements of the GDPR.
5. The participants of a private blockchain must choose one participant to be the controlling party. Otherwise it will be assumed that they exercise joint control.
In the case of data stored on a closed (private) blockchain, the enterprises that control it are the ones that define the purposes of processing and enter data onto the chain. The CNIL leaves them two options:
To create a legal entity in the form of an association;
To choose one person who will make decisions on the protection of personal information.
If the group chooses neither of these options, the principle of joint control applies, that is, each participant will be held responsible for the personal data of all participants of the platform.
Smart contract developers will be considered the processing party if they develop smart contracts at the direction of a third party.
The guidance illustrates this aspect with the example of a particular smart contract launched last year by the insurance company AXA. In this case, «the developer offers the insurance company a solution in the form of a smart contract that allows the company to automate compensation to passengers when their flight is delayed. This developer will be deemed to be a party which processes the data, and the insurance company is the controlling party», reads the document.
7. Any business that wants to use blockchain technology should carefully evaluate privacy considerations before launching its solution.
According to the CNIL, organizations that develop or use blockchain solutions should treat the protection of personal data as paramount, both complying with the GDPR's requirements and minimizing potential harm to users.
The CNIL encourages companies to start by asking whether the blockchain is necessary in their particular case or whether the same result can be achieved with traditional centralized means. The CNIL guidance notes that «the blockchain is not always the best technology for data processing. It can cause difficulties for the owner [of data] subject to the requirements of the GDPR».
8. Private blockchains need to set a minimum number of nodes to protect the integrity of the data
The CNIL encourages blockchain operators to be aware of the threat of a 51% attack, in which a party that controls more than half of the network can see and manage transactions and, in effect, the whole blockchain. The guidance therefore advises introducing a mandatory requirement for a minimum number of nodes sufficient to eliminate this risk. Another aspect is adequate protection against collusion among node operators and consolidated control over the network (and therefore over personal information).
9. Data subjects should have the opportunity to challenge the results of smart contract execution. How is unclear.
As noted by Laura Gelle, the CNIL guidance is inconsistent on the extent to which the owner of personal data can challenge the result of an executed smart contract.
According to one passage, the user must be able to intervene in the operation of smart contracts, on the grounds that «the data subject shall have the right to human intervention to express their point of view and to challenge the decision, after which the contract may be fulfilled».
Yet the next sentence states that it is sufficient to allow the data subject to challenge the smart contract after its execution: «…requires that the controlling party has provided the possibility of human intervention, which will allow… the personal data subject to challenge the decision, even if the contract has been fulfilled».
Thus, the moment at which the data subject may intervene is not clear, but the CNIL requires developers to give the data owner the same level of influence over smart contracts.
10. There will be «right» and «wrong» ways to use the blockchain from the point of view of privacy and security, and more regulations will be developed subsequently.
Gelle said that on 3 October 2018 the European Parliament issued a resolution entitled «Distributed ledger technologies and blockchains: building trust without intermediaries». In it, distributed ledger technology is defined as «a tool that expands the rights of citizens, giving them the opportunity to control their own data». The resolution calls on the countries belonging to the European Parliament to promote the adoption and dissemination of the technology. In her opinion, this indicates that, contrary to fears, the EU does not seek to limit the use of the blockchain but wants to develop the safest scope for its application and even encourages its use.
For all the optimism of the approaches to reconciling the GDPR and the blockchain, it is hard not to notice that the requirement to remove information is not technically feasible. It then all depends on whether the parties behind the GDPR will make concessions and pretend that «loss of a key» is equal to complete removal of the information encrypted with it (although it is not).
An even more philosophical question is whether a «mutable blockchain» is a blockchain at all. Here again, everything depends on a willingness to make concessions in terminology, but this time it is the other side that should take a step forward. It should be noted that «true cypherpunks», Timothy May in particular, do not recognize private platforms as blockchains in the true sense. Although the trend of introducing closed corporate blockchains is being actively developed by a number of consortia, for some members of the community these developments are already beyond the decentralized space: «The tension between anonymous and KYC approaches is a key issue. This is "decentralization, anarchy and peer-to-peer" against "centralization, privacy and backdoor" (a part of the algorithm that allows the developer to gain unauthorized access to the data and control the system; note by DeCenter)… There are two roads: freedom vs. private and centralized systems», writes May.