Businesses of all kinds have learned to adapt to new requirements for customer privacy since the European Union’s General Data Protection Regulation (GDPR) came into effect in May of 2018. But adapting has proved especially difficult for blockchain technology companies.
That’s because some of the biggest advantages of distributed ledger technologies – the fact that data on a public blockchain can be viewed by anyone and is preserved immutably – also create big problems for data privacy.
Consider the rights spelled out for data subjects under the GDPR: EU citizens can not only access personal information that businesses keep about them, but can also ask that such data be transferred elsewhere, corrected or even deleted. If that information is stored on a blockchain, though, such changes or deletions would break the chain and hurt users’ ability to trust the validity of recorded data.
“The GDPR’s right to erasure (the so-called ‘right to be forgotten’) naturally poses significant compliance hurdles to the ongoing development of immutable blockchain-based solutions involving storing and transacting with data about individuals,” notes a new report from the Centre for Global Enterprise (CGE). “Some have even declared blockchain fundamentally incompatible with the GDPR. While we take a more optimistic view, their concerns are not entirely misplaced.”
The organisations behind the CGE report – the centre’s Digital Supply Chain Institute, along with the law firms of Slaughter and May and Cravath, Swaine & Moore – say it’s possible to comply with the GDPR by using a private, permissioned and well-governed blockchain that avoids storing personal data. And if regulators don’t act to address blockchain’s privacy challenges, they add, advances in the technology could slow down or even end.
“The GDPR represents a paradigm shift,” says France’s data privacy regulator, the Commission nationale de l’informatique et des libertés (CNIL). “It is thus necessary to concretely assess the real necessity to use blockchain technology in light of the objectives and characteristics of each processing operation. In application of the privacy by design principle, the CNIL therefore calls for stakeholders to question, from a very early stage, the necessity of using blockchain technology, rather than an alternative technology, to carry out their processing operations.”
In a report published late last year, the CNIL notes it might be “technically possible” to comply with GDPR-related data erasure requests by deleting a keyed hash function’s secret key: the data in question would still exist on the blockchain, but it would no longer be accessible.
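The key-deletion approach the CNIL describes can be sketched as follows. This is an added example, not code from the CNIL report or from any project named in this article; the in-memory `ledger` list, the off-chain `key_store` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ledger = []      # append-only stand-in for the blockchain (constructed)
key_store = {}   # off-chain and deletable: ledger index -> secret key


def record(personal_data: bytes) -> int:
    """Put only a keyed hash of the data on the ledger; keep the key off-chain."""
    key = secrets.token_bytes(32)
    ledger.append(hmac.new(key, personal_data, hashlib.sha256).digest())
    index = len(ledger) - 1
    key_store[index] = key
    return index


def verify(index: int, claimed_data: bytes):
    """True/False while the key exists; None once the key has been erased."""
    key = key_store.get(index)
    if key is None:
        return None
    tag = hmac.new(key, claimed_data, hashlib.sha256).digest()
    return hmac.compare_digest(tag, ledger[index])


def erase(index: int) -> None:
    """Handle an erasure request: drop the key, leave the ledger untouched."""
    key_store.pop(index, None)


def guess_from_ledger(index: int, candidates):
    """What a ledger reader without the key can try: hash each candidate and
    compare. This recovers low-entropy data from a plain SHA-256 entry, but
    matches nothing when the entry is an HMAC under an unknown key."""
    for value in candidates:
        if hashlib.sha256(value).digest() == ledger[index]:
            return value
    return None


def demo():
    dob = b"1990-04-17"                      # constructed sample value
    idx = record(dob)
    before = (verify(idx, dob), verify(idx, b"1990-04-18"))
    snapshot = list(ledger)
    erase(idx)
    candidates = [b"1990-04-%02d" % d for d in range(1, 31)]
    return before, verify(idx, dob), ledger == snapshot, guess_from_ledger(idx, candidates)


if __name__ == "__main__":
    print(demo())
```

The erasure only holds if every copy of the key, including backups, and the off-chain copy of the data itself are deleted as well.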
In another 2018 study, the US-based financial services analyst Greenwich Associates surveyed executives working on blockchain technology and found that almost two-thirds believe the privacy solution for enterprise applications will lie in using zero-knowledge proofs.
“ZKP are a recent innovation,” Greenwich Associates expert Richard Johnson said in an October press announcement. “They require an additional layer of cryptography in the consensus protocol that allows one party to prove to another that something is true without revealing any other information.”
There are different ways to implement zero-knowledge proofs.
“For example,” states a report from the EU Blockchain Observatory and Forum, “someone can produce proof that they are over 18 years old without disclosing their actual age. ZKP applications hold great promise when it comes to privacy-by-design and self-sovereign ownership of personal data. However, there are few, if any, large-scale implementations of these techniques, and many subtleties in terms of how to apply them. For instance, the fact that someone is over 18 years old is still personal data.”
Some organisations are currently exploring the use of ZKPs to address data privacy concerns. They include JPMorgan Chase, which has developed Quorum, a version of Ethereum featuring a zero-knowledge security layer that “allows for cryptographically assured, private settlement of digitised assets”; the QURAS platform for “secret contract and data protection”; and AZTEC, a zero-knowledge protocol designed to “enable private transactions”. Researchers at Stanford University have also proposed a mechanism called Zether that they say improves on current ZKP systems and could be used in applications like voting as well as financial services.
“The privacy issues nowadays are very serious and difficult to solve,” the QURAS FAQ states. “Transactions of Bitcoin and Ethereum are exposed to third parties. The same can be said for the blockchain. It is not necessary to expose everything to everyone. Concerning privacy, QURAS gives the user the opportunity to choose whether he/she wants to disclose information or not.”