By definition, blockchains are immutable. Good, but do they match the requirements of the GDPR?
If any personal information is stored on them, simply no.
So, how should a blockchain service be designed and what should users take care of?
The New Chained Blog Community service offers its users the possibility to post blog entries and comments on the blockchain. The users' names are also part of the stored information. The platform offers attractive features and advantages, like digital token rewards.
After some time a user decides to exercise the right to be forgotten, a fundamental provision of the GDPR.
How can the service provider comply with this user’s request? In no way.
The result of this single request is the death of the service. Since no block in the chain can be altered, the authorities would probably go after full nodes to take them offline, and the platform would eventually fail.
Yes, one single user request to be forgotten and the whole service could be out of … service.
The right to be forgotten, outlined in Article 17 of the GDPR, entitles the data subject to have the data controller erase their personal data and the data processor stop processing the data.
Consent alone doesn’t exempt from complying with the request, yet the GDPR allows for some exceptions concerning higher rights, legal requirements and public interest.
Users should be careful not to accept any waiver of their rights. The service provider could, for example, warn the user at registration and outline in its policy that the user is responsible for the content stored on the blockchain, that this content is immutable, and that by using the service the user is waiving their right to be forgotten.
While such notices are probably not even legal, since data controllers and data processors may not remove users’ rights, it’s wise to reject them anyway.
The GDPR doesn’t make a New Chained Blog Community service impossible, it just requires a thoughtful solution.
One possibility would be to store on the blockchain only the information needed to reach the data, which would be stored somewhere else. This solution would have the advantage of giving users full control over their data, since they could even pick and remove single items without interfering with the blockchain. On the other hand, it would mean managing one or more traditional databases in addition to the blockchain.
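A minimal sketch of this first option, added here as an illustration and not taken from any real platform: the chain holds only a random reference and a salted commitment, while the name and text live in an erasable off-chain store. The `Chain` and `BlogService` classes, the in-memory dictionary standing in for the database, and the choice to salt the commitment (so the on-chain digest cannot be matched by guessing the content once the salt is deleted) are all assumptions of the example.

```python
import hashlib, json, secrets

class Chain:
    """Toy append-only chain: each block hash covers the previous hash."""
    def __init__(self):
        self.blocks = []

    @staticmethod
    def _digest(prev, payload):
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": self._digest(prev, payload)})
        return len(self.blocks) - 1

    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._digest(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

class BlogService:
    def __init__(self):
        self.chain = Chain()
        self.store = {}  # off-chain and erasable: ref -> (salt, author, text)

    @staticmethod
    def _commit(salt, author, text):
        return hashlib.sha256(salt + f"{author}\n{text}".encode()).hexdigest()

    def post(self, author, text):
        ref = secrets.token_hex(16)     # random reference, no personal data
        salt = secrets.token_bytes(32)  # never written to the chain
        self.store[ref] = (salt, author, text)
        return self.chain.append({"ref": ref, "commit": self._commit(salt, author, text)})

    def read(self, index):
        payload = self.chain.blocks[index]["payload"]
        record = self.store.get(payload["ref"])
        if record is None:
            return None                 # erased on the data subject's request
        if self._commit(*record) != payload["commit"]:
            raise ValueError("off-chain record does not match on-chain commitment")
        return record[1], record[2]

    def erase(self, index):
        # Right to be forgotten: drop data and salt; the chain is untouched.
        self.store.pop(self.chain.blocks[index]["payload"]["ref"], None)
```

After `erase`, the block hashes are unchanged and `verify()` still passes, but the entry can no longer be read or re-derived from what remains on the chain.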
Another possible approach would be to encrypt the data with a user key and give the user the possibility to revoke the key at will, making the data unavailable. While compliant, this solution would require managing the public keys of the users and would not give the user the granularity of the previous option.
Whatever solution one might consider, it’s worth noting that, as required by the GDPR, it must have data protection by design and by default.
If you’re approaching the design of a blockchain service that could potentially manage personal data, what is your thoughtful solution?
If you’re a user of such a service, have you thought about this?