Once a transaction is recorded on a public ledger, it cannot be altered or deleted. This raises a question: if data regulations like GDPR grant a right to be forgotten, so that personal data must be erasable on request, what happens to the core nature of a public blockchain?
Public blockchains are designed to be transparent. Every transaction on a public blockchain can be traced and tracked, including wallet addresses, transaction amounts and timestamps. Transparency lets anyone verify that a transaction happened and that it was executed as intended. In exchanges that use no intermediary, so-called peer-to-peer transactions, transparency is one of the key factors in creating trust between the parties. It also raises privacy concerns, because anyone can view and trace any transaction that happens on a public blockchain. Addresses are pseudonymous rather than anonymous: an address can be linked to a real person, for example through an exchange that performed identity checks on its owner or by clustering the addresses it transacts with, and once that link is made, the person's entire transaction history is exposed. The balance between a transparent blockchain and data privacy laws has yet to be found.
Public blockchains are accessible to anybody anywhere; private blockchains require each user to be verified on entry
What's the difference between public and private blockchains?
The main difference between public and private blockchains is who can access them. Public blockchains, like Bitcoin or Ethereum, run on open-source software, and anyone can view, audit and participate in the network's activity. Private (permissioned) blockchains, on the other hand, verify each participant before granting access. They are typically used within company operations as a tamper-evident record, for example for sensitive healthcare data or supply-chain documentation. A shared ledger avoids duplicated copies of the data and the reconciliation problems they bring, and it creates a trusted record because entries cannot be altered after the fact. In a private network, though, that immutability only holds as far as the operators do: a small set of validators that run every node could in principle agree to rewrite history, so the trust rests on the consortium rather than on the protocol alone.
Data on a blockchain is accessible everywhere - but GDPR doesn't allow that
Data regulations like GDPR clash with the concept of public blockchains in many ways, simply because their principles are based on different values. GDPR requires a 'data controller' to be identified: the party responsible for safeguarding the data, for honoring data subjects' requests and for paying the potentially massive fines if the regulation is violated. The whole point of decentralization, however, is not to rely on any single controlling party, and assigning that role to someone inside a blockchain network (miners, node operators, developers, or the users who write data) is difficult. This is the first conflict that data regulators face with public blockchains.
Storing sensitive data in data centers rather than on-chain is one option for achieving GDPR compliance
Secondly, blockchain nodes are distributed worldwide, and the data they hold is not tied to any geography but is transferred and replicated across borders. This directly conflicts with GDPR's rule that personal data may not be transferred outside the EEA (European Economic Area) without appropriate safeguards. One approach is to keep personal data off-chain, in GDPR-compliant data centers, and to store on-chain only a cryptographic hash of it or some other reference to it. Two details matter for this to work. First, a plain hash of guessable data (an e-mail address, a date of birth) is still personal data, because anyone who can guess the input can confirm the guess by recomputing the hash; the on-chain value should instead be a salted hash or commitment, with the salt kept off-chain next to the record. Second, erasure then means deleting the off-chain record and its salt, after which the on-chain value can no longer be linked to anyone. This method reintroduces some centralization (the data centers), but it may work as a solid compromise for added on-chain privacy.
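The off-chain storage pattern described above, as an added example that is not part of the original article: personal data lives in an erasable store, only a salted commitment is anchored on the ledger, and a dictionary attack shows why an unsalted hash of guessable data is not enough. The `OffChainStore` and `Ledger` classes are in-memory stand-ins (an assumption) for a GDPR-compliant data center and a public chain, and the sample records are constructed, not real people.

```python
"""Off-chain personal data, on-chain commitment, erasure by deleting the off-chain row.

Added example, not the article's own code. Assumptions: OffChainStore and Ledger
are in-memory stand-ins for a GDPR-compliant data centre and a public chain.
"""
import hashlib
import json
import secrets

# Constructed sample records used only for this demo (not real people).
SAMPLE_PEOPLE = [
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1990-05-01"},
    {"name": "Bob Example", "email": "bob@example.org", "dob": "1985-11-23"},
]


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so equal records always hash identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unsalted_reference(record: dict) -> str:
    """Naive design: on-chain reference = SHA-256 of the raw record (guessable)."""
    return hashlib.sha256(canonical(record)).hexdigest()


def salted_commitment(record: dict, salt: bytes) -> str:
    """Hiding commitment: SHA-256 over a random 32-byte salt plus the record.
    Without the salt, the digest cannot be checked against a guessed record."""
    return hashlib.sha256(salt + canonical(record)).hexdigest()


class OffChainStore:
    """Stand-in for the data centre: keeps record and salt, supports erasure."""

    def __init__(self) -> None:
        self._rows: dict[str, tuple[bytes, dict]] = {}

    def put(self, subject_id: str, record: dict) -> str:
        salt = secrets.token_bytes(32)
        self._rows[subject_id] = (salt, record)
        return salted_commitment(record, salt)

    def get(self, subject_id: str):
        return self._rows.get(subject_id)

    def erase(self, subject_id: str) -> None:
        """Right to be forgotten: drop record and salt. The digest left on-chain
        is now just a random-looking value nobody can link back to a person."""
        self._rows.pop(subject_id, None)


class Ledger:
    """Append-only stand-in for the chain: entries can be added, never removed."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, entry: dict) -> int:
        self._entries.append(dict(entry))
        return len(self._entries) - 1

    def entries(self) -> list[dict]:
        return [dict(e) for e in self._entries]


def register(store: OffChainStore, ledger: Ledger, subject_id: str, record: dict) -> str:
    """Store the personal data off-chain and anchor only the commitment on-chain."""
    ref = store.put(subject_id, record)
    ledger.append({"ref": ref, "event": "identity_verified"})
    return ref


def check(store: OffChainStore, ledger: Ledger, subject_id: str) -> bool:
    """Re-derive the commitment from the off-chain row and confirm it is anchored."""
    row = store.get(subject_id)
    if row is None:
        return False  # erased or never stored: nothing links the chain entry to anyone
    salt, record = row
    return salted_commitment(record, salt) in {e["ref"] for e in ledger.entries()}


def dictionary_attack(target_ref: str, guesses: list[dict]):
    """Attacker model: hash guessed records and compare with a value read from
    the chain. Works against unsalted hashes of guessable data, fails on salted ones."""
    for guess in guesses:
        if unsalted_reference(guess) == target_ref:
            return guess
    return None


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    ref = register(store, ledger, "alice", SAMPLE_PEOPLE[0])
    print("linked before erasure:", check(store, ledger, "alice"))
    print("unsalted hash recovered:", dictionary_attack(unsalted_reference(SAMPLE_PEOPLE[0]), SAMPLE_PEOPLE))
    print("salted commitment recovered:", dictionary_attack(ref, SAMPLE_PEOPLE))
    store.erase("alice")
    print("linked after erasure:", check(store, ledger, "alice"), "| chain entries:", len(ledger.entries()))
```

Design note: the salt is what makes deletion meaningful. If the same guessable record were hashed without a salt, erasing the off-chain copy would change nothing, because anyone holding a candidate record could re-derive the on-chain value forever.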
Zero-Knowledge Proofs as a data security measure
Zero-Knowledge Proofs (ZKPs) allow a statement about sensitive information to be verified without revealing the information itself. One application is transaction verification: the prover shows that a wallet holds enough funds to cover a payment without revealing its exact balance. When transparency conflicts with privacy in decentralized systems, ZKPs offer both privacy and assurance, for example by proving that a user is over 18 or resides in a certain country without the user having to show a passport. The sensitive data stays private, but the goal, verifying the claim, is achieved. The verifier learns only that the statement is true; the proof should also be bound to a specific context, such as the transaction it authorizes, so that it cannot be replayed elsewhere.
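As an added example that is not part of the original article: a Schnorr proof of knowledge, the simplest ZKP, written in plain Python. The prover convinces a verifier that it knows the secret x behind a public value y = g^x mod p without revealing x, and a simulator shows why the transcript leaks nothing. The same commit-challenge-response shape underlies the age and residency proofs mentioned above, which additionally need range proofs that are not shown here. The group is generated at runtime at a toy 64-bit size (an assumption for speed; real deployments use 2048-bit groups or elliptic curves), and the context strings and function names are mine.

```python
"""Schnorr zero-knowledge proof of knowledge of a discrete logarithm.

Added example, not the article's code. Assumption: a freshly generated 64-bit
safe-prime group, which is far too small for real use but keeps the demo fast.
"""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (error probability below 4**-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int):
    """Return (p, q, g) with p = 2q + 1, both prime, and g generating the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, hence has order q


def keygen(grp):
    """Secret x in [1, q-1] and public y = g^x mod p."""
    p, q, g = grp
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def fiat_shamir_challenge(grp, y, t, context: bytes) -> int:
    """Non-interactive challenge: hash of the public values, the commitment and the context."""
    p, q, g = grp
    transcript = b"|".join(str(v).encode() for v in (p, g, y, t)) + b"|" + context
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % q


def prove(grp, x, y, context: bytes):
    """Prover: commit to random r, derive the challenge, answer s = r + c*x mod q."""
    p, q, g = grp
    r = secrets.randbelow(q)
    t = pow(g, r, p)
    c = fiat_shamir_challenge(grp, y, t, context)
    return t, (r + c * x) % q


def verify(grp, y, proof, context: bytes) -> bool:
    """Verifier: accept iff g^s == t * y^c mod p. Never sees x."""
    p, q, g = grp
    t, s = proof
    if not (1 <= t < p and 0 <= s < q):
        return False
    c = fiat_shamir_challenge(grp, y, t, context)
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def verify_interactive(grp, y, t, c, s) -> bool:
    """Same check with an explicitly supplied challenge (the interactive protocol)."""
    p, q, g = grp
    return pow(g, s, p) == (t * pow(y, c, p)) % p


def simulate(grp, y):
    """Zero-knowledge simulator: build an accepting interactive transcript for y
    WITHOUT knowing x, by picking c and s first and solving for t. Because such
    transcripts are distributed exactly like real ones, a transcript cannot leak x."""
    p, q, g = grp
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = (pow(g, s, p) * pow(y, q - c, p)) % p  # y^(q-c) == y^(-c) since y has order q
    return t, c, s


if __name__ == "__main__":
    grp = safe_prime_group(64)
    x, y = keygen(grp)
    proof = prove(grp, x, y, b"tx:pay-merchant-42")
    print("honest proof verifies:", verify(grp, y, proof, b"tx:pay-merchant-42"))
    print("same proof replayed on another tx:", verify(grp, y, proof, b"tx:pay-merchant-43"))
    wrong_x, _ = keygen(grp)
    print("proof from wrong secret:", verify(grp, y, prove(grp, wrong_x, y, b"tx:pay-merchant-42"), b"tx:pay-merchant-42"))
    t, c, s = simulate(grp, y)
    print("simulated transcript accepted:", verify_interactive(grp, y, t, c, s))
```

Usage note: the Fiat-Shamir hash turns the interactive protocol into a single message and binds the proof to the context string, which is why the replay under a different transaction fails. The simulator works only for the interactive variant because the challenge there is not fixed by a hash; that is precisely the property showing the verifier gains no knowledge of x.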
Conclusion?
Data law and blockchain technology have largely advanced separately, when in reality they are closely intertwined and should evolve together. Society is still finding ways to regulate the decentralized internet without suffocating its purpose, transparency, traceability and freedom from central governance, while keeping data as private and secure as possible. Regulations and laws exist to protect people, but if they keep clashing with the core nature of public blockchains, one of the two sides is in for a heavy disappointment. Compromises need to be found, because decentralization shouldn't exclude data privacy, and vice versa.
Sanni S