
Consortium Blockchains, Private Chains and GDPR

Blockchain has impacted a variety of sectors, including government, banks, financial institutions, the real estate industry and healthcare, and has changed the manner in which business is conducted, contracts are enforced and assets are managed. Blockchain, in simple words, is a distributed database of records[1] shared on a decentralized network. The information stored on the blocks is viewed, analyzed and verified by computers (called nodes) connected to the network. Once information has been stored and verified, it is not practically possible to change, modify or corrupt it. Immutability, transparency and data storage are the features that set blockchain technology apart from traditional distributed databases. These features, however, are not necessarily supported by the European Union's (“EU”) new framework of data protection law, the General Data Protection Regulation (“GDPR”), which regulates the processing of personal data by individuals, companies and organizations.[2] GDPR came into force on May 25, 2018, and since then various workarounds have been proposed for making blockchain technology compliant with the GDPR.

One of the many solutions classifies blockchains on the basis of the permission levels granted to different categories of participants.[3] In this regard, blockchain technology can generally be divided into two broad categories: public blockchains like Bitcoin and Ethereum, and permissioned blockchains like Hyperledger and R3 Corda. Permissioned blockchains can be further grouped into two categories on the basis of the number of entities governing the system: private blockchains and consortium blockchains. While private blockchains feature a centralized infrastructure governed by a single entity, consortium blockchains involve several owners or companies which share the authority of governance among themselves. In a consortium blockchain, validation is performed by the known and identified members of the limited network, whereas in a private chain only the single governing entity has the power to write to the blockchain. Use cases of private and consortium blockchains include J.P. Morgan's Interbank Information Network (IIN), which facilitates cross-border payments; Voltron, a consortium of banks whose purpose is to simplify data sharing through digitization and decentralization; and Marco Polo, a consortium chain which simplifies trade by moving supply chain issues onto the blockchain platform.

Though consortium and private chains provide enhanced data security because transactions are not made public, organisations should take the following grounds into consideration before employing the technology.

1) Personal data under the GDPR means “any information relating to an identified or identifiable natural person”[4] and thus encompasses a wide range of personal identifiers within its scope. Both consortium and private chains involve the use of “hashed data”. A hash is regarded as a one-way function which cannot be reverse-engineered, but when seen through the lens of the GDPR it is considered a pseudonymization technique, which means that there is an inherent link between the hashed personal data and the data subject.[5] And if personal data is being processed, then the GDPR needs to be complied with.

2) The GDPR defines a ‘data controller’ in Article 4(6) as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. The GDPR's notion of a data controller was framed with traditional databases in mind, which are under the control of a central governing authority. A blockchain differs significantly in this context: it is a distributed ledger technology which an organisation chooses to adopt, with the means and manner of data processing already determined for that organisation. Further, several participants join the network in different capacities, which makes the task of identifying a data controller difficult. However, it has been argued that since private and consortium blockchains have defined entities which manage the network, responsibility to comply with GDPR requirements can be pinned on such entities, as they have been granted permission to write on the blockchain and make decisions with respect to sending data to other blockchain participants for validation.[6]

3) Due to the immutability of the data stored on a blockchain network, rights like the ‘right to be forgotten’[7] and the ‘right to rectification’[8] of the data subject come into direct conflict with blockchain. Each block in the blockchain contains a cryptographic hash of the previous block, so to modify or remove the data recorded in a particular block, all the blocks following that block need to be rebuilt and rehashed. This is not considered feasible in a public blockchain because of the underlying consensus algorithm, and this characteristic is what gives the blockchain its immutability. However, in the case of consortium chains, a consensus algorithm which allows for modification of data can be adopted. For example, Hyperledger utilizes Practical Byzantine Fault Tolerance (“PBFT”) as its underlying consensus mechanism.[9] In PBFT, the proposed block which is committed to the chain is the most agreed-upon block, which helps consortium chain members come to an agreement to alter previous blocks.[10] Such consensus is redundant in the case of a private blockchain, as the one central entity controlling transaction execution permissions can alter or erase data in a manner similar to traditional databases.[11]
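As an added illustration of points 1 and 3 (example code written for this page, not code from the article or from any platform it names), the following Python models a minimal hash-linked ledger whose records carry SHA-256 hashes of a constructed e-mail address: rectifying one block breaks the link of every block after it until they are all rehashed, and anyone who knows the e-mail can re-derive its hash and locate every record, which is why the hash is pseudonymous rather than anonymous. The block structure, field names and sample records are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass


def pseudonym(identifier: str) -> str:
    """Plain SHA-256 of an identifier: the 'hashed data' the article refers to."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str   # hash of the previous block, the link that gives immutability
    payload: dict    # constructed transaction record (assumed layout)

    def hash(self) -> str:
        body = json.dumps({"index": self.index, "prev_hash": self.prev_hash,
                           "payload": self.payload}, sort_keys=True)
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(payloads):
    chain, prev = [], "0" * 64  # all-zero placeholder parent for the first block
    for i, p in enumerate(payloads):
        chain.append(Block(i, prev, dict(p)))
        prev = chain[-1].hash()
    return chain


def first_broken_link(chain):
    """Index of the first block whose prev_hash no longer matches, or None if intact."""
    for i in range(1, len(chain)):
        if chain[i].prev_hash != chain[i - 1].hash():
            return i
    return None


def rehash_from(chain, start):
    """Rebuild the link of every block after `start`; returns how many had to change."""
    for i in range(start + 1, len(chain)):
        chain[i].prev_hash = chain[i - 1].hash()
    return max(0, len(chain) - start - 1)


# Constructed sample ledger: records carry a hashed e-mail instead of the e-mail itself.
SAMPLE_EMAIL = "alice@example.com"  # constructed value, not a real person
SAMPLE_PAYLOADS = [
    {"subject": pseudonym(SAMPLE_EMAIL), "amount": 100},
    {"subject": pseudonym(SAMPLE_EMAIL), "amount": 250},
    {"subject": pseudonym("bob@example.com"), "amount": 75},
]

def records_linked_to(chain, identifier: str):
    """Holding the identifier is enough to re-derive the hash and find every record."""
    return [b.index for b in chain if b.payload["subject"] == pseudonym(identifier)]
```

Editing the first block and calling `first_broken_link` shows the very next block rejecting the stale link; `rehash_from` then has to touch every later block, which is the rebuild cost the article describes.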

4) Data protection ‘by design’ is embodied in Art. 25 of the GDPR, which requires that principles like data minimization, storage limitation and pseudonymisation be adopted by the data controller. In permissioned blockchains, the identified data controller should state the purposes for which the data is to be used and limit its use to those purposes. However, the principle of storage limitation, which provides that data should not be stored for longer than it is needed, runs into a problem with consortium and private chains, as these keep a history of records.

5) Article 46 of the GDPR states that personal data may be transferred to a third country or an international organisation if appropriate safeguards are available. To address this, participants in a permissioned blockchain could be required to sign an agreement incorporating standard contractual clauses concerning the transfer of data across jurisdictions as a condition of participation.[12]

The points and solutions laid down above suggest that consortium and private blockchains may still be able to provide for the coexistence of GDPR and blockchain, which were once considered fundamentally incompatible.

______________ 

[1] Blockchain Technology, Sutardja Center for Entrepreneurship & Technology Technical Report, available at http://scet.berkeley.edu/wp-content/uploads/BlockchainPaper.pdf.

[2] What does the General Data Protection Regulation (GDPR) govern?, European Commission, available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en.

[3] Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, Commission Nationale Informatique & Libertés (CNIL), 2018, available at https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf.

[4] Article 4(1) of the GDPR.

[5] Anisha Mirchandani, The GDPR-Blockchain Paradox: Exempting Permissioned Blockchains from the GDPR, 29 Fordham Intell. Prop. Media & Ent. L.J. 1201 (2019), available at https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1730&context=iplj.

[6] Blockchain and the GDPR: Solutions for a responsible use of the blockchain in the context of personal data, Commission Nationale Informatique & Libertés (CNIL), 2018, available at https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf.

[7] Article 17 of the GDPR.

[8] Article 16 of the GDPR.

[9] Lawrence J. Trautman & Mason J. Molesky, A Primer for Blockchain, 88 UMKC L. Rev. 239 (2019). Another platform, Quorum uses IstanbulBFT which is an adaption of PBFT for blockchains.

[10] Omar Dib, Kei-Leo Brousmiche, et al., Consortium Blockchains: Overview, Applications and Challenges, 11 International Journal on Advances in Telecommunications (2018).

[11] Anisha Mirchandani, The GDPR-Blockchain Paradox: Exempting Permissioned Blockchains from the GDPR, 29 Fordham Intell. Prop. Media & Ent. L.J. 1201 (2019), available at https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=1730&context=iplj.

[12] John Timmons & Tim Hickman, Blockchain and the GDPR: Co-existing in contradiction?, White & Case, available at https://www.globallegalinsights.com/practice-areas/blockchain-laws-and-regulations/16-blockchain-and-the-gdpr-co-existing-in-contradiction.

Authored by Muskan Agarwal (Virtual Intern) with inputs from Kokila Alagh and Akshata Namjoshi. 