The European GDPR regulation was not “designed” for decentralized systems. How can the right to change and delete data be exercised in an “irreversible” system? The data protection authorities (the Guarantors) will inevitably have to face the matter.
On September 27, 2018, Italy also joined the European Blockchain Partnership, the alliance that all EU countries and Norway had already joined. The aim of the initiative is to increase and improve security and privacy standards by sharing and exchanging experience and skills in the technical and regulatory fields, in both the public and private sectors.
Blockchain technology has varied fields of application in strategic sectors such as banking and finance, healthcare, insurance and industry. From smart contracts to real estate sales to online voting in political elections: these are some of the activities on which the market's spotlight has turned.
What sets Blockchain technology apart is its “decentralized” nature: data and/or transactions are contained in a database distributed on a peer-to-peer network, where any participant in the network can view, collect and exploit its content. This avoids the need to centralize the storage and management of data and transactions in one or more individual entities.
In “centralized” systems, on the other hand, only the owners of the system have access to and control over the database, and consequently over the data collected from users that it contains. In exchange for the services offered, they can also exploit these data economically. This is the case for Google and Facebook, both “centralized” platforms, that is, platforms that have control over the data and information relating to their individual members. Social platforms based on Blockchain technology are currently being tested: the beta version of “Ono”, the social network made in China, is the first to exploit Blockchain technology, and it already has 3 million users.
Why the need for a decentralized system?
The need for decentralization lies in users’ growing concern about losing control over their personal data and the information that travels over the internet.
In centralized systems, access to, control of and use of personal data are fundamental: for web companies, they are the key to generating profits. Google and Facebook, to which Amazon can also be added, hold such a large amount of information on Internet users that they effectively have control of the Web.
This creates inefficiencies and economic inequalities, since it effectively prevents new entrants from reaching the market: competing with these giants is practically impossible, with all that this implies for competition. Nor can users count on the “security” of their data: news of data leaks and hacker attacks is an everyday occurrence.
Google’s decision to block the consumer version of Google+, due to a bug that in March reportedly undermined the data security of over 500,000 accounts, is recent news. Equally recent was the announcement of a “security flaw” on Facebook that reportedly put more than 50 million accounts at risk and allowed hackers not only to access the social network's user data but also to recover data held on other “connected” platforms such as Instagram, Tinder and Spotify, to name a few. Users who use their Facebook credentials to access other platforms would have been particularly exposed.
The advantage of a decentralized system lies in the fact that individual users are given, or perhaps it would be more correct to say “returned”, the power to manage and control their data. It is therefore the individual user who decides which data to share and with which service provider. The data shared, and therefore generated and collected, by the individual user, and no longer exclusively by the web companies, could be made available and transferred for “common” purposes and consequently also be usable by third parties, as happens with open data.
In essence it would be a return to the original “vision” of Tim Berners-Lee, co-inventor of the World Wide Web: allowing people to exchange information and knowledge in a free and democratic way. The decentralization of data would ideally allow the dismantling of the excessive power of Google & co.
Does Blockchain technology comply with the GDPR?
The problem now arises of the compliance of Blockchain technology with EU Regulation 679/2016 on the protection of personal data, better known as the GDPR. The question is certainly pertinent, considering that this technology, by its nature and design, would not allow the deletion of data. Without going into the technical details: as soon as data is entered and shared on the network, it cannot be removed without compromising the reliability, security and validity of the Blockchain system itself. The entry of data is therefore an irreversible process.
Among the rights of the data subject under the regulation are the erasure, rectification and modification of personal data. In a centralized system, the data subject can exercise these rights by contacting the data controller. Now the question is: how does the data subject exercise these rights in a decentralized system, in which the data cannot be erased and is, moreover, public and usable by anyone?
To date there is no single answer. In fact, there is no “solution of solutions” that is compliant with the regulation. However, the developers of Blockchain technology have already advanced some technical hypotheses such as the so-called “off-chain storage” or the “destruction of encryption keys”.
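The “off-chain storage” hypothesis, and the reason on-chain deletion is not an option, shown as an added example (not code from the article or from any blockchain project). The `Ledger` class, the in-memory `off_chain` dictionary standing in for the controller's database, and the per-record HMAC-SHA256 commitment are assumptions made for illustration; the sample data is constructed.

```python
import hashlib, hmac, json, os

def block_hash(block):  # digest over the fields every peer re-checks
    body = json.dumps([block["index"], block["prev"], block["commitment"]])
    return hashlib.sha256(body.encode()).hexdigest()

class Ledger:  # hypothetical toy ledger, not a real blockchain client
    def __init__(self):
        self.chain = []      # append-only, copied to every peer
        self.off_chain = {}  # controller-side store: index -> (key, data)

    def append(self, personal_data):
        key = os.urandom(32)  # per-record key, kept off-chain only
        commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
        prev = self.chain[-1]["hash"] if self.chain else "0" * 64
        block = {"index": len(self.chain), "prev": prev, "commitment": commitment}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        self.off_chain[block["index"]] = (key, personal_data)
        return block["index"]

    def chain_valid(self):
        prev = "0" * 64
        for b in self.chain:
            if b["prev"] != prev or b["hash"] != block_hash(b):
                return False
            prev = b["hash"]
        return True

    def read(self, index):
        rec = self.off_chain.get(index)
        if rec is None:
            return None  # erased: only the keyed commitment remains on-chain
        key, data = rec
        tag = hmac.new(key, data, hashlib.sha256).hexdigest()
        return data if hmac.compare_digest(tag, self.chain[index]["commitment"]) else None

    def erase(self, index):
        self.off_chain.pop(index, None)  # deletes data and key; chain untouched

def demo():
    led = Ledger()
    a = led.append(b"alice@example.test")  # constructed sample data
    led.append(b"bob@example.test")
    before = led.read(a)
    led.erase(a)
    after_erase = (led.read(a), led.chain_valid())
    led.chain[a]["commitment"] = "0" * 64  # try to scrub the on-chain entry
    return before, after_erase, led.chain_valid()
```

Erasing the off-chain record leaves the chain verifiable, while altering the on-chain entry makes validation fail for every peer.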
It should be added that the European regulation was not “designed” for application to decentralized systems. The Guarantors' interpretation of the regulation, on whether or not the technology complies with it, will therefore be decisive.