It is vital that blockchain, as with all new economic foundations, grows in tandem with standards. Zaisan has developed a systematic solution to enable GDPR-compliant blockchain services that adhere to these standards.
Blockchain was not the focus of the people who drafted the General Data Protection Regulation (GDPR) framework. At the time, the technology was not yet widely available.
The GDPR regulations are written with some form of centralised control in mind. This is the opposite of how blockchain technology is supposed to work. This article details the opportunities that arise from this new technology, its potential drawbacks, and the way Zaisan deals with those drawbacks.
Understanding Data Controllers
One can give many rights to a person, but without knowing against whom they can be invoked, these rights lack meaning.
Therefore, the GDPR regulations introduce a “data controller” role. This is a person to whom people may turn if they want to invoke their rights. A GDPR “data controller” is, as the name suggests, the person or entity that controls the data. It determines what data can be used, and how.
For example, if a company stores and uses data to communicate with its clients, that company “controls” such use, making them the data controller.
If a controller decides to hire third parties to help with the processing of data, these third parties are referred to as “data processors”. “Use”, “store” and many other actions performed on data are called “processing” in the GDPR.
How does this work with blockchain technology?
If a company uses blockchain to run software (a decentralised application, or dApp), that company is the controller for the data which the dApp processes.
But how about a public blockchain? Is the blockchain the hired hand? The “data processor”?
There is no contract between a dApp and the “blockchain”. The blockchain is not a single entity; rather, it is software that runs in a decentralised way. Node operators are often anonymous, and the company simply launches the dApp. So the relationship is unclear. Yet the blockchain is not a controller: it merely performs the instructions it receives from the dApp.
What about data blockchain processes without dApps?
How about processes such as transferring tokens and storing transactions? The blockchain should be the data controller. Yet again, though, the blockchain is not an entity. In this case, are all the nodes controllers? But they don’t “control”. They just “mine” transactions.
How could they be controllers? Blockchain is designed in a decentralised way.
It is therefore safe to say that it is impossible for a public, permissionless blockchain to establish or even determine a data controller and processor. For this reason alone, such a blockchain can never be compliant with GDPR.
GDPR-compliant public blockchains
A GDPR-compliant public blockchain is possible, but it needs some form of centralisation and control. There has to be an entity to which people can turn with their questions and demands. Additionally, this entity needs to ensure that sensitive personal data is not stored on-chain. This entity needs enough power to ensure GDPR compatibility of the blockchain, but not so much that it could tamper with the blockchain’s immutability and threaten the very core of blockchain technology.
There are many blockchains that have central entities involved to some degree. Often, it is a foundation that decides on code upgrades or similar matters. It is possible to give that entity enough controlling powers to make it the controller, if the software and its concrete setup allow it.
Europechain by Zaisan, built on delegated proof of stake (DPoS) software, is an example of a setup that is compatible in this respect.
As elsewhere, with Europechain the dApps are data controllers. They must conclude a processing agreement with Europechain, which will be the data processor. Before dApps are allowed to deploy on the Europechain public blockchain, they will have to prove that they will not store sensitive data on-chain.
Europechain concludes sub-processor agreements with all the nodes (the block producers). Without concluding a (sub)processor agreement, a party cannot run a dApp or become a node.
If there is no dApp involved in the transaction (for instance, in the event of token transfers on the base layer), Europechain is the controller. In that event, the nodes are not sub-processors but processors. The agreements are drafted so that they allow for this.
These agreements contain dispute resolution clauses, so that the powers of Europechain are kept in check and the nodes can readily be compelled to comply with Europechain’s instructions.
This setup provides adequate control to ensure that people are informed and are able to submit their requests to a competent and compliant entity. Furthermore, it provides the contractual infrastructure required under the GDPR.
Given that the powers of Europechain have been tailored to the position of a data controller, and given that they are kept in check by the dispute resolution system, Europechain’s position cannot endanger the blockchain’s core values.
Europechain’s setup proves that it is possible to find the right balance: a balance that is necessary for blockchain to become a mainstream infrastructure.
- It is impossible for a public, permissionless blockchain to establish or even determine a data controller and processor.
- With Europechain, Zaisan has developed a systematic solution to enable GDPR-compliant blockchain services that adhere to the standards new economic foundations require.
- The GDPR regulations introduce a “data controller” role: a person to whom people may turn if they want to invoke their rights.
- A GDPR-compliant public blockchain is possible, but it needs some form of centralisation and control.
- In the Europechain environment, the dApps act as data controllers.