Blockchains and user rights under EU data protection
Growing concerns about censorship, bias and unaccountable content management across social media platforms such as Facebook and Twitter are fueling the demand for decentralised and censorship-resistant social media platforms. To achieve such goals, some social media platform developers are turning towards blockchain technologies. However, questions about how those technologies can serve the principles of privacy and user control over their own data still remain to be answered.
While designing a blockchain-based decentralised social media platform, content storage is a central issue. Personal data collected and stored on-chain requires access control mechanisms for the usage of content that is restricted by the content owner’s authorization. The lack of such access and usage control standard mechanisms within conventional blockchains exposes the limitations of this technology with regards to privacy principles.
In this article, we narrow down our discussion to one of the conventional blockchain variants, permissioned blockchains, and discuss its limitations and benefits for GDPR compliance.
Permissioned Blockchains and GDPR compliance
One of the primary goals behind blockchain-based decentralised platforms (e.g. social media) is the GDPR compliance, especially for European markets if the solution aims to manage personal information. Its design should also allow end-users to decide what data should be shared and with whom, which also complies with the spirit of GDPR. However, there are disadvantages to the usage of some variants of the blockchain (for e.g. permissioned blockchains). Permissioned blockchain networks make use of centralised entities for access and permission control decisions. These centralised authorities are usually network administrators responsible for initialising and revoking permissions or certificates to end-users. In such cases, a single and final decision-making entity manages personal data and its privacy repercussions, which amounts to a single point of failure and thus allows content hampering or hacking. In this context, network administrators would be accountable for leaks of personal or sensitive information due to the access control they exercise over user data.
To eradicate such limitations of permissioned blockchain and abide by GDPR principles, certification entities may use content-encryption tools (by end-users) instead of managing direct access to the content itself. This enables end-users to decide how their data can be accessed. Such mechanisms might not only improve data security through certification and encryption but also enhance a data access control structure through which end users make the final decision regarding privacy control instead of network administrators.
Another point of concern related to the usage of permissioned blockchain technology for decentralised social media platforms is related to the right to be forgotten. By default, blockchain is immutable: the information stored on-chain cannot be changed or tampered throughout the network life-cycle. Immutability raises major issues regarding the storage of personal content on the blockchain. The following questions reflect some of those challenges:
Again, encryption comes to the rescue. Obviously, the information stored across the blockchain cannot be erased due to the basic principles of this technology. However, with user-side encryption policies in place, even if the information remains in the chain, any entity cannot access the information in case of revoked permission handled by the concerned user.
Another permissioned blockchain aspect needing consideration for personal content management is storage location. Current blockchain implementations define multiple ways to store personal content across multiple locations based on consensually applied replication policies. In such cases, content is automatically replicated across nodes within the network, where the selected location of nodes is decided by cost instead of their physical presence. Additionally, in such situations, the EU’s GDPR clearly states that any piece of personal information cannot be stored or transferred outside EU countries until and unless explicitly specified by the user. Moreover, such restrictions apply to all sorts of data transfers, no matter the size or how often such a process is carried out. This brings us to another specific implementation issue across decentralised social media platforms realisation using blockchain.
In the case of existing public blockchain implementations, such mechanisms don’t exist: nodes are added without any restriction to increase the computing power of the network by increasing the number of resources, hence failing to comply with GDPR. However, permissioned networks can be advantageous: by availing network administrators as centralised entities to control the resource requirements of the network, it is possible to choose only those resources residing within EU geographical boundaries. Such a solution would provide an impetus to ensure that, independent of the consensus, any piece of information will remain in the EU countries as defined by the administrator – thus in compliance to GDPR guidelines.
Taking into consideration the aforementioned issues and probable solutions of a permissioned blockchain technology, ARTICONF envisions its goals based on a series of building blocks for realising decentralised platforms. This entails proving technological solutions for the following questions regarding the market adaptation of ARTICONF’s final products.
How can a permissioned blockchain system avoid the pitfalls associated with centralized entities?
How can permissioned blockchain get the access control back to the end-users, and be compliant to GDPR?
Can the right to be forgotten be compatible with the immutability feature provided by blockchain technology?
Does data consensus and data replication in blockchain affect cross-border transfer rules, if yes how can we overcome it?
This Knowledge Base Resource was developed by University of Klagenfurt and Agilia Center. Our goal was to raise awareness related to the topics of anonymity and privacy, content ownership, user control of data and GDPR.
< Thanks for reading. We are curious to hear from you. Get in touch with us and let us know what you think. >