Because blockchain is immutable, it has defied the EU’s General Data Protection Regulation (GDPR) — which demands the right for users to be “forgotten”

There is a tremendous potential in the application of blockchain across different industries from supply chain to banking sectors. Over the years, this prevalent technology has proven its massive influence on the financial world through the rise of cryptocurrencies such as Bitcoin (BTC) and Ether (ETH). In spite of the disruptive innovation, there are some improvements to be made before it could achieve mass adoption. One area of concern is the privacy implication users have faced while dealing with an immutable and transparent public ledger. Blockchain was well-built to prevent data alteration and foster a decentralised and trustless system that could be used for many instances. However, the privacy concern was omitted in its design process.

In today’s world, the majority of the population and institutions depend heavily on the internet for day-to-day transactions, social interactions and acquiring new knowledge. Thanks to various reports on high profile data breaches and alleged surveillance performed by big tech companies, people are placing a greater importance on securing personal privacy protection in the face of an interconnected online world. Although various initiatives such as the EU’s General Data Protection Regulation (GDPR) were created to protect user’s privacy online, it has failed to stop corporations and governments from compromising the privacy rights of users.  As an up-and-coming technology, blockchain could play a vital role in enforcing the rights of personal privacy through its implementation, and even possibly, transform the concept of privacy itself to protect the interest of individuals.

The technology gap

In recent years, the onset of privacy issues pertaining to governments and corporations may be largely caused by the inability to quickly ‘make sense’ of the collected data. The National Security Agency (NSA) could be a good example of this issue. William Binney, a former NSA official had revealed back in 2015 that the US government's mass surveillance programs have become so engorged with data that they are no longer effective, losing vital intelligence in the fray. Similar problems occurred to reputable social media platforms and google earth, in which users’ data were collected at an exponential rate, while impeding the ability to make sense of the data as quickly as they were collected.

The risks involved could be consequential, as seen in the Facebook-Cambridge Analytica data leak scandal in early 2018. This technology gap may have allowed the issue to be left undetected for a long time, as more data accrues. However, relevant application of blockchain such as smart contracts could bridge the gap of the ongoing battle for personal privacy protection, eradicating the issue completely as a result.

Privacy with Blockchain

Contrary to popular belief, privacy and protection are two different aspects while trying to develop personal privacy protection with blockchain. Privacy is the right of the user, and could be defined as the ability of the individual to wholly decide on what kind of information about them should be collected. An individual should have the right to decide on which data a website should extract based on an individual’s browsing activity. For instance, the types of products that the user has browsed, the types of songs that the user listens to on music streaming platforms, as well as the timestamps of the pages browsed by the user. On the other hand, protection offered by the data extractor is the ability of the entity (the data extractor) to secure the collected data away from unwanted parties. Judging from both definitions, they are equally important to preserving the foundational privacy right of the user.

Since the implementation of the European Union’s GDPR in 2018, there has been a growing interest in the deployment of blockchain-based data security and user identity systems to tackle the privacy issue. Theoretically speaking, the decentralised and open source security measure could be an effective way of storing personal data. Given the current centralised-based system, data processed through a central authority has been proven to be susceptible to security compromises by third-parties. Thus, blockchain-based identity systems could grant individual users full autonomy over their own data, which can then be verified by the user as appropriate before sending the required data to the system. Due to the market’s demand for a long-term solution, numerous blockchain projects and organisations have been in the midst of development. One of the leading blockchain projects, Ethereum, has been working on creating new identification standards with their proprietary smart contract protocols as a top priority. Similarly, big tech companies such as Microsoft are also developing their own blockchain identification systems to cater the needs to fulfill the privacy obligation of individuals.

Decentralising digital identities

Principal program manager of Microsoft’s Identity Division, Ankur Patel has explained in 2018 that Microsoft is envisioning a future where digital identities would be decentralised, and through the use of blockchain, users can own their digital identity safely and privately. He further added that the self-owned identity must be user-friendly and allow users complete autonomy over how the identity data is accessed and utilised. Instead of having the data stored across numerous providers, the ideal scenario would be that of the storage of the user’s data over a secure encrypted digital hub, and the users will decide which apps and services they will wish to release their information seamlessly. Until the blockchain and wider technology community have developed and implemented the decentralised solution for a widespread usage, governments have to tighten the regulations which are already in place to protect the user’s privacy. For instance, fines for GDPR violations were increased to a hefty €20 million in the hope of putting off online entities from holding users’ data without their permission.

Two-sided Benefits

While the blockchain-based identification system was developed with the user in mind, it could also benefit companies that relied heavily on acquiring users’ data for advertising, verification, research or other purposes. With a suitable smart contract in place within the identification system, users can opt to reveal certain verified data points anonymously, without revealing their identities to the companies that are seeking the data. This system enhances the existing model of data collection and enables any company to still take advantage of user data without actually touching or storing unwarranted data, risking them with serious legal implications.

Additionally, the decentralised system may also satisfy the contentious right to be “forgotten” requirement of GDPR. This means that companies have to comply with the user’s decision to permanently erase the user data when requested, or if the data is no longer required for any purposes.

Although transactions stored on the blockchain are immutable and transparent, additional measures can be implemented to the identification system, which could facilitate securing of other elements that are in question today.

Moving forward with a fully decentralised privacy protection

In today’s marketplace, data is value. Every single search performed by the user on Google and items searched on ecommerce marketplaces—all of this information is being tracked because it is worth something to companies. The widespread usage of emerging technologies like The Internet of Things (IoT), and the network of billions of connected devices that users are sharing, will be providing exponentially more information (data) about users to companies looking into collecting. This will be the moment where blockchain holds the most personal privacy protection potential.

Blockchain represents the ability to empower users to decide which data they are willing to share, and with whom. Users would be unable to delete data collected based on their browsing activities. However, they could turn off access to that node of the blockchain to ensure that no one would be able to track the browsing records. Therefore, there is a tremendous potential for personal privacy and data protection with blockchain.

The first shift was a recognition that the question of withholding personal information was off the table, and largely incompatible with the digital world. From there it shifted towards discussion of exactly which data should and should not be shared, and how data needs to be protected. Blockchain, while introducing transparent and immutable decentralised ledgers to a widespread public usage, could potentially complement the demands of an ever changing needs for personal privacy with smart contract, oracles and other appropriate protocols in place to bridge the gap for both individuals and companies.