The Right to be Forgotten and the Immutability of Blockchain Technology
Written by Shrisha Sapkota
Blogger
To understand why it is difficult to erase data from a blockchain, the process of data storage and cryptography in a blockchain needs to be understood. In a blockchain, data is grouped into blocks that, upon reaching a certain size, are chained to the existing ledger through a hash[1]. The hash in a blockchain is created from the data that was in the previous block. The hash is a fingerprint of this data and locks blocks in order and time[2]. Hence, the ledger’s blocks have different key components, including the hash of all transactions contained in the block (its ‘fingerprint’), a timestamp and a hash of the previous block which creates the sequential chain of blocks[3]. Indeed, as one block is linked by a hash to another, changes in one block change the hash of that block, as well as of all subsequent blocks. Every ten minutes, all the transactions conducted are verified, cleared and stored in a block that is linked to the preceding block and each block must refer to the preceding block to be valid[4]. This structure permanently time-stamps and stores exchanges of value, preventing anyone from altering the ledger[5].
Mining is the process of adding transactions to a blockchain ledger by miners who secure and validate the transactions[6]. Data are chronologically ordered in a manner that makes it difficult to tamper with information without altering subsequent blocks, which is why blockchains are often described as ‘immutable’[7]. As blocks are continuously added but never removed, a blockchain can be qualified as an append-only data structure[8].
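The hash linking described above can be shown in a few lines. The following Python sketch is an added example, not taken from the cited sources: it builds a five-block chain, erases one record, and counts how many blocks must be re-hashed to make the chain verify again. The field names, the `[erased]` marker and the sample transactions are constructed for illustration, and mining and consensus are left out.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block

def tx_fingerprint(transactions):
    """Hash of all transactions in a block (the block's 'fingerprint')."""
    return hashlib.sha256(json.dumps(transactions).encode()).hexdigest()

def block_hash(block):
    """Hash over the header: index, timestamp, fingerprint, previous hash."""
    header = [block["index"], block["timestamp"], block["tx_hash"], block["prev_hash"]]
    return hashlib.sha256(json.dumps(header).encode()).hexdigest()

def append_block(chain, transactions, timestamp):
    block = {"index": len(chain), "timestamp": timestamp,
             "transactions": list(transactions),
             "tx_hash": tx_fingerprint(transactions),
             "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV}
    block["hash"] = block_hash(block)
    chain.append(block)

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for b in chain:
        if (b["prev_hash"] != prev or b["tx_hash"] != tx_fingerprint(b["transactions"])
                or b["hash"] != block_hash(b)):
            return b["index"]
        prev = b["hash"]
    return None

def rebuild_from(chain, index):
    """Re-hash block `index` and every later block; return how many were rewritten."""
    prev = chain[index]["prev_hash"]
    for b in chain[index:]:
        b["prev_hash"] = prev
        b["tx_hash"] = tx_fingerprint(b["transactions"])
        b["hash"] = prev = block_hash(b)
    return len(chain) - index

def demo():
    chain = []
    for i in range(5):  # constructed sample data, one block per ten minutes
        append_block(chain, [f"alice pays bob {i}"], timestamp=600 * i)
    original_tip = chain[-1]["hash"]
    chain[1]["transactions"][0] = "[erased]"   # naive in-place erasure
    broken_at = first_invalid(chain)           # verification now fails here
    rewritten = rebuild_from(chain, 1)         # repair: re-hash blocks 1..4
    return broken_at, rewritten, first_invalid(chain), chain[-1]["hash"] != original_tip
```

After the rebuild the chain verifies again, but its final hash no longer matches the copy held by every other node, which is why an erasure cannot be carried out by one participant alone.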
Rather than being stored on the ledger in plain text, data is usually encrypted or hashed before it is added to a blockchain[9]. Two cryptographic tools are particularly important in the context of DLT: public key infrastructure (PKI) and hash functions. In the public key infrastructure, the blockchain is encrypted through public and private keys. Every user has a public key representing the user, best thought of as an account number, that is shared with others to enable transactions, and a private key, best thought of as a password, that must never be shared with others. A public key allows the user to receive encrypted data and the private key can decrypt it to allow access to the data. In this process, encrypted data can be ‘unlocked’ and reverted to its original state with the right cryptographic key. Data can also be hashed rather than encrypted. A cryptographic hash is a one-way function that cannot be reverse-engineered, meaning that no key can unlock data that has been hashed. Due to this technical structure, it is not possible to remove data stored on a blockchain, which brings benefits of its own, such as untampered data, no need for an intermediary for transactions, and faster and cheaper transactions. Thus, tamper evidence is regarded as one of the most heralded features of a blockchain.
Article 17 GDPR
According to Article 17(1) GDPR, a data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.
The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
The personal data have been unlawfully processed.
The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The personal data of a child under sixteen years of age has been collected to offer them information society services.
The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014) and was codified for the first time in the General Data Protection Regulation (GDPR)[10]. In the case, the Court of Justice of the European Union (CJEU), based on Directive 95/46, decided that Google must erase links to personal information from search results at the request of a data subject[11]. According to the decision, although data may initially be processed lawfully, the processing becomes incompatible with the directive where the data appear to be inadequate, irrelevant or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed[12].
Interpreting Article 17 GDPR
The Article aims to provide the data subject with control over personal data that directly or indirectly relates to them. Nonetheless, it is unclear whether data that belongs to a chain, which is important for the chain to function but not important in its independent identity, still serves the ‘purpose’ as mentioned in the GDPR.
According to the Article 29 Working Party, in the context of cloud computing, where personal data is ‘kept redundantly on different servers at different locations, it must be ensured that each instance of them is erased irretrievably’[13]. This means that for effective compliance with Article 17 GDPR, where a data subject requests erasure of data, the controller should remove personal data from all nodes in the network. The precise meaning of ‘erasure’ is not defined in the GDPR, opening the door to interpretations other than absolute deletion[14]. In the case of Nowak, the CJEU has indicated that the destruction of personal data equals erasure[15], but deleting or destroying data from DLT is burdensome as these networks are often purposefully designed to make the unilateral modification of data difficult[16]. Ideally, to enable data deletion, the participants of a blockchain would have to agree on an effective process to jointly execute a lawful request to erase personal data from the decentralised ledgers[17]. To falsify or alter data on a blockchain, control of at least fifty per cent of the nodes would be required[18]. If old transactions are to be removed retroactively, the majority of all connected nodes would have to verify the legitimacy of every affected transaction backward again, unbuild the entire blockchain and rebuild it afterwards[19]. If the blockchain follows the typical distributed architecture, erasing or falsifying data runs into a computational limit: the exponential increase in computational capacity needed to modify the chain in reverse, from the last block to the first, renders it unfeasible[20]. Moreover, as nodes are rewarded for their consistent control and validity of each block, the process becomes uneconomic[21].
According to Article 17(2), when the controller is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing, copying or replicating the personal data that the data subject has requested the erasure[22]. It is unclear what could be regarded as ‘reasonable steps’ taken by a controller, but the cost of implementation would be too expensive, and the limited computational capacity of blockchains or their technical limitations could be regarded as a lack of ‘available technology’. Hence, the question arises as to whether the reference to these factors could lead to an interpretation of the GDPR in favour of an alternative solution[23].
However, national data protection authorities have considered that erasure does not necessarily equal destruction. For example, the Austrian Data Protection Authority has recognised that the data controller can flexibly decide regarding the technical means of realising erasure and that anonymization can be seen as a means to realise erasure[24]. Moreover, the UK Information Commissioner’s Office has argued that putting data ‘beyond use’ may be satisfactory[25]. However, there is no consistent approach to interpreting the meaning of erasure, and hence it is clear that regulatory guidance is essential to clarify the meaning of ‘erasure’ in the context of blockchains. Moreover, although it has been mentioned that the data should be erased without undue delay, a particular time for erasure or retention of the data has not been determined.
Furthermore, the significance of Article 17(3) to DLT is unclear as the provision specifies that the right to be forgotten does not apply when the continued processing of data is required to comply with a legal obligation[26]. This raises the question of whether some transactions can be legally qualified as financial data and whether related obligations to store financial data could be applied in this context[27].
The Data Controller
According to Article 4(7) GDPR, a controller means the natural or legal person, public authority, agency or other body, which determines the purposes and means of the processing of personal data[28]. In the Wirtschaftsakademie case, it was decided by the CJEU that the concept of the controller has to be defined broadly, not necessarily referring to a single entity[29]. However, in a blockchain, one entity does not determine both the purposes and means of processing personal data. In private blockchains, a central intermediary can be identified and qualified as the data controller to whom the data subject’s claims would be addressed, but for other DLTs, there is no central point of control, as the network is operated by all nodes in a decentralised fashion[30]. Permissionless blockchains are distributed and decentralised peer-to-peer networks that everyone can participate in to interact with unknown or untrusted counterparties, which makes it difficult to identify a particular controller[31]. As every node of the system will process all data on the blockchain simultaneously in a public blockchain, if the notion of data controller implies any actual control over the information, either no node would qualify as such, as there is no individual control over the distributed blockchain, or every node where blockchain copies are technically processed would qualify[32]. If every node where blockchain copies are technically processed is regarded as a controller, then the concept of a joint controller as mentioned in Article 26(1) GDPR would apply. However, the nodes would fail to fulfil the requirements of Article 26(1) GDPR as it requires a transparent and clear allocation of responsibilities[33]. Additionally, in permissionless networks, the network nodes cannot be considered controllers as they do not decide about the purposes of data processing, but merely perform technical activities abstracted from the contents of data contained in the processed transactions[34].
According to the CNIL, blockchain participants who have the right to write on the chain and who decide to send data for validation by the miners can be considered data controllers, as they define the purposes (the objectives pursued by the processing) and the means (data format, use of blockchain technology, etc.) of the processing[35]. More specifically, the CNIL considers that the participant is a data controller when the said participant is a natural person and the personal data processing operation is related to a professional or commercial activity (i.e. when the activity is not strictly personal), and when that participant is a legal person who registers personal data in a blockchain[36]. For example, if a notary records his or her client’s property deed on a blockchain, the said notary is a data controller, and if a bank enters its clients’ data onto a blockchain as part of its client management processing, it is a data controller[37].
Hence, it might be possible to identify a central intermediary that can qualify as the data controller in permissioned blockchains, but it is nearly impossible to establish a data controller in public blockchains. So far, guidelines or solutions from a trusted source for identifying a data controller in a public blockchain cannot be found.
Conclusion
Overall, it is clear that there is a conflict between the right to be forgotten and the immutability of a blockchain. Immutability is a fundamental property of blockchain which certifies that transaction data residing in blockchains are tamper-proof, i.e. they can neither be removed nor mutated[38]. This append-only data structure signifies the permanent storage and availability of the stored information to everyone in the blockchain network, which guarantees transparency, security, transactional integrity, etc. on blockchain technology[39]. However, it stands in tension with the right to be forgotten, which protects data subjects’ privacy, and it is difficult to interpret Article 17 GDPR in terms of blockchain technology. Thus, there is a conflict between Article 17 GDPR, or the right to be forgotten, and blockchain technology.
References
[1] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p 7.
[2] Tiana Laurence, Blockchain for Dummies (2nd edn, John Wiley & Sons 2019), p 11.
[3] Finck (n 1) 7.
[4] D Tapscott and A Tapscott, Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World (Penguin Canada 2016).
[5] Ibid
[6] ‘What Is Mining? – Definition from Techopedia’ (Techopedia.com) <http://www.techopedia.com/definition/32530/mining-blockchain> accessed 1 October 2021.
[7] Finck (n 1) 90.
[8] Finck (n 1) 7.
[9] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 21 November 2021, p 13.
[10] ‘Right to Be Forgotten’ (General Data Protection Regulation (GDPR)) <https://gdpr-info.eu/issues/right-to-be-forgotten/> accessed 17 November 2021.
[11] Case C‑131/12 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González [2014] ECLI:EU:C:2014:317, para 100.
[12] Ibid
[13] Article 29 Data Protection Working Party, ‘Opinion 05/2012 on Cloud Computing’ (WP 196, 1 July 2012).
[14] Finck (n 1) 108.
[15] Case C-434/16 Peter Nowak v Data Protection Commissioner [2017] EU:C:2017:994, para 55.
[16] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019) 75.
[17] Eugenia Politou and others, ‘Blockchain Mutability: Challenges and Proposed Solutions’ (2019) PP IEEE Transactions on Emerging Topics in Computing, pp.6.
[18] Gianluigi Maria Riva, ‘What Happens in Blockchain Stays in Blockchain. A Legal Solution to Conflicts Between Digital Ledgers and Privacy Rights’ (2020) 3 Frontiers in Blockchain 36, p. 3.
[19] Matthias Berberich, Malgorzata Steiner, ‘Blockchain Technology and the GDPR – How to Reconcile Privacy and Distributed Ledgers?’ (2016) 2 European Data Protection Law Review 17, pp. 17 – 35 <https://doi.org/10.21552/EDPL/2016/3/21> accessed 12 September 2021.
[20] Gianluigi Maria Riva, ‘What Happens in Blockchain Stays in Blockchain. A Legal Solution to Conflicts Between Digital Ledgers and Privacy Rights’ (2020) 3 Frontiers in Blockchain 36, pp 3-4.
[21] Ibid
[22] General Data Protection Regulation, art 17(3).
[23] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p 107.
[24] Golden Data Law, ‘Austrian Data Protection Authority: The Erasure of Personal Data Is Also Possible Through anonymization’ (Golden Data, 5 February 2019) <https://medium.com/golden-data/austrian-data-protection-authority-the-erasure-of-personal-data-is-also-possible-through-4e61b882e4ad> accessed 9 October 2021.
[25] ‘Right to Erasure’ (5 October 2021) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/> accessed 9 October 2021.
[26] General Data Protection Regulation, art 17(3).
[27] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 107.
[28] General Data Protection Regulation, art 4(7).
[29] Case C‑210/16 Wirtschaftsakademie Schleswig-Holstein GmbH v Facebook Ireland Ltd [2018] ECLI:EU:C:2018:388, para 26–29
[30] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 99.
[31] Ibid 100.
[32] Matthias Berberich, Malgorzata Steiner, ‘Blockchain Technology and the GDPR – How to Reconcile Privacy and Distributed Ledgers?’ (2016) 2 European Data Protection Law Review 17, p. 424.
[33] General Data Protection Regulation, Recital 79.
[34] The GDPR and the Blockchain Technology (n 20).
[35] ‘Solutions for a Responsible Use of the Blockchain in the Context of Personal Data’ (CNIL, September 2018)
[36] Ibid
[37] Ibid
[38] Eugenia Politou and others, ‘Blockchain Mutability: Challenges and Proposed Solutions’ (2019) PP IEEE Transactions on Emerging Topics in Computing, pp. 1-1.
[39] Ibid