The General Data Protection Regulation (GDPR) includes in its provisions Article 17, the Right to be Forgotten, which could potentially be a formidable barrier to the ubiquitous introduction of cryptographic blockchain software and technology. Despite this, there has been an investment mania for Blockchain Technology, with more money having gone into Bitcoin and other cryptocurrencies, blockchain, smart contracts and distributed ledger technology than even into Artificial Intelligence (AI). A few of these may prove to be commercially successful, disruptive game-changers, and usher in the possibility of a new global 'crypto-economy' paradigm. But so far many have tended to be significantly fuelled by the 'black cash' of drug-dealers, money-launderers, traffickers and the like; and in Q2 2019, misappropriation of cryptocurrency funds netted criminals some $4.26 billion. The foundations of global digital currencies go back well before the Satoshi bitcoin paper of 2008. Those early digital e-commerce visions did not require a cryptographic blockchain 'mining', or 'distributed consensus', existential model, and were not intended to be so readily riven with the criminal black-market profiteering of money-launderers, scammers and fraudsters that bedevils much current cryptocurrency activity. Looking ahead, Facebook’s Libra digital currency could establish a new global e-commerce paradigm much closer to the pre-bitcoin electronic cash visions, and one more compliant with the existing norms and customs of the Rule of Law, where a responsible Trusted Third Party, in this case Facebook, is fundamental. Cryptocurrencies apart, some blockchain applications more generally are likely here to stay, and the majority will be robust implementations by established major corporations, with most of us, as consumers, hardly needing to know any of the details.
For the properly-cautious ICT expert and professional, when considering the use of blockchain for any proposed use case, the ‘fundamental things apply’. The legal status of blockchain cryptocurrency, smart contract and distributed ledger technology is not clear, or uncontentious, and in the USA, there is already ICO litigation on foot. There is always the need for Trusted Third Parties, and for probative Electronic Evidence. Crypto Dragons, the many and varied Financial Disputes over Crypto Assets have arrived. Such complaints, disagreements, conflicts, with civil and criminal claims and legal actions, are increasing, driven by the growth in crypto scams, thefts, losses and investigations, with many such disputes reaching the courts. A key point at trial will be examination of the Digital Evidence and, although a Crypto Asset may essentially be 'decentralized digital vapour', a Court of Law can make a binding Order to get forensic traction on it, because of the legally well-established Obligation of Disclosure. This article concludes with a Checklist giving practical, generally applicable wording for an effective Digital Asset Disclosure exercise.
Blockchain and the Right to be Forgotten
"Blockchain technology introduces permanence and immutability into the digital world. … the technological revolution that commoditizes trust … Trust normally has to be enforced via laws, courts, … fallible institutions. Replacing these with disinterested cryptography promises a revolution in the way we enable trust. … [This brings up] the right to be forgotten. A law that grants individuals, under some circumstances, the right to demand of websites that they remove information about themselves. However, in a distributed consensus system like blockchain, enforcing the right to be forgotten becomes technically impossible. …"
Júlio Santos, November 6th, 2017.
The Right to be Forgotten could potentially be a formidable barrier to the ubiquitous introduction of computer and communications systems applications based on cryptographic blockchain software and technology. The General Data Protection Regulation (GDPR), in force from May 25, 2018, includes in its provisions Article 17:
"Right to erasure ('right to be forgotten')" ... (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; …
With the ‘permanence and immutability’ of data records written to the blockchain being emphasised as one of its fundamental, key features, in a wide range of use cases where acquisition, processing and recording of personal data is critical, blockchain could possibly be structurally unable to be compliant with Article 17, Right to Erasure, of GDPR. The Commission nationale de l'informatique et des libertés (CNIL), the independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data, has identified this fundamental issue:
“… one of the characteristics of blockchains is that the data registered on a blockchain cannot be technically altered or deleted: once a block in which a transaction is recorded has been accepted by the majority of the participants, that transaction can no longer be altered in practice. … technical solutions … should be examined by stakeholders in order to solve this issue. The CNIL … questions their ability to ensure a full compliance with the GDPR. …
As a reminder, a blockchain can contain two categories of personal data:
The identifiers of participants and miners:
Each participant has an identifier comprised of a series of alphanumeric characters which look random, and which constitute the public key to the participant’s account. This public key is linked to a private key, known only by the participant…
The CNIL therefore considers that this data cannot be further minimised and that their retention periods are, by essence, in line with the blockchain’s duration of existence.
Additional data (or payload):
Besides the participants’ identifiers, the additional data stored on the blockchain can contain personal data, which can potentially relate to individuals other than participants and miners.
As a reminder, the principle of data protection by design (Art 25 of GDPR) requires the data controller to choose the format with the least impact on individuals’ rights and freedoms.”
Others have proposed potential technical solutions, for example:
“The Workaround …Storing personal data on a blockchain is not an option anymore according to GDPR. A popular option to get around this problem is a very simple one: You store the personal data off-chain and store the reference to this data, along with a hash of this data and other metadata (like claims and permissions about this data), on the blockchain.”
Andries Van Humbeeck, November 21, 2017.
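The workaround quoted above, written out as an added example (this code is not from the original article or from Van Humbeeck): personal data lives only in a mutable off-chain store under the controller's control, while the append-only ledger holds just a hash reference to it plus metadata. The salt in the commitment is an assumption added here, not part of the quoted workaround; it is included so that the hash left behind on the ledger cannot be matched against guesses of the personal data once the record is gone. The names `Ledger`, `OffChainStore`, `register` and `demo` are illustrative, and the sample record is constructed.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def commit(salt: bytes, data: bytes) -> str:
    """Commitment to `data`: SHA-256 over a random salt followed by the data.
    The salt is an assumption added in this example (the quoted workaround
    says only 'a hash of this data'); without it a retained on-chain hash of
    low-entropy personal data could be matched by hashing candidate values."""
    return hashlib.sha256(salt + data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    commitment: str   # hash reference to the off-chain record
    metadata: dict    # claims / permissions about the data, never the data itself
    block_hash: str


class Ledger:
    """Append-only chain standing in for the blockchain: entries are never edited or removed."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    @staticmethod
    def _hash_block(index: int, prev_hash: str, commitment: str, metadata: dict) -> str:
        body = json.dumps([index, prev_hash, commitment, metadata], sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, commitment: str, metadata: dict) -> Block:
        index = len(self.blocks)
        prev_hash = self.blocks[-1].block_hash if self.blocks else "0" * 64
        block = Block(index, prev_hash, commitment, metadata,
                      self._hash_block(index, prev_hash, commitment, metadata))
        self.blocks.append(block)
        return block

    def is_intact(self) -> bool:
        """True if every block's hash and back-link still check out."""
        prev_hash = "0" * 64
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev_hash:
                return False
            if self._hash_block(b.index, b.prev_hash, b.commitment, b.metadata) != b.block_hash:
                return False
            prev_hash = b.block_hash
        return True

    def has_commitment(self, commitment: str) -> bool:
        return any(b.commitment == commitment for b in self.blocks)


class OffChainStore:
    """Mutable store under the controller's control; the only place the data itself lives."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # commitment -> (salt, data)

    def put(self, data: bytes) -> str:
        salt = secrets.token_bytes(16)
        c = commit(salt, data)
        self._records[c] = (salt, data)
        return c

    def erase(self, commitment: str) -> bool:
        """Handle an erasure request: drop the record and its salt from the store."""
        return self._records.pop(commitment, None) is not None

    def resolve(self, commitment: str) -> Optional[bytes]:
        """Return the data if it still exists and still matches the on-chain commitment."""
        rec = self._records.get(commitment)
        if rec is None:
            return None
        salt, data = rec
        return data if commit(salt, data) == commitment else None


def register(ledger: Ledger, store: OffChainStore, data: bytes, metadata: dict) -> str:
    """Store personal data off-chain and anchor only its commitment plus metadata on-chain."""
    c = store.put(data)
    ledger.append(c, metadata)
    return c


def demo() -> dict:
    ledger, store = Ledger(), OffChainStore()
    # Constructed sample record, not real personal data.
    c = register(ledger, store, b"Alice Example, DOB 1980-01-01",
                 {"claim": "identity-verified", "controller": "example-controller"})
    before = store.resolve(c) is not None
    erased = store.erase(c)
    after = store.resolve(c) is not None
    return {
        "retrievable_before": before,
        "erased": erased,
        "retrievable_after": after,
        "commitment_still_on_chain": ledger.has_commitment(c),
        "chain_intact": ledger.is_intact(),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the shape of the workaround: after the off-chain record is removed the data can no longer be resolved, yet the block carrying its commitment and metadata remains on the ledger and the chain still verifies, since nothing on-chain was touched.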
There is also a technician’s view that, in regard to interpreting and implementing ‘erasure’ in practice, simply ‘putting data beyond use’ electronically will satisfy the standards for GDPR data privacy. This would mean that, for example, setting record ‘delete’ flags, ‘losing’ cryptographic keys, or overwriting hash tables, will be sufficient to qualify as ‘erasure’.
However, I consider this too weak to satisfy what is intended and stipulated by Article 17 GDPR. If Article 17 had sought to provide only for ‘putting data beyond use’ it would have said so. The people doing the drafting would have been aware of, amongst other things, the established legal precedents and court orders on:
The word chosen in Article 17 of GDPR is ‘erasure’, and its intention and meaning is something clear, stringent and strong. If GDPR had intended ‘erasure’ just to mean, or include, ‘putting data beyond use’, or even ‘deletion’, in the usual technical sense that these terms are used and implemented in electronics and computer data technology practice, it would have made that, too, clear.
GDPR was years in the drafting, with many highly-qualified legal and technical people involved, globally, in intensive discussions and reviews, before finalisation. ‘Erasure’ and ‘erased’, being the actual words carefully enacted in the GDPR, have many clear synonyms in English: ‘Erasing’: eradicating, obliterating, destroying, abolishing, removing, shredding, disposing of, wiping out, dissolving, doing away with, getting rid of...
From an expert point of view, where digital data recorded on servers, or electronically held, copied, distributed and communicated in computer and communications media, systems and networks are concerned, ‘erasing’ can even mean, for true efficacy in practice, ‘returning to a free molecular state’ by way, for example, of ‘burning, consuming in flames’.
It follows that anyone implementing applications or systems using a blockchain, given the foundational, inherent ‘permanence and immutability’ of its data records, where such records may contain personally identifiable details of a ‘data subject’, will do so at risk of not being physically or verifiably able to comply with Article 17 GDPR, and thus potentially subject to the significant financial and other penalties available and arising thereunder.
It may be considered that there will be little likelihood of requests, whether to companies or organisations holding or processing systems and databases containing personally identifiable details of ‘data subjects’, or to the courts, for applicant data subjects to be ‘forgotten’. A few years back the possibility of widespread use of such requests may have seemed fanciful, but since the Cambridge Analytica allegations - that this data analytics firm used personal information harvested from more than fifty million Facebook profiles, without the data subjects’ permission, to build a system that could target US voters with personalised political advertisements based on their psychological profile - anyone using social media, for example, is now well aware of the right not to have personal data used for purposes for which they were not originally, and freely, provided.
Furthermore, even before the coming into force of GDPR the English Courts had upheld such a critical request: www.theguardian.com/technology/2018/apr/13/google-loses-right-to-be-forgotten-case (Google loses landmark 'right to be forgotten' case, by Jamie Grierson and Ben Quinn, Fri 13 Apr 2018: Businessman wins legal action to force removal of search results about past conviction). A businessman has won his legal action to remove search results about a criminal conviction in a landmark “right to be forgotten” case that could have wide-ranging repercussions. … the claimant … was convicted more than 10 years ago of conspiracy … .
Although the GDPR Article 17 risk to systems implemented using a blockchain, in use cases where personal data is to be recorded, presents a potentially serious implementation difficulty, there has been an investment mania for Crypto-Algorithmic Blockchain Technology, with far more money having gone into - gambled on - Bitcoin and other cryptocurrencies, blockchain, smart contracts and distributed ledger technology than even into Artificial Intelligence (AI). It has in the past seemed that almost every other Millennial was involved with an Initial Coin Offering (ICO) or Initial Token Offering (ITO). With just a ‘White Paper’, little or no investment due diligence, and taking advantage of a regulatory vacuum, this ‘Crypto Tribe’ raised billions in real legal tender, ‘fiat currencies’.
Dr. Stephen Castell Chartered Information Systems Practitioner and Member of the Expert Witness Institute, is Chairman of CASTELL Consulting. He is an internationally acknowledged independent computer expert who has been involved in a wide range of computer litigation over many years. He is a member of the Legal Affairs Committee of the British Computer Society, and a Committee Member, British Computer Society Law Specialist Group.
©Copyright - All Rights Reserved
DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.