The European Parliamentary Research Service (EPRS) Report ties together the concepts of blockchain, distributed ledger technology (DLT) and the General Data Protection Regulation (GDPR). This raises important issues for companies, such as IDWorks, building Self-Sovereign Identity (SSI) solutions on decentralised networks. The Report explains that keeping personal data off-ledger is vital for blockchain and DLT to work in practice. IDWorks views this conclusion as something which reinforces its model of SSI and is an important consideration for the industry moving forward.
This article will firstly summarise the findings of the EPRS with a specific focus on SSI, and secondly, will assess whether SSI models can be compliant with the GDPR.
Key to the concept of a blockchain or distributed ledger technology (DLT) is that there is no overarching authority or ‘data controller’. Instead, each party running a node on the platform has a stake in the decision making of the system. Therefore, the core ethos of a blockchain is at odds with the language of the General Data Protection Regulation (GDPR), which was written with centralised models in mind. This divergence potentially creates tension for companies working in the decentralised technology sector.
“This is an era where confusion reigns”
The EPRS report attempts to square this circle and highlights ways in which the GDPR can be interpreted to incorporate blockchain/DLT. A summary of the Report is set out below:
“The concrete application of the concepts of controller and processor is 'becoming increasingly complex' due to the growing complexity of contemporary data environments.”
This should be avoided at all costs because it is not compliant with the GDPR. If personal data exists on the ledger, its immutability and the complex data controller/data processor framework do not allow data subject rights to be properly upheld.
This remains personal data unless the data is rendered anonymous. However, in practice, decryption must be possible, otherwise the data is useless. Encrypted data is only permissible on a blockchain if it is impossible for any party to decrypt.
There is a common misconception that hashed data stored on a blockchain is not personal data. Therefore, many companies use hashed data to attempt to circumvent data controller obligations.
Hashing may potentially anonymise data when the key to unlock the hash is deleted and the data is rendered useless.
Hashing can be used if the stored value merely points to where the data is stored off-chain (a hash-pointer). If, however, it is possible to unlock the hash using a key, even if only one individual holds that key, the hash value remains personal data.
Where data is classified as personal data, it should, where possible, be kept off-chain and merely linked to the ledger through a hash-pointer (or in the case of SSI, using a public DID). This makes it easier for the creator of the blockchain or DLT to comply with GDPR requirements.
Off-chain storage would help with compliance with the GDPR’s subject access rights such as the right of access to personal data, the right to data portability and the right to be forgotten.
“This architecture would store the hashed data pointers pointing to off-chain personal data and provide guarantees that the user data has not been altered by the user or anyone else”
Off-chain storage means that no personal data is immutable or irrevocable, which is beneficial for the user and the company.
“[Off-chain storage] will enhance trust and confidence in the system to all the stakeholders such as users, service providers and data purchasers”
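The hash-pointer architecture described above can be sketched in a few lines. This is an added example, not code from the EPRS report or from IDWorks; it assumes HMAC-SHA256 as the keyed hash, a Python list as a stand-in for the immutable ledger, and hypothetical function names. It shows the integrity guarantee on off-chain data, erasure by deleting the data and key, and why an unkeyed hash of a guessable value stays linkable to a person. It illustrates the mechanism only and does not settle the legal status of any stored value.

```python
import hashlib
import hmac
import secrets

LEDGER = []      # append-only stand-in for the blockchain: entries are never edited
OFF_CHAIN = {}   # erasable off-chain store: record_id -> (personal_data, key)

def register(personal_data: bytes) -> int:
    """Store data off-chain and append only a keyed hash pointer to the ledger."""
    key = secrets.token_bytes(32)  # per-record secret, kept off-chain only
    LEDGER.append(hmac.new(key, personal_data, hashlib.sha256).hexdigest())
    record_id = len(LEDGER) - 1
    OFF_CHAIN[record_id] = (personal_data, key)
    return record_id

def verify(record_id: int) -> bool:
    """Check that the off-chain data still matches the immutable pointer."""
    if record_id not in OFF_CHAIN:
        return False  # erased: nothing left to verify
    data, key = OFF_CHAIN[record_id]
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, LEDGER[record_id])

def erase(record_id: int) -> None:
    """Right to be forgotten: delete data and key; the ledger is untouched."""
    OFF_CHAIN.pop(record_id, None)

def linkable(ledger_value: str, known_value: bytes) -> bool:
    """Can a known personal value be matched to a ledger entry without any key?"""
    return hashlib.sha256(known_value).hexdigest() == ledger_value

def demo() -> dict:
    email = b"alice@example.com"  # constructed sample value
    plain_hash = hashlib.sha256(email).hexdigest()  # the unkeyed on-chain design
    rid = register(email)
    intact = verify(rid)
    _, key = OFF_CHAIN[rid]
    OFF_CHAIN[rid] = (b"mallory@example.com", key)  # simulate off-chain alteration
    tampered = verify(rid)
    erase(rid)
    return {
        "intact_verifies": intact,
        "tampered_verifies": tampered,
        "plain_hash_linkable": linkable(plain_hash, email),
        "pointer_linkable_after_erase": linkable(LEDGER[rid], email),
    }

if __name__ == "__main__":
    print(demo())
```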
Social media users do qualify as controllers for the information on a personal profile, provided that their activities are not subject to the so-called 'household exemption'. This rationale could potentially be extended to credential owners in SSI models.
In short, this is an Article of the GDPR that says that there is no need to appoint a data controller if data is being used purely in the context of a personal or household activity.
The report states that this exemption is unlikely to apply when personal data is stored on the blockchain, even if it is controlled by the individual. This is because its purpose will generally be of a commercial or professional nature.
This means that it is likely that individuals with control over wallets containing personal data, or verifiable credentials, would qualify as data controllers for that information.
A data subject as the data controller in relation to his/her own data could be regarded as empowering – the idea that the natural person would be 'in control of' her data in line with the GDPR's overarching rationale of ‘data sovereignty’.
However, the data subject is unlikely to understand the complexity of personal data processing implications and ecosystems and may be overburdened with responsibility and decisions.
The EPRS recommends further research is done on this specific point.
The EPRS report highlighted that blockchain and DLT can be used in compliance with the GDPR. However, the technology must be ‘purposefully designed to do so’. Public DIDs on a blockchain serve as what the Report referred to as ‘hashed data pointers to personal data’ which are compliant with the GDPR because they do not inherently contain personal data.
The solutions which the Report singles out all point towards IDWorks’ Self-Sovereign Identity (SSI) model as a viable solution, because personal data is stored off-ledger. This is crucial because SSI models can use all the benefits of blockchain/DLT (immutability, provenance, transparency, decentralisation) without contravening the requirements of the GDPR.
Yet, not all implementations of SSI exist in complete compliance with the GDPR. Some models allow more public write access, which could have adverse effects for personal privacy and data subject access rights. To read more about this see the article Public Permissioned vs. Private Permissioned Ledgers or read the EPRS report in full here.