Long reserved for cryptocurrency transactions, blockchain is becoming mainstream and aims to transform many sectors: logistics, the food industry, health; the possible uses seem unlimited.
This storage and transmission technology promises transparency and security through a protocol built from blocks. The hosts of the data, called miners, take part in validating each block (checking that its transactions are well-formed and authorized, and solving a computational puzzle) before it is appended to the chain. Note that the contents of a block are integrity-protected by hashing and linked to the previous block; they are not necessarily encrypted.
In short, during a transaction between two parties, each step is validated and hosted by the miners, then recorded in a ledger, after which the transaction is considered final. This system thus aims to guarantee the integrity and non-falsification of data.
But when it comes to data security, and especially personal data, can we speak of security with respect to the GDPR? Is there compliance?
GDPR, what are we talking about? The General Data Protection Regulation governs the processing of personal data in the territory of the European Union so that citizens can better control how their personal data is processed. Almost everything is personal data, from a first name to a bank account number. Thus, from collection to processing, companies and their processors (subcontractors) must guarantee the protection of this data.
This protection of personal data revolves around five major axes:
– data subjects must be informed of the collection and processing of their personal data and, where consent is the legal basis, give their consent to it
– the use of data must be transparent and relevant to the purpose for which it was collected and processed
– data subjects must have access to their data so that they can consult, correct and delete it at any time
– the sharing and circulation of data must be supervised and limited, even formalized by contract
– finally, personal data must be secured, both in IT terms and physically.
But then, what about securing personal data in a blockchain? Can blockchain users edit and delete their personal data from the ledger whenever they want? And what about the miners who host the data?
When we talk about blockchain, there are two types: public blockchain and private blockchain. A public, or open, blockchain can be viewed by anyone, with no restriction on participation in the network. Anyone can become a member of an open blockchain network: just download the protocol software, which embodies the network's operating rules, without even having to reveal one's identity.
Even if any modification of the protocol requires consensus among the miners, exchanges within the network remain peer-to-peer. In other words, there is no predefined controlling body. There is therefore no barrier to entry to this network, and no central control over who transacts. In practice, miners are free to host the data in whatever country they choose.
Taking a GDPR perspective, several steps in the protocol of a public blockchain are not compliant, and several points deserve scrutiny. First, the data itself: even where the data is hashed or encrypted within the network, it is not necessarily anonymous (a hash of a low-entropy identifier such as a name can be recovered by hashing candidate values until one matches, and a pseudonymous address that can be linked to a real person is still personal data). And when personal data is transferred, it is difficult, if not impossible, to know exactly who is accessing it, since the network is open to all. Moreover, because a public blockchain operates in a decentralized fashion, following the path of this data becomes even harder.
Unlike the public blockchain, in a private (or permissioned) blockchain the members of the network are selected by a central entity, generally the creator of the network, before they can download the protocol and use the network's services. Not only is a private blockchain not fully decentralized, but access to its network is restricted by a supervisory body.
On compliance, we are getting closer. Except that, to be fully compliant, it must be possible to erase personal data on request: in other words, to erase it from the ledger and from the copies hosted by the miners. The CNIL is clear: if personal data is processed, the blockchain must respect the principles of the GDPR. So let us apply the private blockchain to a sensitive area: health, and more specifically the transmission of electronic patient records between two practitioners.
A private blockchain means that a central entity creates the network, develops the protocol and restricts the download of the protocol to the miners selected for this transmission. In theory, such a blockchain can satisfy all the requirements of the GDPR except one. Indeed, what happens to the medical record once the transmission has taken place? Given that the very essence of a blockchain is to retain data so that it cannot be falsified (rewriting or removing a block's contents invalidates its hash and every block that follows it), can we imagine all the stakeholders erasing the medical file?
Why not, on condition that the central entity becomes a genuine controlling body and lays down strict rules on the retention of data by the miners. This entity could also impose dedicated servers for hosting the data. The central entity would then be responsible for applying the GDPR across the entire blockchain.
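The following is an added example, not code from the original article or from any project it mentions. It makes two of the points above concrete. First, the erasure problem: in a ledger where the medical record is written into the block itself, overwriting that record breaks the hash chain, so every honest node rejects the edited copy. Second, a pattern that lets a central entity honour an erasure request anyway: only a keyed commitment (an HMAC digest) of the record goes on chain, while the record and its key live on a controlled server (an assumption standing in for the "dedicated servers" mentioned above); deleting the record and the key leaves the chain valid and the on-chain digest unlinkable. It also demonstrates the earlier caveat that a plain hash of a name is not anonymous, by recovering it with a dictionary attack. The records, names and the `OffChainStore` class are constructed for this example.

```python
# Added example (not from the original article): a hash-chained ledger with
# personal data written directly into blocks, versus a ledger that only carries
# keyed commitments while the records sit on a controlled off-chain server.
# All records below are constructed sample data.
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def canonical(payload):
    """Deterministic serialization so that hashes are reproducible."""
    return json.dumps(payload, sort_keys=True).encode()


def block_hash(prev_hash, payload):
    """Each block's hash covers its own payload and the previous block's hash."""
    return hashlib.sha256(prev_hash.encode() + canonical(payload)).hexdigest()


def build_chain(payloads):
    """Append blocks in order, each linked to its predecessor (the ledger)."""
    chain, prev = [], GENESIS
    for payload in payloads:
        h = block_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain


def chain_valid(chain):
    """What every node re-checks: hashes match and each block points at the one before."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block_hash(prev, block["payload"]) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def erase_in_place(chain, index):
    """Naive 'right to erasure': overwrite personal data inside the ledger itself.
    Returns an edited copy; the original list is left untouched."""
    edited = [dict(block) for block in chain]
    edited[index]["payload"] = {"erased": True}
    return edited  # honest nodes reject this copy: its hashes no longer match


def plain_hash(record):
    """An unkeyed hash of a record: integrity-protected, but not anonymous."""
    return hashlib.sha256(canonical(record)).hexdigest()


def reidentify(digest, candidates):
    """Dictionary attack: a plain hash of low-entropy personal data is recovered
    by hashing guesses until one matches. Returns the matching guess or None."""
    for name in candidates:
        if plain_hash({"patient": name}) == digest:
            return name
    return None


def commit(key, record):
    """Keyed commitment (HMAC-SHA256): without the key the digest reveals nothing."""
    return hmac.new(key, canonical(record), "sha256").hexdigest()


class OffChainStore:
    """Stands in for the 'dedicated servers' a central entity could impose
    (an assumption of this example). Only the commitment goes on chain."""

    def __init__(self):
        self._rows = {}

    def put(self, record):
        key = secrets.token_bytes(32)  # fresh key per record
        c = commit(key, record)
        self._rows[c] = (key, record)
        return c

    def verify(self, c):
        row = self._rows.get(c)
        return row is not None and commit(row[0], row[1]) == c

    def erase(self, c):
        """Delete the record and its key; the on-chain digest is now unlinkable."""
        self._rows.pop(c, None)


def demo():
    records = [  # constructed sample records
        {"patient": "A. Martin", "report": "transfer to cardiology"},
        {"patient": "B. Dupont", "report": "routine follow-up"},
    ]
    # Pattern A: personal data on chain. Erasure breaks the ledger.
    chain_a = build_chain(records)
    a_before, a_after = chain_valid(chain_a), chain_valid(erase_in_place(chain_a, 0))
    # Pattern B: commitments on chain, records off chain. Erasure leaves the ledger intact.
    store = OffChainStore()
    commitments = [store.put(r) for r in records]
    chain_b = build_chain([{"commitment": c} for c in commitments])
    store.erase(commitments[0])
    return a_before, a_after, chain_valid(chain_b), store.verify(commitments[0]), store.verify(commitments[1])


if __name__ == "__main__":
    print(demo())  # (True, False, True, False, True)
```

The design choice worth noting is the per-record key: a single hash of the record, even a salted one where the salt is public, would leave the central entity unable to claim the on-chain value is no longer personal data, because anyone holding a copy of the record could recompute and confirm it. With a secret key that is destroyed along with the record, nobody can later confirm which patient the digest referred to, while the chain itself, and the proof that something was transmitted at that point, remain intact.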
Although blockchain does not comply with the GDPR by nature, it is not incompatible with it. The idea is to adapt the blockchain to the type of service to be delivered. Because while it is possible today to rely on a public blockchain, built on a collaborative model, to guarantee the traceability of food products, it is quite another thing to rely solely on the collaboration of third parties to process personal data.