Banking: Is blockchain GDPR compliant – yes or no?

A blockchain provider contradicted itself when asked by Internet of Business about its banking solution’s GDPR compliance. The company’s response reinforces the complexity of the challenges facing the sector, says Chris Middleton.

Internet of Business has published a number of recent reports on blockchain in the banking and financial services sector, with several recent solutions claiming to be GDPR compliant.

However, as we also reported recently, a number of commentators have suggested that blockchain and GDPR contain irreconcilable differences, a factor of the underlying design of blockchain-based systems: immutable ledgers of data, with each ‘block’ containing a hash of the preceding one.

For example, Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO) – the body responsible for enforcing data privacy regulations in the UK – said last month that he has “nightmares” about the future relationship between blockchain and some of GDPR’s core principles.

At the core of Houlden’s ongoing problem is the so-called ‘right to be forgotten’: the right for citizens to request that their data is permanently erased from an enterprise’s systems – assuming that this doesn’t clash with some organisations’ legal, fiscal, and regulatory requirements to retain certain data for auditing, tax, and accounting purposes. (Another GDPR question mark, which suggests that new forms of complex fraud could take place in the grey area between these irreconcilable demands.)

Immutable records

The tension is centred on the ability that citizens – and, in turn, data controllers – need to permanently remove data from a given database. If personal information is stored on an immutable, open blockchain, in which each block of data contains a hash of the previous one, then that level of flexibility does not exist by design.

In theory, this is the core advantage of open blockchains and similar distributed ledger technologies: the inviolable nature of the data they contain means that people can’t simply remove inconvenient information at will.

As previously reported, storing encrypted data on the blockchain and destroying the key doesn’t solve the GDPR challenge, as the right to be forgotten requires that the data is erased.

Meanwhile, hashing can be used to verify that data on a chain has, or has not, been modified – because any altered data would result in a different hash. However, this means that a hash itself could still be considered personal data if it could be linked to a person and traced across a distributed system, even if the original data is inaccessible.

So do blockchain systems that claim to be GDPR compliant actually conform to the letter of the law, or merely the spirit?

Obfuscating the details

In May, Poland became the first country to move banking records en masse onto blockchain. Biuro Informacji Kredytowej (BIK), the largest credit bureau in Central and Eastern Europe, partnered with distributed ledger specialist Billon to deploy a blockchain system for storing and securing access to over 140 million credit records, relating to 1.2 million businesses and 24 million citizens in Poland.

A key point of the announcement was that the system is “fully GDPR compliant”, with the on-chain data storage system including “a mechanism enabling the right to erase personal data”.

How data is “erased” was not clear in Billon’s original announcement, which also said, “once published, every document is retained regardless of what happens to the original publisher, so that the guarantee of long-term duration of storage time and unblockable access to information are independent from the status of the contractual relationship between the service provider and the user”.

Internet of Business asked Billon for clarification of how the blockchain could be made GDPR compliant with regard to the right to be forgotten. The company responded to us this morning:

“The right to be forgotten is exercised by a patented technology solution that permanently destroys the ability for any party to access the private data in question. The data (and hash) remain on the blockchain without alteration or deletion, however no party can ever read the original content again.

“The blockchain retains a publicly verifiable record of all steps made by each party involved in the ‘right to be forgotten’ process, so you can check a document was uploaded and later made unreadable, but have no way of viewing the content of that document.”

Clearly, this contradicts Billon’s original claim that the system enables the erasure of personal data. Most significantly, Internet of Business believes that the right to be forgotten stipulates that data should be permanently deleted, and not merely rendered inaccessible.

This remains a problem with blockchains, therefore, because (as outlined above) a hash of all the original data would be identifiably different to a hash in which a citizen’s data had been erased under the right to be forgotten.

As a result, it would be possible to infer that the original data still exists by comparing the hashes. In this sense, a hash could still be considered personal data. So while Billon’s solution certainly conforms to the spirit of GDPR, on the face of it, it is not compliant. We have put this further point to the company and await its response.

However, the company then made a second point about its technology:

“The right is executed by a multi-stage approval process that requires agreement from a sufficient number of authorised parties (typically two, a citizen and a publisher, e.g. a bank). Our solution is digital, so in principle the entire right to be forgotten process can occur online. It’s up to the bank to define that process according to their own risk and compliance requirements. Some banks may require the client to call or physically come into a physical bank in order to prove their identity.”

This suggests that Billon believes that a number of authorised parties all need to agree to erase a citizen’s data, should he or she request it, which surely replaces a fundamental right with a complex negotiation process – which could result in refusal.

Again, this reveals that GDPR’s citizen focus clashes with many organisations’ own regulatory requirements. Meanwhile, other organisations may simply refuse to comply and resort to legalese and obfuscation of their own to justify retaining data. Bureaucracy is, after all, a known counterbalance to progress.

Get some backbone

Into the breach comes yet another new organisation. Last month, it announced the launch of the LegalThings One platform, which it claimed could be a new blockchain-based digital backbone for all GDPR-compliant processing.

LegalThings One creates what it calls a “private miniature chain” for each process. Only the nodes selected by the parties involved have this chain, similar to other distributed systems, such as Git. To safeguard the integrity of these miniature chains, each event is anchored in the Waves public blockchain – a chain of miniature chains, in other words.

When requested, nodes can erase specific processes. And because GDPR states that data cannot be kept indefinitely – surely another existential challenge to blockchain systems – this happens automatically after a specified retention period. Should laws require data to be stored for a longer period, then data can be extracted before the chain’s erasure, said the organisation in its announcement last month.

Using blockchain to ensure compliance?

In an ironic twist, a US startup is promising to apply blockchain technology to help companies adhere to GDPR. Blockchain solutions provider ULedger has launched a set of tools that can be plugged into an organisation’s existing data management system to both harness blockchain technology and meet the new standards.

ULedger CEO Josh McIver said, “Many technology systems in their current form are not capable of meeting the regulatory requirements of GDPR, and as with other regulations, compliance can sometimes be time-consuming, expensive, and confusing.

“Our GDPR tool is designed to leverage ULedger’s API in a way that provides companies with immediate GDPR compliance, and allows them to realise the many benefits that come with blockchain technology, such as security and transparency of data.”

ULedger’s Blockchain GDPR compliance tool enables companies to “create and maintain a complete, immutable history of the company’s data, including email communications, photos, bank details, and any other data type pertaining to a person’s private, public or professional data.”

GDPR and hybrid, off-chain solutions

Again, it was not immediately clear how ULedger’s supposedly immutable system supports GDPR’s right to be forgotten, despite its privacy benefits.

But a comment from ULedger’s VP of compliance, Dave Otander, shed more light on the issue, and pointed to either a system that puts only metadata on the blockchain, or uses a hybrid of blockchain and traditional encrypted data storage.

“By virtue of ULedger’s hybrid blockchain approach, an EU-based company can host their ULedger powered blockchain on-premise with the hashing and time-stamping of the metadata for data immutability, and consensus amongst participating nodes,” he said.

“We can be thought of as a permissioned solution, whereby the customer that is regulated under GDPR remains the data controller. Our customers get the best of both worlds by keeping their information secure and private, while achieving consensus by the cryptographic hash of the encrypted metadata.”

This is the point at which a customer’s right to see their personal data, or to be forgotten, can be implemented, it seems – but arguably, vendor IP and system complexity are beginning to militate against transparency.

Otander admitted, “To date, many are struggling with what a GDPR compliant blockchain is. Clearly, GDPR was shaped during the timeframe when data was collected, processed, and stored in a centralised manner.”

Indeed. With some data in the cloud, and other information in a computing mesh, a distributed network, at the edge, or – increasingly for big number-crunching tasks – once again on premise, the challenges facing GDPR compliance in many organisations are far more complex than they might appear.

Agreeing with the ICO’s Houlden, Otander said that this central truth is why a public blockchain approach is very likely not a long-term solution to anything. “Rather, a hybrid solution or a mix of off-chain applications for private data – to meet the right of erasure requirement – may become the standard,” he said.
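The two designs discussed in this article, shown as an added illustration (not code from Billon, LegalThings, ULedger or the original report): a chain in which each block holds the hash of the preceding one, with personal data written directly on-chain, beside a hybrid in which the record sits off-chain and only a salted digest is on-chain. The sample record, the `store` dictionary and every function name are assumptions made for the example.

```python
import hashlib, hmac, os

GENESIS = "0" * 64

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def append_block(chain: list, payload: str) -> None:
    """Each block stores the hash of the preceding block."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": sha256_hex(prev + payload)})

def verify(chain: list) -> bool:
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block["hash"] != sha256_hex(prev + block["payload"]):
            return False
        prev = block["hash"]
    return True

def commitment(record: str, salt: bytes) -> str:
    """Salted (keyed) digest: cannot be recomputed from the record alone."""
    return hmac.new(salt, record.encode(), hashlib.sha256).hexdigest()

def demo() -> dict:
    record = "name=Jan Kowalski;loan=5000"  # constructed sample record
    # Case 1: personal data written directly on-chain.
    direct = []
    for payload in ("opening entry", record, "later entry"):
        append_block(direct, payload)
    valid_before = verify(direct)
    direct[1]["payload"] = ""  # erase the record in place
    valid_after_erasure = verify(direct)  # the stored hashes no longer match

    # Case 2: hybrid. Record and salt live off-chain; only the commitment is on-chain.
    store = {"rec-1": (os.urandom(32), record)}  # hypothetical off-chain store
    hybrid = []
    append_block(hybrid, "opening entry")
    append_block(hybrid, commitment(record, store["rec-1"][0]))
    del store["rec-1"]  # erasure request: delete the record and its salt
    return {
        "valid_before": valid_before,
        "valid_after_erasure": valid_after_erasure,
        "hybrid_valid_after_erasure": verify(hybrid),
        # The digest itself stays on-chain; its legal status is the open question.
        "digest_still_on_chain": len(hybrid[1]["payload"]) == 64,
        # An unsalted digest can be reproduced by anyone holding the same record.
        "unsalted_is_linkable": sha256_hex(record) == sha256_hex("name=Jan Kowalski;loan=5000"),
        "salted_is_linkable": hybrid[1]["payload"] == commitment(record, os.urandom(32)),
    }

if __name__ == "__main__":
    print(demo())
```

In the hybrid case the chain still verifies after erasure because nothing on-chain changed, which is also why the digest remains there afterwards.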

Internet of Business says

The debate offers few clear solutions to the ICO’s problems, and replaces the former clarity of data storage and processing with a tangle of often obscure, complex, competing systems, along with a fog of claims that are either not backed with clear explanations, or suggest that data is being obfuscated, not deleted.

Replacing simplicity and trust with overwhelming complexity – a simple storage box with a Pandora’s Box of technology options – is, on the face of it, a bad idea. And that’s the key issue, certainly for regulators and investigators.

It is hard to avoid the impression that in some industries, such as financial services, there is a serious risk that processing complexity may become a deterrent to regulatory investigation – and that means any kind of investigation, including simple auditing.

In such a world, fraud and criminal behaviour may become much harder to detect, not easier, thanks to blockchain.

But at heart there may be a simple kernel of fact: pure, open blockchain solutions and GDPR are mutually exclusive concepts, because data can’t be deleted from them, merely rendered inaccessible.

Given the wholesale investment in these technologies across many industries, it may be that GDPR has to bend a little to accommodate the technology. But a world in which data is obfuscated is very different to one in which it is erased.

Editor’s note: This article reuses several content elements from an earlier report, which has itself been updated to include Billon’s response.