Can Blockchain and GDPR Co-Exist in Light of Electronic Archiving and Digital Preservation? A Look at the Challenges and Opportunities
Frederik Rosseel
Digitizing and Preserving the Regulated Customer Interaction since 2006
The introduction of the European Union's General Data Protection Regulation (GDPR) has posed significant challenges for the blockchain sector, particularly within Europe, where GDPR compliance is mandatory, especially for Electronic Archiving solutions. At first glance, some of the fundamental principles of GDPR seem to directly conflict with blockchain technology’s core features, raising an important question: Can a Distributed Ledger (let's use the term Blockchain, to keep things simple) and GDPR coexist without compromising their respective purposes?
And can Blockchain be a viable component of an Electronic Archiving solution, i.e. Digital Preservation of Information primarily during the legal retention period, which Regulation 2024/1183 introduces as a new Trust Service in Europe?
GDPR and Its Requirements
The GDPR aims to enhance privacy and personal data protection for individuals in the EU, giving them greater control over their data and requiring businesses to be transparent about data usage. The regulation covers key aspects like data minimization, transparency, and the "Right to Erasure" (also often called the "Right to be Forgotten") – this is a particularly thorny issue for blockchain. Fines for non-compliance are hefty, making adherence crucial for businesses.
One of the GDPR’s key requirements is the "Right to be Forgotten", which gives individuals the power to request deletion of their personal data. This provision seems to conflict with the blockchain’s immutability – an unchangeable, distributed ledger system that ensures transparency and data integrity but makes data deletion practically impossible.
Where GDPR and Blockchain Clash
Data Immutability vs. Right to Be Forgotten
The biggest conflict arises from blockchain’s inherent immutability. Blockchain was designed to be a tamper-proof and permanent ledger, with data that cannot be altered or erased. This is great for security and trust but becomes problematic when an individual wants their personal information deleted in compliance with GDPR. Essentially, blockchain's "Right to Never Forget" conflicts with GDPR’s "right to be forgotten."
Decentralized Data Controllers
Another key tension between blockchain and GDPR lies in the role of the data controller. GDPR places significant accountability on data controllers, making them responsible for handling personal data in line with the regulation. But in a blockchain network, data is stored and processed across multiple nodes with no central authority. This raises the question of who is the data controller – is it the blockchain developers, individual nodes, or everyone participating in the network? With no clear answer, ensuring compliance becomes a daunting task.
Blockchain in Electronic Archiving and Digital Preservation
Blockchain is often explored for use in electronic archiving and digital preservation solutions, including functionalities like audit trails. Electronic archiving has been introduced as a new Trust Service under Regulation 2024/1183 in the European Union. In these contexts, blockchain’s immutability can be both a strength and a challenge.
Audit Trails and Blockchain
Blockchain’s immutability makes it highly suitable for creating reliable and tamper-proof audit trails. In electronic archiving, an audit trail ensures the integrity and authenticity of archived records, providing a transparent history of actions taken. The distributed nature of blockchain means that the audit trail is not controlled by a single entity, which can enhance trustworthiness and accountability.
However, this immutability also poses compliance challenges under GDPR, particularly during the legal retention period when personal data must be managed carefully. If an audit trail contains personal data or references to personal information, the inability to alter or delete records conflicts directly with GDPR’s requirements for data erasure. This means that using blockchain as an audit trail for personal data could put organisations at risk of non-compliance if individuals exercise their right to be forgotten.
Challenges in Digital Preservation
In digital preservation, blockchain can help ensure that archived data remains secure, intact, and verifiable over long periods of time. The transparency and resistance to tampering make blockchain an attractive option for maintaining the authenticity of digital records. However, as with audit trails, the problem arises when personal data is involved. GDPR mandates that personal information must be deletable if requested, but blockchain’s design inherently prevents data from being erased. This creates a fundamental conflict for digital preservation solutions that need to comply with GDPR while leveraging blockchain’s strengths.
This challenge is similar to issues faced with WORM (Write Once, Read Many) storage. WORM storage, like blockchain, is designed to ensure data cannot be modified or deleted after it is written, making it ideal for preserving data integrity. However, this feature also makes WORM storage incompatible with GDPR’s "Right to be Forgotten" requirements, as it is impossible to erase specific data entries once they have been archived. Both blockchain and WORM storage offer significant advantages in terms of ensuring data authenticity and security but require careful consideration when used in contexts involving personal data and GDPR compliance.
Impact on Preservation Actions
One critical aspect of digital preservation is the ability to perform preservation actions, such as migration, format conversion, or integrity checks, to ensure the long-term usability and accessibility of archived objects. When blockchain is used for digital preservation, these actions can be challenging due to the immutable nature of the ledger. Any changes to the archived objects, even if intended to preserve the content, may not be easily documented or reflected in the blockchain without adding new blocks, potentially creating a complex chain of updates that may complicate data retrieval.
For WORM storage, similar issues exist. Preservation actions that require modification of the data are not feasible, meaning that alternative strategies must be employed to ensure long-term accessibility, such as maintaining a parallel system for managing metadata and changes to the data.
Potential Solutions for Coexistence
Private and Permissioned Blockchains
One potential solution is focusing on private or permissioned blockchains, which have defined participants and more control over data handling. Unlike public blockchains, these systems allow for governance structures that can help meet GDPR requirements, including identifying a responsible party for data processing.
Off-Chain Storage
Another workaround could be the use of off-chain storage. This involves keeping personally identifiable information (PII) in a separate database while only storing a reference to the data (such as a hash) on the blockchain. By doing so, it’s possible to delete personal data upon request, complying with GDPR’s requirements while maintaining blockchain’s integrity. However, this approach sacrifices some of blockchain’s transparency and security features.
Encryption and Key Deletion
Encrypting personal data before adding it to the blockchain, with the option to delete the encryption keys, is another possible solution. If the data subject wishes to exercise their right to be forgotten, the encryption key could be deleted, rendering the data unreadable. It remains unclear, though, whether this will be acceptable to regulators, as GDPR explicitly requires erasure, not just inaccessibility.
Use of Blockcerts
Blockcerts, a blockchain-based certificate creation system, could offer a creative approach for digital preservation and audit trails. Blockcerts use blockchain to store hashes of digital credentials, ensuring their authenticity without storing the actual personal data on-chain. This approach could be extended to digital preservation by storing only the proof of existence or integrity of archived objects on the blockchain, while the actual data resides off-chain. This way, GDPR compliance could be better achieved, as personal data could still be managed and deleted off-chain if needed, while blockchain provides an immutable record of the data's integrity.
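The off-chain pattern described under Off-Chain Storage and Use of Blockcerts, as an added example (not code from this article or from the Blockcerts project): a simplified hash chain stands in for the ledger, and the names Ledger, Archive and the per-record salt are assumptions. The salt is added here so that the on-chain value cannot be matched against guessed personal data once the off-chain copy is erased.

```python
import hashlib, hmac, json, secrets

def block_hash(prev, commitment):
    return hashlib.sha256((prev + commitment).encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for the blockchain (simplified model)."""
    def __init__(self):
        self.blocks = []                 # each block: (prev_hash, commitment, hash)

    def append(self, commitment):
        prev = self.blocks[-1][2] if self.blocks else "0" * 64
        self.blocks.append((prev, commitment, block_hash(prev, commitment)))
        return len(self.blocks) - 1

    def verify_chain(self):
        prev = "0" * 64
        for stored_prev, commitment, digest in self.blocks:
            if stored_prev != prev or digest != block_hash(prev, commitment):
                return False
            prev = digest
        return True

class Archive:
    """Off-chain store: the only place personal data and per-record salts live."""
    def __init__(self, ledger):
        self.ledger, self.store = ledger, {}    # store: block index -> (salt, data)

    def ingest(self, record):
        data = json.dumps(record, sort_keys=True).encode()
        salt = secrets.token_bytes(32)          # assumption: random salt per record
        idx = self.ledger.append(hmac.new(salt, data, hashlib.sha256).hexdigest())
        self.store[idx] = (salt, data)
        return idx

    def check(self, idx):
        if idx not in self.store:
            return None                         # erased: nothing left to verify
        salt, data = self.store[idx]
        digest = hmac.new(salt, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(digest, self.ledger.blocks[idx][1])

    def erase(self, idx):
        self.store.pop(idx, None)               # data and salt go; ledger untouched

def demo():
    archive = Archive(Ledger())                 # sample records below are constructed
    a, b = (archive.ingest({"subject": s}) for s in ("Alice Example", "Bob Example"))
    archive.erase(a)                            # erasure request for record a
    return archive.check(a), archive.check(b), archive.ledger.verify_chain()
```

After the erasure the ledger still verifies end to end and the remaining record still checks against its commitment, while the erased record can no longer be verified or reconstructed from the chain.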
The Path Forward
GDPR and blockchain appear to be at odds, but they also share common objectives: improving privacy, enhancing data security, and giving individuals control over their data. Regulators and blockchain developers need to engage in constructive dialogue to strike the right balance between data privacy rights and technological innovation. Flexible regulatory guidance could help ensure that blockchain solutions are compliant while still preserving their unique benefits.
Ultimately, a case-by-case assessment is needed to determine whether a blockchain use case can comply with GDPR requirements. It is also important to note that implementing a compliant blockchain-based solution, especially for electronic archiving use cases, can be highly costly and complex due to the need for regulatory compliance, infrastructure, and specialized expertise. While public and permissionless blockchains face considerable challenges, private and permissioned versions offer more possibilities for achieving compliance. Regulators need to clarify their stance, and blockchain projects must prioritize GDPR considerations in their designs.
Can it be done?
It’s clear that the journey to harmonize GDPR and blockchain is complex. However, with thoughtful approaches and open dialogue, there’s potential for both to coexist and even enhance each other’s goals. By aligning blockchain’s transparency and security with GDPR’s privacy requirements, we can pave the way for responsible innovation that respects individuals’ rights. However, it is important to note that while theoretically possible, the implementation of blockchain for digital preservation in line with GDPR will be costly and complex, requiring significant resources.
More information:
Founder & CEO Post-Platforms Foundation, building Next Generation Internet – Web 3.0 Data Space
3 months ago
Probably, Blockchain cannot be used for a simple reason: it has a fundamental problem with keys security and users identity. The private key isn't private, as users cannot keep them on the hardware. The public keys are not protected against man in the middle. The user identifier is linked to a public key. It is all insecure. Sounds like a showstopper to me.
Digitizing and Preserving the Regulated Customer Interaction since 2006
3 months ago
Another article that I had already written on the topic of Long-Term Preservation and GDPR: https://www.dhirubhai.net/pulse/gdpr-its-impact-digital-archiving-oais-frederik-rosseel/