Right to be forgotten
Second, the challenge arises with respect to Article 17 of the GDPR, which is the right to be forgotten. This right entails that a data subject should have the right to have her personal data erased, where the personal data is no longer necessary in relation to the purposes for which the data was collected or where the data subject withdraws consent to the processing of her personal data, or where the processing of personal data does not comply with the GDPR. The right to be forgotten is not an absolute right, but is exercisable by a data subject under certain specific circumstances as outlined in Article 17.
In a blockchain, it is difficult to realise such rights as by its very nature, a blockchain is an immutable ledger of information. Any change purported to be made in one block will also lead to change in the preceding blocks and therefore, destroy the integrity of the data. As an illustration, think of a blockchain providing a ledger of medical records to allow easy portability across hospitals, doctors, insurance companies and the patient. In this blockchain, X logs her medical records voluntarily in the blockchain for the purpose of obtaining health insurance from a private health provider. This validated record is available to the insurance company after she provides it with the necessary access. Let’s say, after a few years she desires to have her medical records taken off the blockchain as she wants to move to another insurance company. However, the very nature of blockchain does not allow her to remove her records. How can she then realise her right to be forgotten? Given the stage at which the technology exists, it appears that it would be difficult for her to remove her medical data from the blockchain though she is free to move to another company for her insurance needs. In a permissioned blockchain, removal of records is also a challenge, albeit
Fundamentally, there needs to be clarity about what does it mean for data to be erased? Does it mean that the data should cease to exist on the platform or mere inaccessibility to data would render the compliance sufficient? These are some of the questions that will need to be answered in due course of time.
In order to make the blockchain compliant with the GDPR, there have been attempts to use a model wherein the data is stored off-chain while only the hash and metadata of the personal data is stored on the blockchain. While this means that personal data can be modified/erased at will, it reduces the accountability that is in-built in a blockchain. Balancing trust and privacy is a tight rope that blockchain solutions will need to walk in the coming years. It is, therefore, a conundrum that the very technology sought to maintain the integrity of data is at odds with the law that endeavours to protect personal data. Is the answer then centralised databases where the GDPR is far easily implementable? But isn’t that exactly what blockchain intended to avoid? Centralised authorities? With the enactment of GDPR and similar laws across the globe, it appears a Rubicon has been crossed, but how it will engage with existing and future technologies, only time will tell.
The writer is ex-judge and technology lawyer