Blockchain and IoT are "irreconcilable" with GDPR

Legal experts believe there are "irreconcilable" differences between blockchain and the upcoming General Data Protection Regulation (GDPR), raising doubts as to whether the technology can achieve widespread adoption under the new data laws.

The principles of distributed ledger technologies (DLT) are said to have caused "massive tension" in the legal community, which is unconvinced that the basic provisions of GDPR can be enforced on them. Chief among these is the identification of a data controller, which decides how personal information is stored and analysed, and of a data processor, which carries out the storing and analysing.

Speaking at a Westminster eForum panel event in London on Tuesday, Nigel Houlden, head of technology policy at the Information Commissioner's Office (ICO), which is responsible for enforcing GDPR compliance in the UK, said he has "nightmares" about blockchain's ability to protect personal data.

"What I concern myself most with right now is things like the right to be forgotten, and how that can actually work with blockchain," said Houlden. "I'm now almost at the point where I'm convinced 'yes it can work with it'."

But he admitted he's "still got some doubts" about how practical use of blockchain technology - a distributed open ledger that allows a theoretically limitless number of actors to view and make various transactions that the ledger records - can comply with the legislation.

"To get its true efficiency it needs to be an open network, because then you have cyber resilience; it's very difficult to attack 10,000 different actors," explained Houlden. But having so many actors makes it difficult to pinpoint who holds which role under GDPR.

"The trouble then is, who is controller and who is processor?" Houlden asked, admitting: "That gives me some nightmares."

The alternative regularly suggested to Houlden is a closed, private blockchain, where each participant is, in theory, known to every other participating node. However, he argued that reducing the number of nodes an attacker must target makes it far more likely that an attack will bring down the system.

"At this moment in time I'm not 100% convinced blockchain is a great idea," says Houlden. "The technologies under blockchain, encryption, certification, they are great things.

"What we need to do is maybe unwind a bit from the fascination of blockchain, and start looking at those underlying technologies, which have been around for a while and are really quite mature now."

His comments were echoed by Malcolm Dowden, legal director at Womble Bond Dickinson, who argued that blockchain was an example of technology moving too far ahead of the law.

"There is, from a legal perspective, an absolutely irreconcilable tension between blockchain, or distributed ledger technology, and GDPR," said Dowden. "Every time a new computer, a new node, joins a blockchain system, the data that's on the block is replicated to that computer. That is a data transfer."

He added that because of the lack of geographical restrictions on blockchain use, such data could be transferred to anywhere in the world, something that has data lawyers "completely panicked".
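Two of the points made above, that a record written on-chain is copied to every node that joins and that an append-only chain cannot honour an erasure request by rewriting a block without invalidating every copy, can be shown with a small model. The Python below is an added example, not code from this article or from any organisation it mentions: the ledger, the joining node and the off-chain store are toy constructions with made-up sample data, and the "keep personal data off-chain, commit only a keyed hash to the chain" pattern is one commonly discussed engineering mitigation, not something the speakers quoted here endorse.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: str          # whatever is actually written to the ledger
    hash: str = ""

    def compute_hash(self) -> str:
        return _sha256(f"{self.index}|{self.prev_hash}|{self.payload}".encode())


class Ledger:
    """Toy append-only hash chain (constructed for this example)."""

    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, "genesis")]
        self.blocks[0].hash = self.blocks[0].compute_hash()

    def append(self, payload: str) -> Block:
        prev = self.blocks[-1]
        block = Block(len(self.blocks), prev.hash, payload)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Every block's hash must match its contents and link to its predecessor."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False
            if i and block.prev_hash != self.blocks[i - 1].hash:
                return False
        return True

    def replicate(self) -> Ledger:
        """A joining node receives every block, including any personal data in them."""
        copy = Ledger()
        copy.blocks = [Block(b.index, b.prev_hash, b.payload, b.hash) for b in self.blocks]
        return copy


def naive_erasure_breaks_chain() -> bool:
    """Personal data written directly on-chain: the only way to 'erase' it is to
    rewrite the block, which breaks verification, and the joined node's copy
    still holds the original data anyway. Returns the chain's validity after the rewrite."""
    ledger = Ledger()
    ledger.append(json.dumps({"name": "Alice Example", "email": "alice@example.invalid"}))  # constructed
    ledger.append("unrelated transaction")
    node_copy = ledger.replicate()          # data has now been transferred to another node
    ledger.blocks[1].payload = "[erased]"   # attempt to honour an erasure request
    assert node_copy.verify()               # the copy is untouched and still valid
    return ledger.verify()                  # False: hash no longer matches


class OffChainStore:
    """Mitigation pattern: personal data stays off-chain under a per-record key and
    the ledger only carries an HMAC commitment. Deleting the key and data
    ('crypto-shredding') leaves the chain valid and the commitment unusable."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: dict[str, tuple[bytes, str]] = {}   # record_id -> (key, personal data)

    def add(self, record_id: str, personal_data: str) -> Block:
        key = secrets.token_bytes(32)
        self.records[record_id] = (key, personal_data)
        commitment = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
        return self.ledger.append(json.dumps({"record": record_id, "commit": commitment}))

    def prove(self, record_id: str) -> bool:
        """The data holder can show the off-chain record matches what is on-chain."""
        if record_id not in self.records:
            return False
        key, data = self.records[record_id]
        expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
        return any(json.loads(b.payload).get("commit") == expected
                   for b in self.ledger.blocks[1:] if b.payload.startswith("{"))

    def erase(self, record_id: str) -> None:
        self.records.pop(record_id, None)   # key and data gone; no block is rewritten


def commitment_erasure_keeps_chain() -> tuple[bool, bool, bool]:
    """(provable before erasure, provable after erasure, chain still valid)."""
    ledger = Ledger()
    store = OffChainStore(ledger)
    store.add("subject-1", json.dumps({"name": "Alice Example"}))  # constructed
    before = store.prove("subject-1")
    store.erase("subject-1")
    return before, store.prove("subject-1"), ledger.verify()


if __name__ == "__main__":
    print("naive on-chain erasure leaves a valid chain:", naive_erasure_breaks_chain())
    print("off-chain data with on-chain commitment:", commitment_erasure_keeps_chain())
```

The first function shows the mechanics behind Dowden's replication point and Houlden's erasure worry: once a block has been copied to a joining node, the originating party can neither recall it nor rewrite it without breaking the chain. The second shows why practitioners steer personal data off-chain: whether a keyed hash that can no longer be resolved still counts as personal data is a legal question the model does not settle, but the chain itself never has to be altered to destroy the link.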

There also appear to be as-yet unaddressed complications with data collection as part of the internet of things (IoT), a technology that has often relied on the passive collection of user data that is not allowed under GDPR.

"GDPR is something that is really essential as an element of this whole debate about using IoT," said Dowden.

"It's a particular challenge because the law was written with a model of primarily provided data, consciously provided data. The IoT is at least as concerned with inferred or derived data. So there are tensions within the way the law has been written."

He added that there are further complications when it comes to the activities that go on once data has been collected through the IoT.

"It very quickly becomes profiling, which is one of the points of significant regulatory concern under GDPR. It also then leads on to automated decision making, which is again a huge focus of twitchiness and concern."

It was suggested that the government should look to the international community for help with issues around emergent technology, and that any decisions should involve academia.

"One model that is really worth looking at is what's happening in the Netherlands, with organisations like the I-Interim Rijk," said Dowden. "Cross-government, multidisciplinary, project management and sectoral expertise, being brought to bear, in a concerted fashion."

He added that there was an urgent need for government departments and the tech industry to work together to "arrive at something that's a workable solution".

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.