Is the General Data Protection Regulation, or the famous GDPR which has been talked about so much for years, finally reconcilable with distributed ledger technologies such as blockchain or DAGs? The issues around data are now more prominent than ever, and the evolution of its operation and regulation is a reflection of the direction that the digital world of tomorrow is taking. To address this issue, we are pleased to discuss with Nesrine Benyahia, Doctor of Law and President and Founder of Dr. Data, a company dedicated to the protection and valuation of data using blockchain technologies.
Hello Nesrine! Could you briefly elaborate on the challenges of the GDPR (General Data Protection Regulation) at the present time?
The major challenges lie in the integrity of the data. Indeed, the GDPR, but also the national IT and freedom law across our territory, very clearly require that there be no unwanted changes to the data.
In other words, there must be no illegitimate exploitations of these, potentially directed with a malicious character or a will to harm. Indeed, this need for data integrity takes on particular meaning in certain sectors where the impact of non-integrated or unreliable data can be very serious, I am thinking in particular of the health sector: erroneous data can cause physical harm up to death.
In the digital age, there is a real obligation of integrity, and this data prevails a mirrored risk of which it reflects the sensitive nature of the data, because all data is obviously not of the same importance. I would add to this that there is a major issue in the transmission of data, and more particularly in terms of its traceability. These elements that I have just cited are at the heart of the debates posed by the GDPR.
How does the blockchain relate to the GDPR? Do we have a real synergy?
First of all, a real limit to the collaboration between blockchain and GDPR is the inherent immutability of distributed ledgers. Any data recorded on a blockchain is immutable, while the GDPR gives, for example, the right to withdraw consent to the processing of personal data, the right to object, and highlights the principle of limited retention of personal data.
In reality, there is a real dependence on the use-case to consider a possible synergy between blockchain & GDPR. Once the use case has been developed and theorized in accordance with the regulations, it is therefore necessary to test the reliability of the blockchain in order to maintain the integrity of the data. We must therefore look at this from a broader perspective, and consider technologies to support this blockchain & GDPR collaboration, and in particular encryption technologies (SHA-256 for example) and secure authentication, because we never say it enough: the blockchain makes the data reliable but does not secure it!
Could you name some sensitive use-cases of the blockchain & GDPR synergy?
Of course, there are many. A particularly revealing example is voting. In the context of a suffrage, 3 major issues must be resolved. First, you have to make sure that the vote has been cast; for that, no issue, the currently existing technologies are more than sufficient to meet this criterion, no need for a blockchain here. Subsequently, the content of the vote must be inaccessible; this complicates the situation from a technological point of view because it actually requires potentially very complicated hash mechanisms. Ultimately, these previous characteristics of the data (here the vote) must be immutable and incorruptible, and this is where the blockchain finds its use. It is quite possible to imagine today a dematerialized vote via a blockchain process respecting the GDPR. The main obstacle is the generational and cultural mistrust of digitalization despite the many advantages, in particular the traceability of the vote.
We can also cite the case of taxation. When you want to use a blockchain to frame data, it is always a matter of trust or transparency. One can easily imagine a new approach to the traceability of taxes and contributions, which are often sources of tensions and increased social crises in a context of fake news. It is therefore quite conceivable in 2020 to operate a blockchain for these purposes while respecting the GDPR. The technology is no longer a limit, but it is nevertheless necessary to frame things in a coherent way, in particular on the very basis of the blockchain to be exploited in such circumstances (public, private, consortium …).
Finally, a major area where blockchain & GDPR are entangled is, and I’m not teaching you anything, the health sector. If we take the example of the health crisis and the publication of The Lancet, yet a prestigious journal in the community, which used data whose traceability is particularly doubtful in the context of a study and thus guided major policy decisions at the global level, we really emphasize the need for traceability, transparency and even controlled quality of the data.
Thus, for an optimum use of the blockchain in accordance with the regulations, it is also necessary to associate a real mastery of the workflow and of the processes used in the use case. For example, Dr. Data works on issues of health data traceability by operating a blockchain in compliance with regulations, but this implies a real understanding of the medical data ecosystem. Finally, I would add that we are going through a period where we must all understand that the challenges of data on a daily basis are in the revaluation of it, because when we do not pay for a service, we are often the product, and by that I naturally mean our personal data.
Finally, in your opinion what are the challenges of joint development of the blockchain and the GDPR?
Two things. First of all, the GDPR is not an obstacle to the development and democratization of the blockchain, but only a necessary framework. Once again, when we don’t pay, we ultimately pay at the cost of our data. It was initially the vocation of the GDPR to limit these unwanted data exploitation practices. Indeed, how many of us press “accept cookies” without even knowing what it entails? Too many, because these behaviors are strongly mediated by a desire to popularize the importance of cookies, and often associated with UX practices (how the elements of a web page are arranged) which are sometimes a scam …
Today, consent is treated as mere information; with the blockchain, consent will have real value.
Then, it is absolutely necessary to revalue our data while having a real control, a real consent on the way in which our data is used. Personal data in the digital age is nothing more than an extension of human dignity. The evolution of the GDPR is intrinsically linked to this awareness of the value of our data. In addition, blockchain is a technology that allows you to have real control over data, which opens up many new, more transparent and ethical data exploitation prospects. But once again, these developments must be supervised; regulators have a major role because blockchain is ultimately just a tool. We can now imagine that in some time, while respecting the GDPR, blockchain systems make it possible to value data in a controlled manner by their authorized custodian, in particular in accordance with the exercise of the right to portability which defines that a user is in control of the use of his data and of his movements.
Europe should not be taken aback by these challenges because they are associated with strong economic and societal impacts.
Blockchain & GDPR therefore have real cohesive potential, which will however be modulated by regulatory decision-making. However, this association could be the key to a world where we are sovereign over our own data and therefore over the use that is made of it. Case to follow very carefully!
Coming from the medical world, I am passionate about cryptocurrencies and blockchain technologies. I am deeply convinced that these technologies will be a real pivotal axis in the years to come with regard to the various ethical uprisings relating to data, and more particularly to transparency. I am also a big fan of DeFi. In addition, I am attached to the University of Paris.