[Jishnu M Nair is an Attorney at IBM India/South Asia. The opinions are personal views of the author and do not necessarily represent IBM’s positions, strategies or opinions.]
The right to be forgotten is one of the key requirements of the recently released draft of India’s personal data protection law. Can blockchain adapt to this key concept?
In Mario Costeja Gonzalez[i], the Court of Justice of the European Union (CJEU) held that, upon request, search engines must remove search results that are “inadequate, irrelevant or excessive in the light of time”. This came to be known as ‘the right to be forgotten’. While this principle is replicated in the form of “the right to erasure” under the EU General Data Protection Regulation (GDPR), it seems that the Indian legal framework for data protection (which is still at a draft stage!) is slowly trudging towards the same. Although the GDPR addresses the right to be forgotten through the concept of the right to erasure, the Indian Draft Bill[ii] directly addresses the issue of the right to be forgotten.
Section 27 of the Bill does allow for the right to restrict or prevent continuing disclosure of personal data by a data fiduciary,[iii] where (a) such disclosure is no longer necessary, (b) the consent was withdrawn or (c) was made contrary to any provisions of law. This key concept, however, seems to be counter to the fundamentals behind blockchain. In this post, I seek to put together some existing thoughts within the market and an analysis from an Indian perspective.
Effects on Blockchain
Blockchain works on the fundamental principle of immutability of the ledgers, which essentially provides for data integrity of any data that might be fed into this platform. The blocks that are once created cannot be tampered with at a later point in time. This is the basic selling point for any blockchain solution.
However, the requirement from the Bill seems to be to create an ability for any system, including blockchain, to forget personal data upon request. Trust in the personal data stored on the blockchain will be affected if the platform allows any change to data that has been fed in. While the Bill was not drafted with any particular platform in mind, it needs to be pondered whether there needs to be an intervention with the government on this.
Data Fiduciary vs. Data Processor in Blockchain
The very root of data protection compliance lies in identifying the roles for each party. As for blockchain systems, it is difficult to identify a central operator or owner responsible for the system. The chain is operated by all its users in a peer-to-peer network environment. The terms “data fiduciary” and “data processor” can be attributed interchangeably, which means that every participant in the blockchain is a data controller for himself and a data processor for others. At the outset, it fails at the vitally important step of designating roles. Enterprise blockchains, on the other hand, are mostly permissioned and hence there is a possibility of assigning a central operator. The assignment of responsibility, however, does not rectify the concern around enterprise platforms’ inability to modify transaction nodes.
Keeping the above challenges in mind, there are certain technical solutions that the market has deliberated because of the right to erasure requirement under the GDPR. These solutions can be replicated in the Indian context too. One of them is to provide an offchain storage solution wherein the personally identifiable information (“PII”) is kept on a server outside the blockchain. This solution is more suitable for an enterprise blockchain, as a centralized back-end system would make more sense in a contained environment. Again, this fails to address a fundamental characteristic of a blockchain around security features. By moving any data offchain, one opens the system up to more vulnerability and dilutes its security features.
Another suggested approach is pseudonymization, which essentially injects the data so deep in the system that one would need additional information to identify this data. This can be achieved through existing techniques such as scrambling, masking, tokenization or data blurring. This would not sit right with the principle of the right to be forgotten, as additional information still exists that can point back to the PII.
The European regulator through the CJEU has touched upon the concept of pseudonymization in its judgement on Patrick Breyer v. Bundesrepublik Deutschland[iv]. The CJEU ascertained that the online media services provider has the means, which may likely reasonably be used in order to identify the data subject with the assistance of other persons, namely the competent authority and the internet service provider, on the basis of the IP addresses stored. The Advocate General stated that the risk of identification appears in reality to be insignificant owing to the disproportionate effort in terms of time, cost and man-power. If additional data can link pseudonymized data to an individual, it would remain within the definitions of personal data. It has to be seen if the Indian Data Protection Authority would accept pseudonymization as a solution.
An adjustment to this idea would be to encrypt the information and, on a ‘right to be forgotten’ request, delete the encryption keys. The data will then be lost within the chain and become irretrievable. Ultimately, it is up to the regulator and actual technical deliberations to determine the plausibility of this solution.
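The key-deletion idea described above, as an added sketch that is not part of the original post: an append-only hash chain stores only ciphertext, per-principal keys live in a deletable offchain store, and erasure destroys the key while the chain still verifies. The Ledger class, its method names and the sample data are assumptions made for illustration, and the SHAKE-256 keystream is a stand-in for a real AEAD cipher.

```python
import hashlib, json, secrets

def xor_stream(key, nonce, data):
    # Constructed stand-in cipher (SHAKE-256 keystream) to stay stdlib-only;
    # a real deployment would use a vetted AEAD such as AES-GCM.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def block_hash(block):
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:  # hypothetical class, for illustration only
    def __init__(self):
        self.chain = []   # on-chain: append-only, never edited
        self.keys = {}    # offchain: principal -> (key_id, key), deletable

    def append(self, principal, pii):
        key_id, key = self.keys.setdefault(
            principal, (secrets.token_hex(8), secrets.token_bytes(32)))
        nonce = secrets.token_bytes(16)
        block = {"prev": self.chain[-1]["hash"] if self.chain else "0" * 64,
                 "key_id": key_id, "nonce": nonce.hex(),
                 "ct": xor_stream(key, nonce, pii.encode()).hex()}
        block["hash"] = block_hash(block)
        self.chain.append(block)

    def verify(self):
        prev = "0" * 64
        for b in self.chain:
            if b["prev"] != prev or b["hash"] != block_hash(b):
                return False
            prev = b["hash"]
        return True

    def read(self, principal):
        key_id, key = self.keys[principal]   # raises KeyError once forgotten
        return [xor_stream(key, bytes.fromhex(b["nonce"]),
                           bytes.fromhex(b["ct"])).decode()
                for b in self.chain if b["key_id"] == key_id]

    def forget(self, principal):
        # Erasure request: destroy the key; the chain itself is untouched.
        self.keys.pop(principal, None)

def demo():
    led = Ledger()
    led.append("alice", "alice@example.com")   # constructed sample data
    led.append("bob", "bob@example.com")
    led.append("alice", "+91-00000-00000")
    before = led.read("alice")
    led.forget("alice")
    return before, led.verify(), "alice" in led.keys, led.read("bob")
```

The ciphertext remains on the chain permanently, so erasure holds only if every copy of the key (backups included) is destroyed and the cipher stays unbroken.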
The safest option for compliance within the existing requirements for blockchain would be to move towards a system where the PII is stored in an offchain system while compromising one of the most essential features of blockchain. Although the regulations were not made keeping any one particular offering in mind, it seems there needs to be a conversation with the policy-making bodies in India as the market moves forward on this technology. A technology disruptor like blockchain needs to be given the right amount of leeway for it to flourish.
– Jishnu M Nair
[i] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (CJEU-C-131/12)
[ii] Indian Personal Data Protection Bill- http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[iii] The definitions of Data Principal, Data Fiduciary and Data Processor under the Bill are similar to those of data subject, data controller and data processor as used under the GDPR.
[iv] Patrick Breyer v. Bundesrepublik Deutschland (CJEU-C-582/14)