• Advokat Jeppe R. Stokholm

How to protect Data Privacy in a Blockchain?

Updated: Apr 21, 2018


In ancient Roman religion and myth, Janus is the God of Duality. Depicted with two faces, Janus is able to overlook both the future and the past, and Janus preside both beginnings and endings. Like Janus the two-faced god, the #Blockchain has visible flip-sides when it comes to #DataPrivacy.

When information is distributed in a decentralized ledger, it is positive from a Data Protection point of view that:

  1. it is almost impossible to identify and expose the encrypted personal data involved, including the content of the encrypted data, since the sensible information is not subject to a central database with third party access. An encrypted decentralized ledger prevents leaks from centralized and trusted third parties and is less fragile against cybercrime, since cybercrime often occur in the form of a targeted attack on a specific entity. Just recall the damage related to the publicly known cyberattacks on Equifax (2017), Ashley Madison (2015) and Yahoo (2013) and you get the point.

  2. it is up to the individual person to decide, what kind of personal information the individual want to share with the public in a specific transaction. If only your name and address is needed to conduct a transaction, you can opt to share only that specific part of information instead of publishing a full copy of your personal ID (passport, driver’s license etc.).

  3. if you only trust a private, closed and encrypted ledger, it can be arranged inter-partes.

The negative flip-side of these benefits are:

  • there is no central server

  • all personal data and meta-data is (in principle) accessible to everyone, and

  • it is close to impossible to do a “claw back” and censor sensible information

The problem with no central server is, that to turn back time and to censor previous validated information in the Blockchain, would not only be close to impossible to coordinate, facilitate and implement. It would also require a change to the whole protocol, wherein previously valid blocks and/or transactions would be made invalid.

For that purpose, it would be necessary to initiate the use of a #softfork, i.e. a backwards compatible change of the protocol. But the use of a softfork requires on the bitcoin blockchain, that it is enforced by a majority of the miners, i.e. more than 50% of the miners should first get access to the sensible information, read it, understand it and then agree, that the sensible information was worth to protect by altering or deleting it. Such a procedure is definitely not the best way to protect Data Privacy, since the sensible information would be distributed, known and discussed even more during the process.

The problem with all personal data and meta-data to be (in principle) accessible to everyone is, that privacy may be challenged by this new technology. For instance, using cash in a payment transaction do not leave a trace of personal data. But with digital payments (including the use of crypto currencies) it is (in principle) possible to combine each payment with data to be gathered and used for future purposes by governments, companies, retailers etc.

It is outside the scope of this article to define what kind of data, that constitutes personal data in a Blockchain context. However, inspiration might be found in the newly adopted EU regulation regarding General Data Protection Regulation (GDPR: Regulation EU 2016/679), that include a right to erasure / a right to be forgotten in article 17. Due to this article, the person in question (the data subject) can request an erasure of personal data related to them on a number of specific protectable causes, i.e. personal data must be relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of proportionality).

How such legislation can be applied to an open and decentralized ledger will be interesting to follow. Especially because of the dual faces of the Blockchain, that both protect Data Privacy but also challenges it.

Advokat Jeppe R. Stokholm is based in Zürich, Switzerland. The area of expertise is corporate affairs, including M&A, Venture Capital, Private Equity and Crypto Law. Advokat Jeppe R. Stokholm represents several international oriented Law Firms, Auditors and Family Offices on a case-by-case basis and provide discretionary counselling to global operating companies and private UHNW clients. 

​Zürich, Switzerland