Blockchain and IoT are "irreconcilable" with GDPR

Incoming data protection rules could scupper blockchain before it's even taken off

Legal experts believe there are "irreconcilable" differences between blockchain and the upcoming General Data Protection Regulation (GDPR), raising doubts as to whether the technology can achieve widespread adoption under the new data laws.

The principles of distributed ledger technologies (DLT) are said to have been the cause of "massive tension" in the legal community, which is unconvinced that the enforcement of basic provisions under GDPR, such as the identification of a data controller, which controls how personal information is stored and analysed, and the role of a data processor, which does the storing and analysing, will be possible.

Speaking at a Westminster eForum panel event in London on Tuesday, Nigel Houlden, head of technology policy at the Information Commissioner's Office (ICO), which is responsible for enforcing GDPR compliance in the UK, said he has "nightmares" about blockchain's ability to protect personal data.

"What I concern myself most with right now is things like the right to be forgotten, and how that can actually work with blockchain," said Houlden. "I'm now almost at the point where I'm convinced 'yes it can work with it'."

But he admitted he's "still got some doubts" about how practical use of blockchain technology - a distributed open ledger that allows a theoretically limitless number of actors to view and make various transactions that the ledger records - can comply with the legislation.

"To get its true efficiency it needs to be an open network, because then you have cyber resilience - it's very difficult to attack 10,000 different actors," explained Houlden. But having so many actors makes it difficult to pinpoint roles under GDPR.

"The trouble then is, who is controller and who is processor?" Houlden asked, admitting: "That gives me some nightmares."

The alternative that's regularly suggested to Houlden is the use of a closed, private blockchain, where each participant is, in theory, known to every other participating node. However, he argued that by reducing the number of people to target, it makes it far more likely an attack will bring down a system.

"At this moment in time I'm not 100% convinced blockchain is a great idea," said Houlden. "The technologies under blockchain - encryption, certification - they are great things.

"What we need to do is maybe unwind a bit from the fascination of blockchain, and start looking at those underlying technologies, which have been around for a while and are really quite mature now."

His comments were echoed by Malcolm Dowden, legal director at Womble Bond Dickinson, who argued that blockchain was an example of technology moving too far ahead of the law.

"There is, from a legal perspective, an absolutely irreconcilable tension between blockchain, or distributed ledger technology, and GDPR," said Dowden. "Every time a new computer, a new node, joins a blockchain system, the data that's on the block is replicated to that computer. That is a data transfer."

He added that because of the lack of geographical restrictions on blockchain use, such data could be transferred to anywhere in the world, something that has data lawyers "completely panicked".

There also appear to be as-yet unaddressed complications with data collection as part of the internet of things (IoT), a technology that has often relied on the passive collection of user data that is not allowed under GDPR.

"GDPR is something that is really essential as an element of this whole debate about using IoT," said Dowden.

"It's a particular challenge because the law was written with a model of primarily provided data - consciously provided data. The IoT is at least as concerned with inferred or derived data. So there are tensions within the way the law has been written."

He added that there are further complications when it comes to the activities that go on once data has been collected through the IoT.

"It very quickly becomes profiling, which is one of the points of significant regulatory concern under GDPR. It also then leads on to automated decision making, which is again a huge focus of twitchiness and concern."

It was suggested that the government should look to the international community for help with issues around emergent technology, and that any decisions should involve academia.

"One model that is really worth looking at is what's happening in the Netherlands, with organisations like the I-Interim Rijk," said Dowden. "Cross-government, multidisciplinary, project management and sectoral expertise, being brought to bear, in a concerted fashion."

He added that there was an urgent need for government departments and the tech industry to work together to "arrive at something that's a workable solution".
