A Systematic Literature Review of the Tension between the GDPR and Public Blockchain Systems_2

2025-04-27 0 0 1014.46KB 64 页 10玖币
侵权投诉
A Systematic Literature Review of the Tension between
the GDPR and Public Blockchain Systems
Rahime Belen-Saglama, Enes Altuncua, Yang Lub, Shujun Lia,
aInstitute of Cyber Security for Society (ICSS) University of Kent, Keynes
College, Canterbury, CT2 7NP, United Kingdom
bSchool of Science, Technology and Health York, St John University, Lord Mayor’s
Walk, York, YO31 7EX, United Kingdom
Abstract
The blockchain technology has been rapidly growing since Bitcoin was invented
in 2008. The most common type of blockchain systems, public (permisionless)
blockchain systems have some unique features that lead to a tension with Eu-
ropean Union’s General Data Protection Regulation (GDPR) and other similar
data protection laws. In this paper, we report the results of a systematic liter-
ature review (SLR) on 114 research papers discussing and/or addressing such
a tension. To be the best of our know, our SLR is the most comprehensive
review of this topic, leading a more in-depth and broader analysis of related re-
search work on this important topic. Our results revealed that three main types
of issues: (i) difficulties in exercising data subjects’ rights such as the ‘right
to be forgotten’ (RTBF) due to the immutable nature of public blockchains;
(ii) difficulties in identifying roles and responsibilities in the public blockchain
data processing ecosystem (particularly on the identification of data controllers
and data processors); (iii) ambiguities regarding the application of the relevant
law(s) due to the distributed nature of blockchains. Our work also led to a bet-
ter understanding of solutions for improving the GDPR compliance of public
blockchain systems. Our work can help inform not only blockchain researchers
and developers, but also policy makers and law markers to consider how to rec-
oncile the tension between public blockchain systems and data protection laws
(the GDPR and beyond).
Keywords: Blockchain, distributed ledgers, privacy, data protection law, legal
compliance, GDPR, EU, EEA, UK
Corresponding author
Email addresses: R.Belen-Saglam-724@kent.ac.uk (Rahime Belen-Saglam),
ea483@kent.ac.uk (Enes Altuncu), y.lu@yorksj.ac.uk (Yang Lu), S.J.Li@kent.ac.uk
(Shujun Li)
Preprint submitted to Blockchain: Research and Applications October 11, 2022
arXiv:2210.04541v1 [cs.CR] 10 Oct 2022
1. Introduction
Since Bitcoin was conceptualised in 2008, its underlying technology about
blockchains (also known as distributed ledgers) has been considered as a break-
through of secure computing without a centralised authority in an open environ-
ment. Its potential capabilities led many researchers and practitioners to con-
sider that it is the next big revolutionising technology after the Internet (Puthal
et al., 2018). Its applications have boomed in many sectors for various purposes
and many researchers also started conducting research on this emerging technol-
ogy. Although the blockchain technology has some built-in security and privacy
mechanism by design, it has also introduced new security and privacy concerns,
one of which is the conflict between the immutable nature of data on blockchain
and the “right to be forgotten” (RTBF) of data subjects introduced in new
data protection laws such as the European Union (EU) General Data Protec-
tion Regulation (GDPR) introduced in 2016 (European Parliament, 2016). Such
new concerns let many researchers, practitioners, policy makers and blockchain
users to debate about legal compliance of blockchain systems and to explore
ways to make blockchain systems more legally compliant with such new data
protection laws and regulations. This paper aims at providing a comprehensive
review of such efforts in the research literature.
After being passed by the European Parliament in 2016, the GDPR entered
into force on 25 May 2018 in all EU member states. In addition, law markers
in three non-EU member states of the European Economic Area (EAA), Ice-
land, Liechtenstein and Norway, also decided to adopt the GDPR. For the UK,
after it left the EU, its law markers decided to keep the GDPR in its national
law, but made some necessary changes to reflect the new status of the UK as
a non-EU/EEA country, which led to the so-called UK GDPR (Information
Commissioner’s Office (ICO), UK), a UK-specific version of the EU GDPR. In
the rest of the paper, we will use the term GDPR in a broad sense to refer to
the two different versions of the GDPR, since the differences are not essential
for our discussions on the relationships between the blockchain technology and
the relevant content defined in the GDPR.
In the context of the GDPR, legal compliance issues have been raised for a
range of emerging technologies including IoT (Internet of Things), AI (artificial
intelligence) and big data analytics, and also blockchains. One mostly discussed
aspect of the tension between blockchains (especially public blockchain systems)
and the GDPR is the following: the immutable nature of blockchains makes it
impossible to delete personal information, therefore, it is not possible to exercise
the RTBF (more formally known as the right to erasure) of data subjects as
defined in the GDPR. Another aspect is about data sharing outside of the
EU/EEA/UK: for a public blockchain system, it is normally the case that every
node holds a full copy of all data, no matter where the node is physically located
or even unknown.
Due to those GDPR-compliance challenges, many researchers looked at the
tension between the GDPR and blockchains in recent years and some also at-
tempted to propose solutions to address some of the challenges. In a 2018 re-
2
port (Lyons et al., 2018), the EU Blockchain Observatory & Forum stated that
“Public, permissionless blockchains represent the greatest challenges in terms of
GDPR compliance”. Despite the active research on this very important topic,
to date we have noticed only two systematic literature reviews (SLRs) covering
related research progress, both published in 2021. In one SLR, Haque et al.
(2021) identified 39 papers covering this topic by searching into two databases
(IEEE and Scopus), and in the other SLR, Suripeddi and Purandare (2021)
identified 41 papers for their review by searching into three databases (Science
Direct, ACM and IEEE). Both SLRs are not sufficiently comprehensive due
to the limited databases and keywords they used and the over-strict inclusion
criteria. We also noticed another literature review paper following a different
review technique (Levy and Ellis’ narrative review of literature methodology),
which used a forward and backward search technique to posit a framework for
adopting a blockchain that follows the GDPR (Al-Abdullah et al., 2020). This
non-systematic literature review also suffers from having a very limited number
of papers covered – just 39.
For our SLR, we expanded the databases searched to Scopus, WoS (Web
of Science) and Google Scholar, which allowed us to access gray literature as
well. Our SLR therefore led to a much more comprehensive coverage with 114
research articles, making it possible to draw a much bigger picture of relevant
research work. We also decided to limit our scope to public blockchains only
considering the statement in the EU Blockchain Observatory & Forum’s 2018
report (Lyons et al., 2018). This allowed us to focus on blockchain systems with
more essential challenges in terms of the GDPR compliance.
Compared with past reviews on the same topic, our SLR makes a number of
new contributions due to our larger coverage of related research papers and a
more in-depth analysis of the included papers. First of all, we have considered
different types of personal data that can be stored and processed on a blockchain
and identified both challenges and proposed solutions for each data type. Our
findings also cover limitations and consequences of proposed solutions as well
as contradicting opinions that will allow our readers to get a better idea about
the current state of the art. Second, we considered different roles and respon-
sibilities in the blockchain data processing ecosystem, provided perspectives at
the network and application levels, and categorized discussions in the research
literature accordingly, all of which have been largely overlooked in other litera-
ture reviews. Finally, we reviewed the covered research papers by considering a
broader scope of GDPR-related elements, which allowed a much more in-depth
and precise representation of the literature.
For our SLR, we followed the PRISMA protocol widely used in many dis-
ciplines (Liberati et al., 2009). Our results revealed that the tension between
the GDPR and public blockchains has been studied around three main issues:
(i) difficulties in exercising data subjects’ rights such as the RTBF due to the
immutable nature of public blockchains; (ii) difficulties in identifying roles and
responsibilities in the public blockchain data processing ecosystem (particularly
on the identification of data controllers and data processors); (iii) ambiguities
regarding the application of the relevant law(s) due to the distributed nature of
3
blockchains. Our work also led to a better understanding of GDPR-compliance
related solutions proposed in the literature, e.g., those around assuring the
RTBF using hashing, and the use of smart contracts to manage consent. The
results of our SLR can help inform blockchain researchers and developers, policy
makers and law markers to consider how to reconcile the tension between public
blockchain systems and the GDPR. Note that our results are not limited to the
GDPR since many other data protection laws and regulations share similar data
protection principles with the GDPR.
The rest of the paper is organised as follows. In Section 2, important back-
ground information about the blockchain technology and the GDPR is given.
Section 3 explains our research methodology. Our detailed analysis of the cov-
ered papers is given in Section 4. Then, we summarise the results into three
main areas (GDPR-compliance, proposed solutions, roles and responsibilities)
in Section 5. The final section concludes the paper.
2. Background
2.1. Blockchain Technology
From a technical perspective, a blockchain is a distributed database that is
formed as a chain of data blocks and offers a solution through decentralising
storage and processing of data. Each block in a blockchain normally composes
two parts: transactional data and metadata. The metadata typically contains,
inter alia, a timestamp, hash value of the block, and a hash value of the previous
block. All hash values are computed using a cryptographically hard one-way
function. This allows blocks to be linked to each other to form a chronological
database. This very nature of the blockchains results in any modification of data
to be detected by other participants of the network as the hash of the next block
would not correspond to the data on the modified one. This feature is called
“immutability” and leads public blockchains to be regarded as tamper-proof.
As another important feature of public blockchains, a full copy of a dis-
tributed database is stored at each node that is part of the blockchain system.
Since there is no central authorities, trust is achieved via the distributed storage
(i.e., a distributed ledger) and a distributed consensus mechanism. The latter
is needed to ensure different nodes will converge to the same distributed ledger,
rather than all nodes produce different ledgers therefore leading to inconsistency
in the system. The distributed consensus mechanism determines how new data
blocks are added into a blockchain and how all nodes agree which branch to
follow if there are multiple chain branches. There are several consensus algo-
rithms used by different blockchain systems, and Proof of Work (PoW) used by
Bitcoin is so far the most widely used one, in which new blocks are added to
the chain by nodes who compete against each other by solving a mathematical
puzzle (normally defined by a cryptographic hashing function). The node who
first solves the puzzle creates a new block and a longer chain for others to fol-
low. Such nodes are called miners. Miners need to spend a lot of computational
power on solving mathematical puzzles and are incentivised by being awarded
4
coins for being the first puzzle solver. Those algorithms are used to confirm
consensus of the current state of the ledger and to ensure that all nodes have
the same copy.
The blockchain technology also utilises asymmetric cryptosystems, mainly
for verifying authenticity of a transaction and its sender and receiver. Each user
in a blockchain network has their own private key and public key. The private
key is used by a transaction sender to sign a transaction using a digital signature
algorithm, which can then be verified by other users using the sender’s public
key.
Blockchain systems can be classified into three broad categories: public
(permissionless) blockchains, consortium (permissioned) blockchains and pri-
vate blockchains. Public blockchains are open to anyone and allow any partici-
pants to join the network and read, send, or receive data on the blockchain. In
contrast, there are constraints on consortium blockchains and normally write
permissions are granted to a pre-selected set of participants only. When only
one participant has such a privilege, then we have a private blockchain system.
Finally, smart contracts are another associated technology based on the
blockchain technology, which can fully automate self-enacting electronic con-
tracts. They allow a distributed protocol (such as a set of business rules) to be
executed and enforced automatically.
2.2. The GDPR
In order to pursue the objective of protection of fundamental rights and to
protect personal data of individuals, the GDPR strengthens the protection of
individuals’ personal data primarily by defining principles and the lawful bases
for processing their personal data, and also specifying rights for individuals.
In this section, we will give the definition of a relevant subset of these ele-
ments which are important to understand the GDPR compliance issues of public
blockchain systems.
2.2.1. Personal Data and Data Subjects
Two core concepts, personal data and data subjects, are at the core of the
GDPR. The GDPR defines “personal data” in Article 4 as:
Any information relating to an identified or identifiable natural person
(‘data subject’)
Here, the definition of “identifiable natural person” (i.e., “data subject”) is given
as:
One who can be identified, directly or indirectly, in particular by reference
to an identifier such as a name, an identification number, location data,
an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that
natural person.
5
摘要:

ASystematicLiteratureReviewoftheTensionbetweentheGDPRandPublicBlockchainSystemsRahimeBelen-Saglama,EnesAltuncua,YangLub,ShujunLia,aInstituteofCyberSecurityforSociety(ICSS)UniversityofKent,KeynesCollege,Canterbury,CT27NP,UnitedKingdombSchoolofScience,TechnologyandHealthYork,StJohnUniversity,LordMayo...

展开>> 收起<<
A Systematic Literature Review of the Tension between the GDPR and Public Blockchain Systems_2.pdf

共64页,预览5页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:64 页 大小:1014.46KB 格式:PDF 时间:2025-04-27

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 配电装置 动力学连接体 力的合成 高考理综 全宋诗作者索引 公务员考试
/ 64
评分 收藏
分享
立即下载
客服
关注