1. BLOCKCHAIN IS NOT ALWAYS STRICTLY IMMUTABLE
Already in the very first paper on Blockchain, “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto, there was the notion of pruning: “Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.” Meaning even in the first-generation protocol of Bitcoin, there is a technical method to delete certain data from the chain. So far, this has not been implemented, but there is a methodology to achieve this without breaking the system. Obviously in this particular way, a node operator could still choose to maintain all data that ever comes across, so in practice this may not be with Bitcoin unless additional safeguards to guarantee this are being put in place. With later-generation protocols, such as with EOSIO, there is more sophisticated governance in place. By designating certain block producers who could, based on a constitution, agree to remove certain data, or mutually agree to block access to certain data for the outside. Even though this may limit transparency and centralizes some of the decision making, this may still be a feasible solution for certain use cases. For example Europechain aims at setting up networks with only EU/EEA block producers that are all under a Data Protection Agreement (DPA), specifically to offer a GDPR compliant way in which blockchain can be used while keeping most of the advantages of using blockchain in place. Immutability can for certain purposes be very valuable, but for Personal Data it may not be ideal.
2. THE RIGHT TO BE FORGOTTEN IS NOT ABSOLUTE
The right to be forgotten if often cited as the holy grail of protection your personal data, but it can not always be applied. According to Article 17, it can for example be used under the following circumstances: Personal data is no longer needed for the purpose, for example, if it was processed for the provision of a contract (Article 6.1(b)), but the contract has been cancelled or has expired. It was processed under consent (Article 6.1(a)), and the consent has been withdrawn. It has been processed under legitimate interest, but the legitimate interest has been challenged and no overriding interests prevail. The processing was unlawful in the first place. The right to be forgotten does for example not apply if the processing is (still) necessary for the performance of a contract, for scientific or historical reasons in the public interest, to comply with a legal obligation, or if the legitimate interest continues to overrule the interest of the data subject. If a controller has made the personal data public, and publishing on a public Blockchain should be seen as making public, they are required to inform others who are processing the data that should be deleted. It’s an interesting question how that should work in a distributed environment with public actors, but this is not impossible.
詳見全文Full Text： Dataconomy
若喜歡本文，請關注我們的臉書 Please Like our Facebook Page： Big Data In Finance