The GDPR’s Data Minimisation Principle and Blockchain Technology
For the third article of our legal series surrounding DAOs, we focus on the data minimisation principle. This principle implies that collecting personal data must be kept to a minimum, and that data collected be used only for predefined and specific purposes. In the Big Data economy where obtaining as much personal data as possible is a thriving business model, data minimisation comes into question. Could blockchain-based organisations actually bring a possible solution to this problem?
Data Minimisation as a Design Principle
Blockchains are ever growing databases where the deletion of personal data, especially on public permissionless blockchains, is extremely hard or almost impossible. This doesn't mean, however, that blockchains cannot be designed with the data minimisation principle in mind.
When designing a blockchain or blockchain-based applications, the easiest path to comply with the Data Minimisation principle is to avoid storing any personal data on the blockchain in the first place. Although this might not always be possible, a blockchain should at least be conceived and structured with a data minimisation mindset: the smallest possible amount of personal data should be collected, and it should only be collected for a specific reason. In other words, the disclosure of your personal data should involve the minimum amount of data necessary to accomplish the task at hand.
One really promising fact about blockchain-based applications and organisations is that they can actually better comply with the principle of Data Minimisation than centralised systems and organisations.
Trustlessness
Blockchain technology is based upon the idea of trustlessness. In a centralized system, there is always an intermediary that you need to trust which stores your personal data and interacts on your behalf. On the contrary, blockchain-based systems are designed based on the principles of self-control and self-responsibility. All interactions in a blockchain-based system are peer-to-peer, meaning that there are no intermediaries. This also means that people are in control over the sharing and disclosure of their own personal data.
Blockchains are, however, not fully optimised regarding the data minimisation principle. As mentioned in our first article regarding the applicability of the GDPR to DAOs, when interacting with public permissionless blockchains, the public key stored with every transaction you make on the blockchain could potentially lead to tracing your identity and could thus, be considered as personal data. New decentralised applications and tools could nevertheless solve this issue by offering a more private and secure way of interacting with the blockchain.
Self Sovereign Identity systems
One of these promising solutions regarding data minimisation and data privacy is the development of Self Sovereign Identity systems (SSI). There is no consensus on an exact definition of SSI yet, but roughly, it can be described as a decentralised solution enabling a person to own, control, and share their identity and data as needed. The concept in itself is not new, but blockchain technology has spurred the technical development and a renewed interest towards it.
Though still under development, SSI systems should not be considered as just pie in the sky, as they are likely to be adopted. In the context of DAOs, SSI systems could be used to prove the identities of an organization’s members, or to at least verify that someone is a unique human being. Making use of self sovereign identities can prevent massive data breaches as people do not have to rely on third party “identity providers” such as Google and Facebook, or official public institutions like governments. Furthermore, in light of data minimisation, everyone retains the power to decide which personal data they want to share, and which ones they do not.
Zero Knowledge Proof
Another promising tool that could be important for the principle of data minimisation is an encryption scheme called Zero-Knowledge Proof. By making use of a Zero-Knowledge Proof scheme, one party can prove that something is true to another party, without disclosing additional personal information.
When implemented in blockchain, the sender of a transaction, the recipient, and other transaction details can remain anonymous while guaranteeing that the transactions are valid. When interacting with a blockchain-based DAO, this will solve the problem of a public key being used to eventually lead to someone's identity, as their public key is not being revealed.
Regaining Control over Data
The GDPR is a major milestone for EU citizens regarding gaining back control over their personal data. The data minimisation principle of the GDPR is aimed at the intermediaries collecting and storing personal data. Blockchain solutions such as the ones mentioned above go one step beyond and make it actually possible to truly regain control without intermediaries involved. In relation to data minimisation, this implies that no one — other than the person herself — decides upon the minimal and adequate personal information to disclose to handle a specific task. Taking back control over our personal data will bring an end to the blind data harvesting and big data economy, and evolve society towards a data economy where everyone can decide whether they want to participate or not.
[DISCLAIMER]
This article has been funded through the GenesisDAO, but is not biased towards it. This article presents our own views and was written for general information purposes only and does not constitute legal advice.