Public blockchains, LGPD and the right to be forgotten: can they be reconciled?


Can public blockchains comply with the dictates of Law 13.709/2018 (Brazil's General Data Protection Law), especially with regard to the alteration and removal of data? Let's see.

Article 16 of the LGPD (Law 13.709/2018) states that:

‘Art. 16: Personal data will be deleted after the end of their processing, within the scope and technical limits of the activities, with retention authorized for the following purposes:
I - compliance with a legal or regulatory obligation by the controller;
II - study by a research body, guaranteeing, whenever possible, the anonymization of personal data;
III - transfer to a third party, provided that the data processing requirements set out in this Law are complied with; or
IV - exclusive use by the controller, with no access by third parties, and provided that the data is anonymized.’

Recall that processing, for the purposes of this law, is defined as:

‘Art. 5, X: any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction;’

And personal data is defined as:

‘Art. 5, I: information relating to an identified or identifiable natural person;’

It should be noted that the law requires personal data to be erased once processing has ended, with the exception of the retention cases listed above (Art. 16). This requirement, however, comes into direct conflict with so-called public blockchains. Let's understand why in what follows.

Public blockchains, such as Bitcoin [1], can be accessed by any interested individual, and some even allow a degree of anonymity for their users [2]. Private blockchains, on the other hand, can be configured so that only certain individuals can access them and can require (and usually do require) that these users be identified.

Another characteristic of public blockchains is that they are decentralized, i.e. there is no entity, governmental or otherwise, controlling the network. Private blockchains, by contrast, have one or more entities responsible for their implementation, configuration and management.

Another difference between public and private blockchains concerns the immutability of the data stored on them. Public blockchains are designed to prevent undue alteration of data by distributing copies among their participants and applying cryptographic operations (hash chaining of blocks) that make any tampering with the integrity of the information detectable [3]. Private blockchains also aim for data immutability; however, depending on how they are structured, and if the entity that maintains them so decides, entire chains can be deleted, and with them all the data, including the personal data that is the focus of this brief essay.

This is where two points of friction arise between data protection regulations (GDPR, LGPD, CCPA, etc.) and public blockchains: their immutability makes it impossible to change or remove data, and their decentralized nature prevents any one entity from being held responsible for non-compliance with the obligations related to such operations. The most that can be achieved is to append new blocks with updated information, but the old information remains, in theory, eternally available on the network [4].

Another point of conflict is the role of data controllers, who are defined by the LGPD in Article 5:

‘Art. 5, VI: natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data;’

While laws such as the LGPD assign responsibilities to data controllers in centralized organizations, in public blockchains, because of their operating philosophy, no individual participating in the network can be identified as a controller.

In these public networks, any device that connects to the structure as a ‘node’ keeps a full copy of the blockchain. However, by the very design of the technology that guarantees the immutability of the data, there is no way for such participants to obtain privileges to correct or delete information once that data has been incorporated into the blockchain. It is also fair to say that, once included in a public blockchain, no individual is in control of this data, as it is decentralized and resistant to both modification and deletion.
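As an added illustration of the immutability described above (this is example code, not part of the original essay or of any real blockchain implementation), here is a minimal hash-chained ledger in Python. A node that edits or deletes the block holding personal data in its own copy produces a chain that every other node's verification rejects, while the only accepted operation, appending a correction block, leaves the original record in place. The block layout, the `verify_chain` check and the sample records (a fictitious KYC entry) are all constructed for this example.

```python
import copy
import hashlib
import json

def block_hash(index, prev_hash, data):
    # The hash commits to the block's position, its predecessor's hash and its payload.
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_block(chain, data):
    prev = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "prev": prev, "data": data}
    block["hash"] = block_hash(block["index"], prev, data)
    chain.append(block)
    return block

def verify_chain(chain):
    # Returns the position of the first inconsistent block, or None if the chain is intact.
    expected_prev = "0" * 64
    for pos, b in enumerate(chain):
        if (b["index"] != pos or b["prev"] != expected_prev
                or b["hash"] != block_hash(b["index"], b["prev"], b["data"])):
            return pos
        expected_prev = b["hash"]
    return None

def build_sample_chain():
    # Constructed sample ledger: block 1 carries personal data of a fictitious holder.
    chain = []
    append_block(chain, {"event": "genesis"})
    append_block(chain, {"event": "kyc", "name": "Maria Example", "cpf": "000.000.000-00"})
    append_block(chain, {"event": "payment", "amount": 10})
    return chain

def erase_in_place(chain, pos):
    # A node tries to honour an erasure request by overwriting the record in its own copy.
    local = copy.deepcopy(chain)
    local[pos]["data"] = {"event": "kyc", "name": "[erased]"}
    return verify_chain(local)  # other nodes would reject this copy from this position on

def delete_block(chain, pos):
    # A node tries to drop the offending block entirely from its copy.
    local = copy.deepcopy(chain)
    del local[pos]
    return verify_chain(local)

def append_rectification(chain, pos):
    # The only operation the chain accepts: a new block that supersedes the old record.
    append_block(chain, {"event": "rectification", "supersedes": pos})
    return verify_chain(chain) is None and "cpf" in chain[pos]["data"]
```

Both local attempts at erasure return position 1, the first block the rest of the network would refuse, whereas the rectification passes verification yet leaves the CPF readable in block 1.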

And there is yet another issue to be raised: the so-called Right to be Forgotten in the face of public blockchains.

This right, which is also provided for in Art. 17 of the GDPR [5], relates, in the context of data protection laws, to information that must be erased when it is no longer necessary for the purposes of processing. In Brazil there is no specific regulation of this right, but there are decisions of the STJ (Superior Court of Justice) to this effect [6].

The point is that, again due to the immutable nature of public blockchains, this right would not be achieved when there is a need to remove personal information based on the need to be forgotten. Public blockchains thus promote the ‘right not to be forgotten’, rendering judicial decisions to the contrary innocuous.

In addition, some are considering the use of other technologies (such as smart contracts) to avoid or prevent the insertion of personal data into such blockchains, but this possibility is ruled out by the (once again) decentralized nature of public networks, which operate without a defined person in charge. Such preventive controls can be, and indeed are, used when necessary in private blockchains, precisely because of their centralized management.

Finally, it is worth remembering that Art. 16 of the LGPD requires the deletion of personal data:
‘(...) within the scope and technical limits of the activities, (...)’

This expression leaves the law's interpreters the task of deciding whether or not to punish anyone who proves that it is technically impossible to remove personal data that they have, for one reason or another, recorded on a public blockchain, a situation known as blockchain privacy poisoning [7].


Hugo Dias Nogueira

Consultant in Service Management, Governance and Digital Transformation | Facilitator | Specialist in Best Practices and Digital Business
