Blockchain technology, known for its immutability and transparency, poses a significant challenge for personal data protection, especially when it comes to guaranteeing the exercise of fundamental rights such as the right to erasure established in the General Data Protection Regulation (GDPR). Since data stored on a blockchain is, by its very nature, difficult to modify or delete, an apparent contradiction arises between the characteristics of this technology and the legal obligations imposed by data protection regulations.
In this context, the Spanish Data Protection Agency (AEPD) has developed a Proof of Concept (PoC) to explore how the right to erasure could be applied in a blockchain-based infrastructure. This article analyzes, from a technical and regulatory perspective, the implications of this initiative, detailing the proposed solutions and reflecting on the challenges posed by implementing these measures.
Blockchain and the Right to Erasure: An Apparent Conflict
Blockchain is a distributed ledger technology that ensures data integrity and traceability by generating chained and consensus-validated blocks. Its main features include:
- Immutability: Once data is recorded on the blockchain, it cannot be altered without invalidating all subsequent blocks.
- Transparency: The stored data is accessible and verifiable by network participants.
- Decentralization: Blockchain does not depend on a single entity or server, making it difficult to manipulate.
However, the right to erasure (Article 17 of the GDPR) establishes that individuals have the right to request the deletion of their personal data if it is no longer necessary for the purposes for which it was collected, if consent is withdrawn, or if they object to the processing, among other circumstances. This conflicts with the immutable nature of blockchain, as the technology's design makes it difficult to effectively delete data.
The AEPD Proof of Concept: An Innovative Approach
Recognizing this challenge, the AEPD has developed a PoC focused on facilitating the right to erasure on an Ethereum-based blockchain infrastructure. The main objective is to explore how a combination of technical and governance measures can enable GDPR compliance without compromising the essential properties of the blockchain.
Key Aspects of the PoC
- Blockchain Infrastructure: The PoC uses a private, permissioned blockchain, configured with two validator nodes in archive mode. This allows for tighter control over participants and facilitates the management of stored personal data.
- Governance and Policies: Organizational measures and policies are established to regulate access to data and the procedures for exercising the right to erasure.
- Suppression Techniques: The PoC proposes a solution based on overwriting data in the nodes' underlying database (leveldb) through a hard fork. This procedure eliminates all traces of personal data without compromising the overall functionality of the blockchain.

1. Data Overwriting on Nodes
In the PoC, the personal data to be deleted is identified in the nodes' databases. These databases use data structures such as the Merkle-Patricia Trie to store transaction information and account states. The deletion procedure involves:
- Detection of affected data: Transactions and account states are analyzed to identify the blocks, transactions, and storage structures where personal data appears.
- Overwriting values: Values related to personal data are overwritten with constant values (e.g., 0xaaaaaaaa…). This includes:
  - The transaction fields.
  - Leaf nodes in the state tree (State Trie).
  - The values stored in Smart Contracts.
2. Hard Fork to Manage Inconsistency
Data overwriting across nodes creates an inconsistency in the original blockchain, as the modified values do not match the rest of the nodes. To address this, the PoC proposes the implementation of a Hard Fork, which generates a new version of the blockchain in which personal data has been effectively eliminated.
Consensus among validator nodes on the acceptance of the Hard Fork is reached through a mechanism inspired by Bitcoin's BIP-0009. In this case, the MixDigest field of blocks, which is not used in the Clique protocol, is used to record the validator nodes' support for the new version.
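The inconsistency described in sections 1 and 2, as an added Python sketch that is not code from the AEPD PoC or from geth: it overwrites a transaction containing personal data with 0xaa bytes, finds the first block whose committed root no longer verifies, and re-seals the chain from that block as a hard fork would. SHA-256 and a flat transaction root stand in for Keccak-256 and the Merkle-Patricia Trie, and all function names and sample transactions are constructed for the example.

```python
import hashlib

FILL = 0xAA  # constant overwrite byte, as in the article's 0xaaaaaaaa... example

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for Ethereum's Keccak-256 (stdlib only)
    return hashlib.sha256(data).digest()

def tx_root(txs):
    # Assumption: a flat hash of tx hashes stands in for the Merkle-Patricia Trie root
    return h(b"".join(h(t) for t in txs))

def header_hash(hdr):
    return h(hdr["number"].to_bytes(8, "big") + hdr["parent"] + hdr["tx_root"])

def seal(bodies, start=0, prefix=()):
    """Build headers for bodies[start:], chained onto the first `start` headers of prefix."""
    headers = list(prefix[:start])
    for n in range(start, len(bodies)):
        parent = header_hash(headers[-1]) if headers else bytes(32)
        headers.append({"number": n, "parent": parent, "tx_root": tx_root(bodies[n])})
    return headers

def first_inconsistency(headers, bodies):
    """Number of the first block whose body or parent link fails to verify, else None."""
    for n, hdr in enumerate(headers):
        bad_link = n > 0 and hdr["parent"] != header_hash(headers[n - 1])
        if bad_link or hdr["tx_root"] != tx_root(bodies[n]):
            return n
    return None

def overwrite(bodies, needle: bytes):
    """Overwrite each tx containing `needle` with FILL bytes; return affected block numbers."""
    hit = []
    for n, txs in enumerate(bodies):
        for i, tx in enumerate(txs):
            if needle in tx:
                txs[i] = bytes([FILL]) * len(tx)  # same length, constant content
                hit.append(n)
    return hit

def demo():
    # Constructed sample chain: block 2 carries personal data
    bodies = [[b"genesis"], [b"pay bob 5"], [b"name=Alice Doe;id=123"], [b"pay carol 7"]]
    old = seal(bodies)
    hit = overwrite(bodies, b"Alice Doe")
    broken_at = first_inconsistency(old, bodies)     # old headers no longer verify
    new = seal(bodies, start=broken_at, prefix=old)  # hard fork: re-seal from there
    return old, new, hit, broken_at, bodies
```

Blocks before the overwritten one keep their original hashes, while every block from the overwrite onward gets a new hash, which is why all validators have to agree on the new version of the chain.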
3. Modification of the Node Software
To implement these measures, it was necessary to modify the Ethereum client software (geth) at several key points:
- Synchronizing new nodes: Adaptation of the synchronization process so that nodes joining the network automatically adopt the updated version of the blockchain.
- Local database: Incorporation of the necessary modifications to overwrite personal data.
- Consensus of the nodes: Implementation of a mechanism to reach agreement on the new version of the chain.