{"id":100210,"date":"2024-12-17T08:30:00","date_gmt":"2024-12-17T07:30:00","guid":{"rendered":"https:\/\/eiposgrados.com\/?p=100210"},"modified":"2024-12-04T10:17:21","modified_gmt":"2024-12-04T09:17:21","slug":"blockchain-and-the-right-to-erasure","status":"publish","type":"post","link":"https:\/\/eiposgrados.com\/eng\/blog-dpo\/blockchain-y-el-derecho-de-supresion\/","title":{"rendered":"Blockchain and the Right to Erasure: Challenges and Technical Solutions for GDPR Compliance"},"content":{"rendered":"

Blockchain technology, known for its immutability and transparency, poses a significant challenge in the context of the personal data protection<\/strong>, especially when it comes to guaranteeing the exercise of fundamental rights such as right to erasure<\/strong> established in the General Data Protection Regulation (GDPR)<\/strong>Since data stored on a blockchain, by its very nature, is difficult to modify or delete, an apparent contradiction arises between the characteristics of this technology and the legal obligations imposed by data protection regulations.<\/p>\n\n\n\n

In this context, the Spanish Data Protection Agency (AEPD)<\/strong> has developed a Proof of Concept (PoC)<\/strong> to explore how the right to erasure could be applied in a blockchain-based infrastructure. This article analyzes, from a technical and regulatory perspective, the implications of this initiative, detailing the proposed solutions and reflecting on the challenges posed by implementing these measures.<\/p>\n\n\n\n

Blockchain and the Right to Erasure: An Apparent Conflict<\/strong><\/h2>\n\n\n\n

Blockchain is a distributed ledger technology that ensures data integrity and traceability by generating chained and consensus-validated blocks. Its main features include:<\/p>\n\n\n\n

    \n
  1. Immutability<\/strong>: Once data is recorded on the blockchain, it cannot be altered without invalidating all subsequent blocks.<\/li>\n\n\n\n
  2. Transparency<\/strong>: The stored data is accessible and verifiable by network participants.<\/li>\n\n\n\n
  3. Decentralization<\/strong>: Blockchain does not depend on a single entity or server, making it difficult to manipulate.<\/li>\n<\/ol>\n\n\n\n

    However, the right to erasure<\/strong> Article 17 of the GDPR establishes that individuals have the right to request the deletion of their personal data if it is no longer necessary for the purposes for which it was collected, if consent is withdrawn, or if they object to the processing, among other circumstances. This conflicts with the immutable nature of blockchain, as the technology's design makes it difficult to effectively delete data.<\/p>\n\n\n\n

    The AEPD Proof of Concept: An Innovative Approach<\/strong><\/h2>\n\n\n\n

    The AEPD<\/strong>Recognizing this challenge, the company has developed a PoC focused on facilitating the right to erasure on an Ethereum-based blockchain infrastructure. The main objective is to explore how a combination of technical and governance measures can enable GDPR compliance without compromising the essential properties of the blockchain.<\/p>\n\n\n\n

    Key Aspects of the PoC<\/strong><\/h2>\n\n\n\n
      \n
    1. Blockchain Infrastructure<\/strong>
      The PoC uses a private, permissioned blockchain, configured with two validator nodes in archive mode. This allows for tighter control over participants and facilitates the management of stored personal data.<\/li>\n\n\n\n
    2. Governance and Policies<\/strong>
      Organizational measures and policies are established to regulate access to data and the procedures for exercising the right to erasure.<\/li>\n\n\n\n
    3. Suppression Techniques<\/strong>
      The PoC proposes a solution based on overwriting data in the nodes' underlying database (leveldb) through a hard fork. This procedure eliminates all traces of personal data without compromising the overall functionality of the blockchain.<\/li>\n<\/ol>\n\n\n\n
      \"blockchain\"
      Blockchain technology <\/figcaption><\/figure>\n\n\n\n

      1. Data Overwriting on Nodes<\/strong><\/p>\n\n\n\n

      In the PoC, the personal data to be deleted is identified in the nodes' databases. These databases use data structures such as trees. Merkle-Patricia Trie<\/strong> to store transaction information and account statements. The deletion procedure involves:<\/p>\n\n\n\n