Storing private data on a blockchain does not comply with Spanish legislation.
The report highlights that a blockchain depends on other mechanisms to achieve its optimal security.
The Spanish Agency for Data Protection, official government body, does not recommend using a blockchain or distributed databases to record sensitive personal data.
The comments about blockchain and the handling of personal data are included in a report about how different technologies are used in public administration for the protection of data of the civilian population.
Despite the fact that the agency considers that blockchain could be adapted to the appropriate provisions and protocols, “the publication of personal data in clear on the block chain must be avoided, which should be hosted off-chain, in traditional databases or other information systems of the person in charge “, they indicate.
If it is not possible to avoid the registration of personal data on a blockchain, the appropriate cryptography must be used to encrypt the data and guarantee the confidentiality of the information.
However, it is recommended to limit the information inserted into the blockchain as much as possible, so that the data are protected by default in the data insertion protocol, but not entirely supported by the technology used to store them.
This observation is made considering that a distributed network requires constant configuration and evaluation. Both the consensus mechanisms, the cryptography and the interaction parameters between participants, must be well defined to reduce the risk of data manipulation.
The report also indicates that a distributed database does not necessarily function on its own in terms of protecting embedded data. Blockchain must be integrated with other technological implementations to be completely secure, they affirm.
“We must not forget that blockchain is the solution, or one of the technological solutions, that supports data processing, within which there will be other tools for access, management and even intermediation mechanisms for users. All these elements have their own vulnerabilities, specifically security, so the risks must be analyzed and the necessary measures implemented to avoid identity theft in the execution of transactions and guarantee comprehensive security. “
Spanish Agency for Data Protection.
Can blockchain comply with the legal regulation?
According to the report, blockchain compatibility with the provisions of the General Data Protection Regulation, which governs this activity, should be analyzed.
The AEPD suggests paying attention to the legal section “Responsibility for treatment”, where the responsibility of those who coordinate the insertion of data in a registry is determined. The organization notes that blockchain makes it difficult to identify its participants, an issue that would not be desirable since in the case of personal data, one must have knowledge of who handles the information inserted there.
They also point to the “Right to be forgotten” as one of the legal principles to defend, in contrast to the immutability of data as characteristics that distributed blockchain networks have, so each insertion of data must be done carefully since it cannot be modified later.
The third aspect that they ask to be clear is that personal data should not be visible longer than necessary, so that the immutability of certain blockchains and their transparency, makes it difficult for these data to remain hidden once they are definitively registered by whoever operates them.
Fourth, they mention confidentiality as a crucial factor in making it possible to record personal data on the blockchain. The reason is implicit since the information would be shared by several network participants.
However, for this very reason the availability of the nodes will determine how accessible the information is at times, since there is usually no guarantee that the nodes remain connected and with this information available to those who need it, when they need it.
Finally, they point out that the connectivity between the nodes of the network can lead to an international transfer of data, which conflicts with the legislation. The agency recommends establishing the principles of privacy and confidentiality from the initial design of the network, as well as the governance model.