What is a blockchain? 

A distributed ledger is a replicated, shared, and synchronised digital data structure maintained by consensus algorithm and spread across multiple sites, countries, and/or institutions. Blockchain is a type of distributed ledger, comprised of digitally recorded data in packages called blocks which are linked together in chronological order in a manner that makes the data very difficult to alter once recorded, without the alteration of all subsequent blocks and a majority of the network colluding together. Each node on the network (generally) contains a complete copy of the entire ledger, from the first block created—the genesis block—to the most recent one. Each block contains a hash pointer as a link to a previous block, a timestamp and transaction data.

What is a Smart Contract?

Smart contracts use blockchain technology. The term is used to describe computer program code, maintained on the various “nodes” constituting a blockchain network that is capable of facilitating, executing, and enforcing the negotiation or performance of an agreement upon the occurrence of predefined conditions. The smart contract code executes on each node and the resulting output is stored on the blockchain. Where “tokens” of value are involved, the smart contract code can also automatically transfer these tokens (and underlying value), thus effectively enforcing the outcome of the smart contract code.

Do blockchains process personal data?

‘Personal data’ is any information relating directly or indirectly to a ‘living natural person’, whether it actually identifies them or makes them identifiable. To determine whether data protection rules apply, we need to assess whether personal data is being processed when blockchain technology is used. The nature of the public blockchain means that every transaction taking place will be published and linked to a published public key that represents a particular user. That key is encrypted so that noone who views the blockchain would be able to directly identify the individual or corporate entity that represents the user. However, the re-use of the public key enables individuals to be singled out by reference to their public key, even if they cannot be directly identified. Indeed the very purpose of the public key is to single out the authors of a given transaction, to ensure that transactions are attributed to the correct people. The public key, when associated with an individual, will likely qualify as personal data for the purposes of European data protection legislation. Some newer blockchain technologies permit the public key not to be published, which may alter the analysis. When the public key is visible, it could be possible to attain information that enables an individual to be identified, either because it is held by the service provider or because someone is able to connect a public key to an individual or organisation, (for example, through their IP address or its connection with a website). At that point, all transactions that the relevant individual has made are publicly available.

In 2014, the Article 29 Working Party, provided guidance on the difference between pseudonymised and anonymised data in its Opinion 05/2014 (WP 216). This distinction is important in relation to blockchain as data protection rules do not apply to anonymised data, as such data cannot be traced back to a living individual. However, the threshold for data to qualify as anonymised is very high. The guidance states that ‘anonymisation results from processing personal data in order to irreversibly prevent identification.’ Data controllers must have regard to all means likely reasonably to be used for identification (either by the controller or any third party). Because hashing permits records to be linked, hashing will generally be considered a pseudonymisation technique, not an anonymisation technique. This high standard continues to apply under the European General Data Protection Regulation 2016/679 (GDPR). Encrypted personal data can often still be traced back to a person if enough effort is put into it by experts or someone holds the key to decryption. Therefore, encrypted data will often qualify as personal data and not as anonymous data. This means that in most instances the privacy rules will be applicable to at least some of the data involved in blockchain systems.

 image

Variety of blockchain systems

There is no single model for blockchain systems. Unlike the Internet, blockchain has no single set of standards, meaning that the technology can be deployed in an almost infinite variety of configurations. Each project will therefore have to be analysed on its own distinct merits.

Private vs. Public blockchains

From a privacy perspective, it matters greatly whether the blockchain is generally accessible or only accessible to parties that are members of a closed group. For instance, this may influence the assessment of whether data is transferred to countries that do not ensure adequate protection. On another level, it is possible that each party to the blockchain network only has “access” to part of the information stored via the blockchain. As each party has its own copy of the entire blockchain, restricted access is achieved via encryption. Depending on how this is given substance, it may help to ensure compliance with the relevant privacy requirements. Similar to debates in the cloud industry, blockchain will raise the questions of whether making a copy of a hash in, for example, Singapore means that data has been “transferred” to Singapore for the purposes of data protection law. In some sense, data put on a public blockchain is similar to data posted to the public internet. The reasoning in the CJEU’s Bodil Lindvist case (C 101/01) may apply to the question of transfer. The CJEU held that it cannot be presumed that the word “transfer”, which is not actually defined in the Directive, was intended to cover the loading by an individual of data onto an Internet page.

“Off-Chain” 

There have recently been some experiments made on public blockchains by introducing “off-chain” mechanisms to store the confidential information separately on another system with access control restrictions. To protect data and manage storage on the blockchain, some solutions use only a hash of personally identifiable information (PII), which serves as a reference point and link to an off-chain PII database. Storing information “offchain” provides privacy of the transaction details. The “off-chain” system can be set up to restrict access to the transaction details to authorised parties only. However, storing information “off-chain” also negates a number of the advantages of using blockchain. The blockchain can no longer be a single, shared source of truth and in most cases both counterparties will be required to maintain their own records.

“Sidechains”

Unlike “off-chain”, which generally stores the chosen information on a traditional network, but at the expense of the benefits of using a blockchain, a “sidechain” is a parallel blockchain. It sits alongside the primary blockchain, serving multiple users and generally persisting permanently. The degree of confidentiality and privacy provided for transactions that take place on sidechains depends on what technology the sidechain uses. These sidechains are independent. If they fail or are hacked, they won’t damage other chains. So damage will be limited within that chain. This has allowed people to use sidechains to experiment with pre-release versions of blockchain technologies and sidechains with different permissions to the primary blockchain.

Non-Permissioned vs. Permissioned Blockchains

With non-permissioned blockchain applications, all parties are in principle free to add information to the blockchain. With permissioned blockchain, on the other hand, access is restricted. In this way, trusted intermediaries are reintroduced into the system, which impacts the allocation of control over it. The party that determines the means and the purposes for the processing should ensure that the privacy rules are taken into account, meaning the choice between nonpermissioned and permissioned control also influences which parties should comply with what privacy requirements.

Hyperledger

Hyperledger is a hub for open industrial blockchain development; it is not a company, a cryptocurrency, or a blockchain. Hyperledger provides technical knowledge, software frameworks and contacts to industries and developers. The platform aims to “create an enterprise-grade, open source distributed ledger framework and code base” as well as creating, promoting and maintaining an open infrastructure. Hyperledger incubates and promotes a range of business blockchain technologies, including distributed ledger frameworks, smart contract engines, client libraries, graphical interfaces, utility libraries and sample applications. One of the distributed frameworks is called Hyperledger Fabric (“HLF”), which is an open-source project within the Hyperledger umbrella project. HLF is a modular, general-purpose, permissioned blockchain system, which can also be seen as a distributed operating system for permissioned blockchains. (Source: www.hyperledger.org)

R3

R3 is the largest consortium of global financial institutions working on developing commercial applications for the distributed ledger technology. R3 has its own proprietary ledger that can be used to develop applications, and it also supports an infrastructure network for financial services firms and technology companies wanting to build their own ledger-based applications and services. The blockchain technology that R3 is currently developing is a distributed ledger platform designed specifically for financial services, called Corda. The Corda network is permissioned, with access controlled by a doorman. Communication between nodes is point-to-point, instead of relying on global broadcasts. Each network has a doorman service that enforces rules regarding the information that nodes must provide and the know-your-customer processes that they must complete before being admitted to the network.

Zero Knowledge Proofs

A zero knowledge proof (“ZKP”) is a cryptographic technique which allows two parties (a prover and a verifier) to prove that a proposition is true, without revealing any information about that thing apart from it being true. A zk-SNARK (zero-knowledge Succinct Non-Interactive Arguments of Knowledge) is a ZKP that proves some computation fact about data without actually revealing the data. Zk-SNARKS are the underlying cryptographic tool used for verifying transactions in Zcash. This is done while still protecting users’ privacy. Zcash can be described as an encrypted open, permissionless, replicated ledger. It is a cryptographic protocol for putting private data on a public blockchain. Zcash uses zk-SNARKS to encrypt all of the data and only gives decryption keys to authorised parties. Previously this could not be done on a public blockchain because if everything was encrypted it would prevent miners from checking to see if transactions were valid. However ZKPs made this possible by allowing the creator of a transaction to make a proof that the transaction is true without revealing the sender’s address, the receiver’s address and the transaction amount. ZKPs and blockchains complement each other – a blockchain is used to make sure the entire network can agree on some state that may or may not be encrypted, whereas ZKPs allow you to be certain about some properties in that state. 

Conclusion

Blockchain is a type of distributed ledger technology that ensures data integrity and security by linking blocks of information in a chronological and tamper-resistant manner. Smart contracts enhance blockchain’s capabilities by enabling automated and enforceable agreements. While blockchain offers transparency and decentralization, privacy concerns arise due to the visibility of public keys and potential personal data exposure. Different blockchain models, such as private vs. public, permissioned vs. non-permissioned, and sidechains vs. off-chain solutions, offer varied applications and levels of security. Innovations like Hyperledger, R3’s Corda, and Zero-Knowledge Proofs (ZKPs) further enhance blockchain’s potential by improving scalability, privacy, and enterprise adoption. As blockchain technology evolves, it continues to reshape industries with new applications and security measures.