
ILJ Online

ILJ Online is the online component of Fordham International Law Journal.

Rising Global Cybersecurity Risks: How Blockchain-Based Digital Identity Management Systems are Emerging as the Solution

As online transactions become an integral part of daily life, ensuring secure digital identity management has emerged as a global priority.[1] Cybercrime costs are soaring at alarming rates, driven by rapid technological advancements, with damages estimated at $8 trillion USD globally[2]—a figure expected to rise considerably by 2027.[3] Digital identities are crucial for individuals and businesses to access services including banking, healthcare, and government resources, underscoring the urgent need for robust data security.[4]

Governments and organizations are placing greater emphasis on exploring the potential of blockchain technology as a promising solution to digital identity verification.[5] The distinctive features of blockchain—decentralization, security, and immutability—present considerable advantages over conventional centralized identity management systems.[6] Traditional systems often centralize user data, creating vulnerabilities and control issues.[7] In contrast, blockchain enables a “Universal ID” that users can manage independently, ensuring secure portability across different platforms.[8] Each transaction is securely encrypted and recorded within a block’s unique hash, enhancing privacy and data integrity.[9] This approach gives participants on the network access to a shared, transparent record of verified credentials without compromising the integrity of the original data.[10] While blockchain solutions for digital identity management are subject to ongoing debate, they represent a promising approach to addressing a critical and emerging issue.[11] As such, ongoing studies and developments are essential to refine these technologies and fully realize their capabilities in the context of modern digital identity management.[12]

However, the adoption of blockchain solutions in this context encounters considerable legal challenges, especially from an international perspective.[13] The European Union’s General Data Protection Regulation (GDPR) imposes strict privacy standards, including the rights to rectify and delete personal data—provisions that are fundamentally at odds with the immutable nature of blockchain’s ledger.[14] Under the GDPR, the “right to be forgotten” directly conflicts with the enduring nature of data recorded on a blockchain.[15] In blockchain technology, each block’s hash is appended to the next, creating a tamper-resistant and immutable chain.[16] Consequently, data alterations are inherently difficult to implement.[17] While data deletion is technically feasible, it requires extraordinary measures and entails enormous cost.[18] This clash between data permanence and strict privacy standards presents a substantial regulatory challenge for the integration of blockchain into digital identity verification systems.[19] 
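The hash-chaining mechanism described above can be illustrated with a short Python model, added here as an example that is not part of the original post. The record fields, function names, and five-block chain are constructed assumptions, and this single-node sketch does not represent how any particular blockchain, including KSI, is implemented.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, payload):
    """SHA-256 over the block's position, its predecessor's hash and its data."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def build_chain(payloads):
    chain, prev = [], GENESIS
    for i, payload in enumerate(payloads):
        digest = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["payload"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None


def rewrite_from(chain, index):
    """Recompute every hash from `index` onward; returns blocks rewritten."""
    prev = chain[index]["prev"]
    for b in chain[index:]:
        b["prev"], b["hash"] = prev, block_hash(b["index"], prev, b["payload"])
        prev = b["hash"]
    return len(chain) - index


def demo():
    # Constructed sample records; real systems would not look like this.
    chain = build_chain([{"subject": f"user-{i}", "status": "verified"} for i in range(5)])
    peer_tip = chain[-1]["hash"]               # tip hash held by another node
    chain[1]["payload"] = {"erased": True}     # naive erasure of one record
    broken_at = first_invalid(chain)           # chain no longer verifies
    rewritten = rewrite_from(chain, 1)         # repair by re-hashing the tail
    return broken_at, rewritten, first_invalid(chain), chain[-1]["hash"] == peer_tip


if __name__ == "__main__":
    print(demo())
```

Here `demo()` returns `(1, 4, None, False)`: erasing one record breaks verification at that block, repairing it means re-hashing all four blocks from that point on, and the repaired chain's final hash no longer matches the copy held by any other node.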

Despite these challenges, the GDPR’s restrictive regulations have attracted criticism, particularly for stifling the potential of blockchain technology to bolster digital security.[20] Often, the regulations focus more on the limitations of blockchain than on its plethora of security- and compliance-improving benefits.[21] Nevertheless, several countries have progressed with blockchain-based identity management systems, marking an important step toward enhanced digital security.[22]

Estonia has established itself as a global leader in the adoption of blockchain technology with the development of the KSI blockchain, which has significantly improved efficiency, security, and trust across its key government sectors, including justice, healthcare, and commerce.[23] This blockchain infrastructure now underpins Estonia’s state-issued digital identity cards, granting every citizen secure access to essential services like healthcare, banking, and online voting, irrespective of their physical location.[24] Furthermore, Estonia’s innovative “e-Residency” initiative extends digital government services and identity verification internationally, providing safe and universal access to crucial services.[25] This program sets a global precedent for how digital innovation can optimize accessibility and security, paving the way for other nations to follow.[26]

As society’s reliance on digital systems intensifies and cyber threats escalate, blockchain-based identity management emerges as an innovative and decentralized solution, establishing new standards for accessible and verifiable digital identities globally.[27] Utilizing this tool offers substantial benefits, enhancing protection for individuals and businesses alike while facilitating compliance with strict regulatory frameworks.[28] This approach not only fortifies security, but also ensures greater control and transparency in identity verification processes.[29] However, any future implementations must strike a balance between the advantages offered by blockchain-based technologies and the regulatory requirements of frameworks like the GDPR.[30]

Daniel B. Goldberg is a staff member of Fordham International Law Journal Volume XLVIII.

[1] See Mary-Jane Sule, Cybersecurity through the lens of Digital Identity and Data Protection: Issues and Trends, ScienceDirect (Nov. 2021), https://www.sciencedirect.com/science/article/abs/pii/S0160791X21002098.

[2] See Symela Touchtidou, Artificial intelligence fueling global surge in cybercrime, Euronews (Aug. 5, 2024), https://www.euronews.com/2024/05/08/cybercrime-on-the-rise-thanks-to-artificial-intelligence.

[3] See Mike McLean, Cyberattack Statistics 2024, Embroker (Oct. 10, 2024), https://www.embroker.com/blog/cyber-attack-statistics/.

[4] See Chris Wilson, Security in the New World: How Interconnectedness is Raising Security Concerns, Mead & Hunt (Jan. 18, 2024), https://meadhunt.com/new-world-security-concerns/#:~:text=Cybersecurity%20Risks%3A,security%20strategies%20towards%20cybersecurity%20measures.

[5] See Rayhan Ahmed, Blockchain-Based Identity Management System and Self-Sovereign Identity Ecosystem: A Comprehensive Survey, IEEE Xplore (Oct. 25, 2022), https://ieeexplore.ieee.org/abstract/document/9927415. Digital identity verification is the process of confirming that an individual in fact exists and authenticating that they are who they claim to be, while investigating their online presence to deter fraud, mitigate risks, and improve compliance efforts.

[6] See id.; see Guatami Tripathi et al., A comprehensive review of blockchain technology: Underlying principles and historical background with future challenges, ScienceDirect (Dec. 2023), https://www.sciencedirect.com/science/article/pii/S277266 (explaining that “[t]he immutable and decentralized nature of blockchain has redefined trust, ownership, identity, and financial systems by providing a secure, fast, transparent, and pseudo-anonymous solution.”).

[7] See id.

[8] See Ahmed, supra note 5.

[9] See id.

[10] Charlotte Bowyer, What is digital identity verification, Onfido (Mar. 22, 2022), https://onfido.com/blog/what-is-digital-identity-verification/.

[11] See id.

[12] See id.

[13] See generally Ben Wolford, What is GDPR, The EU’s new data protection law, GDPR EU, https://gdpr.eu/what-is-gdpr/.

[14] See id.

[15] See Ahmed, supra note 5.

[16] See id.

[17] See id.

[18] See Dr. Michèle Finck, Blockchain and the General Data Protection Regulation, European Parliamentary Research Service, at 79 (July 2019), https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf. The “right to be forgotten” is a key aspect of the GDPR’s focus on data privacy in the European Union. It allows individuals to request the deletion of their personal data when certain conditions are met. Conditions that meet the standard for a data deletion request include that the data is no longer necessary or that the individual has withdrawn consent. This is not an absolute right. The main issue here relates to blockchain’s decentralized and distributed structure, which means that any attempt to delete data would require agreement and action from multiple nodes across the blockchain network, which is extremely difficult. This highlights a tension between GDPR requirements and blockchain’s governance, as well as the ongoing need for clearer guidance on how erasure should be interpreted in a blockchain context.

[19] See id.; see Wolford, supra note 13.

[20] See Ahmed, supra note 5.

[21] See Esther Saurí, Traditional vs. Decentralized Identity Management: The Ultimate Comparison Guide, Gataca (June 2, 2023), https://gataca.io/blog/comparison-traditional-decentralized-identity/ (providing a comprehensive overview of the benefits of using a decentralized blockchain-based identity management system when compared to the traditional centralized digital identity management systems).

[22] See generally Guneet Kaur, How governments use blockchain for public services, Cointelegraph (Oct. 31, 2024), https://cointelegraph.com/learn/how-governments-use-blockchain-for-public-services.

[23] See Estonia’s Blockchain-Based Digital Identity System: A model for the World, IDefy (Oct. 31, 2024), https://idefy.ai/estonias-blockchain-based-digital-identity-system-a-model-for-the-world/; see KSI Blockchain Timestamping, Guardtime, https://guardtime.com/timestamping.

[24] See generally Pritt Martinson, Estonia – the Digital Republic Secured by Blockchain, PWC, https://www.pwc.com/gx/en/services/legal/tech/assets/estonia-the-digital-republic-secured-by-blockchain.pdf (discussing Estonia’s KSI blockchain and its role in enhancing public services, resulting in significant efficiency gains, such as saving 1,400 years of public service labor and 2% of annual GDP, while significantly strengthening data privacy and storage security).

[25] See id.

[26] See id.

[27] See id.; see Ahmed, supra note 5.

[28] See id.

[29] See id.

[30] See generally What is Zero-Knowledge Proof?, Chainlink (July 29, 2023), https://chain.link/education/zero-knowledge-proof-zkp#:~:text=Zero%2Dknowledge%20proofs%20(ZKPs),without%20revealing%20the%20data%20itself.

This is a student blog post and in no way represents the views of the Fordham International Law Journal.