New European data protection regulation is hardly compatible with Blockchain
In our Expert Takes, opinion leaders from inside and outside the crypto industry express their views, share their experience and give professional advice. Expert Takes cover everything from Blockchain technology and ICO funding to taxation, regulation, and cryptocurrency adoption by different sectors of the economy.
EU privacy laws are set to undergo their biggest overhaul since being created in 1995. The new framework, entitled the General Data Protection Regulation (GDPR), comes into effect on May 25, 2018 and will drastically change how organizations handle the personal data they collect and use. The GDPR aims to harmonize data privacy laws throughout the EU and give individuals better control over their personal data.
Under the GDPR, all organizations that store personal data of EU citizens or residents, including Blockchain projects, will be required to follow stringent data privacy rules. Failure to do so will result in fines based on the severity of the breach, the character of the infringement, and the organization’s compliance protocol. The most egregious offenders will face hefty fines of up to 20 million euro or four percent of their annual revenue, whichever is higher.
To avoid risking fines, all organizations handling the personal data of EU citizens or residents must take active steps to ensure compliance, not only those physically located in the EU. Because the GDPR applies to any online service that is accessed by EU citizens or residents, the regulations are likely to capture the vast majority of Blockchain projects regardless of where their operations are based.
Whether the EU can enforce these regulations on organizations located outside of the EU remains an open question. For example, how will the EU pursue a call center database in Bangladesh or a Blockchain project operating across thousands of nodes all over the world? Regardless, organizations with an EU presence should immediately begin implementing the GDPR framework, which means complying with dozens of new protocols, among them:
- clearly stating their data privacy policies
- obtaining express consent from individuals prior to collecting personal data
- allowing individuals to easily withdraw their consent at any time
- properly securing data
- ensuring that data transfers out of the EU meet strict standards
- allowing individuals to revise or delete their personal data
Can Blockchain function within the GDPR Framework?
Unfortunately, many of the assumptions underpinning the GDPR are in conflict with Blockchain’s core technology. A Blockchain is an immutable database that is stored, maintained and controlled by a decentralized network. This contrasts with traditional databases, which are controlled by a central party like Facebook, Google or Amazon Web Services. While the GDPR is intended to be technology agnostic, it was drafted with the assumption that personal data would be stored with traditional centralized parties who could easily manage the data in accordance with the GDPR framework. But when it comes to Blockchain, it is unclear how decentralized networks across the globe will be able to implement all of the GDPR standards.
For example, the GDPR and Blockchain are clearly not compatible with respect to the GDPR’s requirement that individuals be given the ability to revise or delete their personal data. Blockchains are immutable and generally cannot be changed once a block is created. How can data revision and immutability be reconciled? David Fragale, co-founder at Atonomi, highlights the contradiction:
“GDPR presents an opportunity for EU citizens to exercise control over their personal data. From a Blockchain perspective, this aligns well with the community’s ethos of moving away from central authorities. However, technologically, this conflicts with Blockchain’s immutable ledger and decentralized data storage architecture.”
Shane Brett, CEO of GECKO Governance, agrees that there is a conflict, but points out that there is some room for interpretation and for different national approaches within the EU:
“GDPR is intended to give the individual control over their personal data and how it is used by third parties, with one of the key components of the legislation being the right to be forgotten/data erasure. This, however, is somewhat in conflict with Blockchain technology, which is mooted as being an immutable ledger that cannot be deleted. In essence, you cannot delete data off a Blockchain once written, as this would break the chain.
It should be noted, however, that GDPR does not define exactly what erasure is intended to mean. As such, the interpretation of this will be left to the host of the data, or may be clarified further in legislation transposed in each EU Member State.”
One possibility being explored is the concept of off-chain storage for personal data. This split data architecture allows personal data to be referenced in a Blockchain but not seen or accessed without access to the off-chain database, explains Serafin Lion Engel of Datawallet, who is generally optimistic about the GDPR:
“An interesting solution to the problem is a dual data handling architecture, where contractual elements of a transaction happen on-chain via smart contracts and the actual data transfer happens off-chain. This also solves scalability issues we’re facing with Blockchain technology in its current state.
I think GDPR is a great step towards the future of a data-empowered user, specifically by requiring companies to allow users to download it and move it to other platforms, or even delete it entirely, and there are definitely companies, like Datawallet, looking to ensure this necessary regulation and exciting technology don’t need to be mutually exclusive.”
While this approach allows organizations to revise or delete personal data, and therefore comply with the GDPR framework, it raises a host of other concerns. Namely, how do individuals trust that the off-chain database is managed properly? How easily can personal data be accessed off-chain and still facilitate on-chain transactions? And of course, as we’ve learned with all centralized databases, how will they defend themselves from attack?
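The dual architecture Engel describes, as an added example that is not part of the original article and not Datawallet's code: the chain stores only a salted hash (a commitment) of each personal record, the record itself lives in an off-chain store that can be edited or erased, and erasing the off-chain copy leaves the chain intact and still verifiable. The names (Chain, register, resolve, erase) and the sample record are constructed for this illustration.

```python
import hashlib
import json
import os

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class Chain:
    """Minimal append-only hash chain (constructed example, not the article's or Datawallet's code); blocks carry commitments, never personal data."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "commitment": commitment}
        body["hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.blocks.append(body)
        return len(self.blocks) - 1

    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {"prev": b["prev"], "commitment": b["commitment"]}
            if b["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != b["hash"]:
                return False
            prev = b["hash"]
        return True

def commit(salt: bytes, data: dict) -> str:
    # The random salt lives only off-chain, so the on-chain hash cannot be
    # matched against a guessed value such as a known e-mail address.
    return sha256_hex(salt + json.dumps(data, sort_keys=True).encode())

def register(chain: Chain, store: dict, data: dict) -> str:
    """Keep the record off-chain (keyed by its commitment) and anchor only the commitment on-chain."""
    salt = os.urandom(16)
    c = commit(salt, data)
    store[c] = {"salt": salt, "data": data}
    chain.append(c)
    return c

def resolve(store: dict, commitment: str):
    """Follow an on-chain reference to the off-chain record; None once it has been erased."""
    rec = store.get(commitment)
    return rec["data"] if rec else None

def erase(chain: Chain, store: dict, commitment: str) -> bool:
    """Right to erasure: drop the record and its salt off-chain; the chain is untouched and still verifies."""
    store.pop(commitment, None)
    return chain.verify() and resolve(store, commitment) is None
```

After erasure the commitment itself remains on-chain and can no longer be resolved to anything, which is exactly the point where the article's open question about what "erasure" means comes into play.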
According to Rob Viglione, Co-Founder and team lead at ZenCash, compliance with GDPR is a major concern for identity management firms exploring Blockchain solutions:
“We are working with several companies that want to bring digital identity protocols to Blockchain but nobody has solved the GDPR compliance issue yet. The EU framework is hard to apply to Blockchain technology and is definitely causing these projects concern.”
Unfortunately, many of these concerns are further complicated by Blockchain’s node architecture. The GDPR is designed so that organizations will store the personal data of EU citizens and residents within the EU and not across thousands of decentralized nodes throughout the globe. Moreover, the GDPR assumes a world in which corporate leaders are responsible for implementing regulatory standards.
But Blockchain projects are often managed by a loose collaboration of developers and entrepreneurs located throughout the world. Some are even governed by decentralized autonomous organizations (DAOs). These novel governance systems don’t work in the way EU regulators contemplated. Who within a Blockchain project can ensure that each node complies with the GDPR standards for privacy? Who can the GDPR regulators approach to audit compliance? Who can they punish for noncompliance? These are all issues EU regulators and Blockchain projects need to grapple with over the coming months, and the task will be Herculean.
The views and interpretations in this article are those of the author and do not necessarily represent the views of Cointelegraph.
Dean Steinbeck is a US corporate lawyer with a focus on data privacy and technology. He is General Counsel for TigerConnect, a clinical communication platform serving over 4,000 US healthcare organizations.