GDPR: Going to Disrupt Payment Regimes?


By Edward W. Mandel

I went to a pub last night where I was surprised, but hardly shocked, to find a sign behind the bar advising customers that they would get a 4% discount if they paid in cash. Eighteen hours later, I went to pick up lunch at my favorite Chinese takeout joint, where I saw the same sign today.

The signs might just as well have read, “The beginning of the end of paying with plastic”. The truth is, credit card companies — as well as their sponsoring banks and gateway services and other middlemen — are pricing themselves out of the market. And the online-native portals which aim to replace them aren’t proving to be any less expensive despite being slightly more efficient and marginally easier to use.

The credit card companies and the portals already know this. That’s why a consortium of banks backs Zelle and PayPal owns Venmo, two mobile apps that allow essentially free person-to-person fund transfers. The credit intermediaries know they’re not adding value to transactions — certainly not 4%! — and all they’re really doing is what economists call “rent seeking” and the rest of us call “milking the cash cow”. That’s why these free transfers are walled off from business accounts. If you want to send your niece $50 on her birthday or pay your work colleague $27.35 for your half of dinner last night, that’s free. But if you want to buy her a $50 video game or pick up the check yourself, you have to feed that cash cow.

Eventually, consumers will figure this out and engineer workarounds that would lead to the disruption of Visa, MasterCard, American Express and the rest of the credit cartel. And yet, the peasants might not need to pick up their pitchforks because an unexpected white knight appears to be riding to the rescue, broadsword in hand to slay the beast with one chop.

I say “unexpected” because libertarian-leaning entrepreneurs — like those of us on the IOU.io team — rarely feel the need to be rescued by regulators. Usually, we want to be rescued from them. But the European Data Protection Board — the authority established by the European Union’s new data protection regulation — might just be the hero of this story.

Figure 1: European Data Protection Board group photo. Credit: ThePrimeCronus

The Holy Grail

You’ve heard of that statute by now: The General Data Protection Regulation. It’s called GDPR for short and “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)” for long.

This new privacy regulation is best known for its headline purpose: reining in how the Googles and Facebooks of the world collect and use our personal data.

I live in the United States, but GDPR is as much a part of my life as it is part of the life of any of my friends and colleagues who live beneath the EU banner. And it’s not just because I have business interests in Malta and throughout the continent. This goes for everyone in America and pretty much everywhere else in the world, and not only as a matter of convenience: Article 3 of the regulation applies it to any business, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. Just as a car sold anywhere in the US has to pass California’s draconian emissions standards and a history textbook sold anywhere in the US has to pass Texas’s rather skewed version of events, GDPR’s reach extends far beyond Europe. It just doesn’t make business sense to subscribe to GDPR where it holds legal sway and to a lesser standard elsewhere. It is so much easier to have one standard that’s acceptable around the world, so every online business of any size is going to have to be GDPR-compliant. (Bear in mind that GDPR’s enforcement mechanisms and penalties are truly substantial: fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher.)

The basic tenets of GDPR are fairly straightforward: it protects the personal data and privacy of everyone in the European Union and the wider European Economic Area, and it covers data exported from the region as well as data moving inside it. What triggers it is not where the bytes happen to land but who is processing them and about whom: a controller or processor established in the EU, or one outside it that targets people there. Still, in this information age — even without the decentralizing effect of blockchain technology — data bounces from node to node, so odds are that anything you key into your browser touches a disk somewhere in Europe. And with so many people and institutions behind VPNs, you cannot reliably tell from an IP address which of your users GDPR covers, so the safe assumption is that it covers them.

The law gives individuals control over their data, making what they share a matter of decision rather than default. You’ve seen those annoying — but well warranted — popups anytime you visit a new site requesting your permission to use cookies to track your behavior. (Maybe I’m a little cynical, but I haven’t noticed much of a difference in user experience either way. Have you?)

A year or two back you also saw a flurry of equally annoying but equally warranted popups alerting you to new privacy policies designed to comply with GDPR. Behind them sits the regulation’s requirement that controllers implement “appropriate technical and organisational measures” to protect individuals’ data (Articles 25 and 32), and its transparency rules: all data collection must be clearly disclosed, along with the lawful basis and purpose for which it will be used and a firm statement of how long the data will be retained. The individual then has the right to obtain a copy of the data held about them (and, for data they supplied, to take it elsewhere in a machine-readable format), to have the data erased and to withdraw consent at any time.

This is all in the service of “the principles of data protection by design and data protection by default.”

Some days you slay the dragon …

But “appropriate technical and organisational measures” is a pretty broad statement and nobody is yet certain exactly what it means. What is known is that it refers to processes for safeguarding data, and that the regulation names pseudonymization as one such measure, defined in Article 4(5) as processing the data so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected. Full anonymization goes further: data that can no longer be tied to a person at all falls outside GDPR entirely (Recital 26), whereas pseudonymized data is still personal data and still regulated.

You know. Blockchain.

“The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned,” according to Recital 28 of the English-language text of the law, which quickly adds, “The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.”

Message received. Nowhere in GDPR does it say you as a data processor have to pseudonymi[z]e personal information, but the terms “such as” and “including” appear several times immediately before the ps-word throughout the document.

… Some days the dragon slays you

It should be said that there are more ways to achieve pseudonymization and anonymization (European readers, please pardon my Americanized “z”) than via blockchain, and that these two spelling-bee words are examples rather than prescriptions under GDPR.

“Given the well-publicized limitations of current techniques for de-identification,” Matt Wes writes for the International Association of Privacy Professionals, “data controllers that choose to use pseudonymization and anonymization may run the risk of being the subject of a future enforcement action.”

The risk, experts say, is re-identification: no matter what you do to mask the individual’s identity, an attacker who can link the masked records to some other data set — a leaked mailing list, public records, the transaction graph itself — may piece it back together. If that happened to a small ecommerce company, the penalties could be devastating from a compliance perspective and the hit to reputation would be incalculable.

That said, Wes’s article was written before GDPR even went into effect, and the Princeton paper he cites with that link goes back to 2014. You might forgive both the article writer and the academics for not even including the word “blockchain” in their respective works.

As we know from the Silk Road debacle, the owner of a specific bitcoin can indeed be traced: addresses are pseudonyms, but every transaction between them is public and permanent, so anyone with a single off-chain link — an exchange’s identity records, a seized server — can follow the trail through the ledger. Coins with that kind of history are not 100% fungible in the way that a roll of quarters is. (Even dollar bills have serial numbers.)

But an on-chain currency for a specific vendor’s platform could be something to consider. And maybe it’s the IOUX that could do the trick.
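The re-identification risk discussed above is easiest to see in code. The following is an added example, not code from the original post or from IOU.io: the same constructed customer e-mails are masked two ways, with an unkeyed SHA-256 and with an HMAC under a key held outside the data set (the “additional information kept separately” of Article 4(5)), and an attacker holding a list of candidate addresses tries to re-identify them. The addresses, the shop’s key and the attacker’s candidate list are all assumptions made up for the demo.

```python
"""
Added example (not from the original post): why GDPR's line between
pseudonymised and anonymised data matters in practice. The same customer
e-mails are masked two ways, then an attacker with a list of candidate
addresses tries to re-identify them. All addresses are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample: the customers a small shop might hold.
CUSTOMERS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Looks opaque, but anyone can recompute it."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a key kept outside the data set: this key is the
    'additional information kept separately' that Article 4(5) describes."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(tokens, candidates, pseudonymiser) -> dict:
    """Linkage attack: recompute tokens for every plausible identity the
    attacker already has (a leaked mailing list, a scraped directory) and
    match them against the masked data set. Returns {token: email}."""
    lookup = {pseudonymiser(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def run_attack() -> tuple:
    """Returns (customers re-identified from unkeyed tokens,
                customers re-identified from keyed tokens)."""
    # The attacker's list overlaps ours, as it would in real life.
    candidates = CUSTOMERS + ["dave@example.com", "erin@example.com"]

    unkeyed_tokens = [naive_pseudonym(c) for c in CUSTOMERS]
    unkeyed_hits = reidentify(unkeyed_tokens, candidates, naive_pseudonym)

    shop_key = secrets.token_bytes(32)       # held in a separate key store
    keyed_tokens = [keyed_pseudonym(c, shop_key) for c in CUSTOMERS]
    attacker_key = secrets.token_bytes(32)   # the attacker can only guess
    keyed_hits = reidentify(keyed_tokens, candidates,
                            lambda e: keyed_pseudonym(e, attacker_key))
    return len(unkeyed_hits), len(keyed_hits)


def key_leak_reidentifies(key: bytes) -> int:
    """If the key is stored beside the tokens and leaks with them, the
    'separate place' requirement is void and the linkage attack works again."""
    tokens = [keyed_pseudonym(c, key) for c in CUSTOMERS]
    return len(reidentify(tokens, CUSTOMERS, lambda e: keyed_pseudonym(e, key)))


if __name__ == "__main__":
    unkeyed, keyed = run_attack()
    print(f"unkeyed SHA-256: {unkeyed}/{len(CUSTOMERS)} customers re-identified")
    print(f"keyed HMAC:      {keyed}/{len(CUSTOMERS)} customers re-identified")
    print(f"keyed HMAC, key leaked too: {key_leak_reidentifies(b'k' * 32)}/{len(CUSTOMERS)}")
```

The unkeyed tokens fall to a plain dictionary attack, which is exactly the “well-publicized limitation” Wes warns about; the keyed tokens resist it only as long as the key really does live somewhere else. Note what the keyed version does not do: it is still pseudonymization, not anonymization, so the records remain personal data under GDPR.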

And yet, pseudonymization and anonymization aren’t the only issues at the intersection of blockchain and GDPR.

“When looked at through the lens of compliance, blockchain technology could … best be described as a ‘moving target’,” according to a Blockchain Association of Ireland report. “[T]here exist fundamental difficulties with the compliance of blockchain technology in the framework of the GDPR when considering that its essential features, such as its immutability and incorruptibility, are also some of its greatest stumbling blocks in terms of vindicating the data subject’s rights.”

Authors Tanya Moeller and Simon Schwerin raise some good questions. Here are a few that focus more on ecommerce than on crypto trading:

· How can the right to be forgotten be enforced if blockchains are immutable?

· What’s the status of miners, who are relied upon for verifying transactions? (IOU is built on the Ethereum chain which, as of this writing, still depends on proof-of-work hashing.)

· If you build a blockchain-native site, or if you build a dApp or if you craft a smart contract, what is your legal exposure to the public blockchain you created it on?

All good questions. I won’t pretend to have the answer to any of them. I just hope I’m not the first one to find out.
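The first of those questions, erasure versus immutability, does have a well-known engineering answer, even if its legal status is not settled. What follows is an added example, not code from the original post or from IOU.io, of the pattern usually called crypto-shredding: personal data never reaches the ledger, only a keyed pseudonym and a hash commitment to an off-chain ciphertext do, and a deletion request is honoured by destroying the customer’s key. The customer names, orders and the toy SHA-256 counter-mode cipher (a stand-in for AES-GCM so the demo needs only the standard library) are assumptions made for the demo.

```python
"""
Added example (not from the original post or from IOU.io): "crypto-shredding",
one way an append-only ledger can still honour an Article 17 erasure request.
Personal data never reaches the chain; only a keyed pseudonym and a hash
commitment to an off-chain ciphertext do. Erasure destroys the customer's key:
the chain is untouched and still verifies, but nothing on it can be linked to
or decrypted for that person. All names and records are constructed.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for AES-GCM so the
    demo needs only the standard library. Unauthenticated; not for production."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # pseudonyms and commitments only, never personal data

    def digest(self) -> str:
        body = json.dumps(self.__dict__, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

class Ledger:
    """Append-only hash chain; blocks are never edited or removed."""
    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, {"genesis": True})]

    def append(self, payload: dict) -> Block:
        self.blocks.append(Block(len(self.blocks), self.blocks[-1].digest(), payload))
        return self.blocks[-1]

    def verify(self) -> bool:
        return all(b.prev_hash == p.digest() for p, b in zip(self.blocks, self.blocks[1:]))

class CustomerStore:
    """Controller-side, off-chain: per-customer keys and encrypted records."""
    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.keys = {}         # customer_id -> key; deleting it is the erasure
        self.ciphertexts = {}  # customer_id -> latest encrypted record

    @staticmethod
    def _pseudonym(customer_id: str, key: bytes) -> str:
        return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()

    def record_order(self, customer_id: str, record: dict) -> Block:
        key = self.keys.setdefault(customer_id, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = nonce + _keystream_xor(key, nonce, json.dumps(record).encode())
        self.ciphertexts[customer_id] = ct
        return self.ledger.append({"customer": self._pseudonym(customer_id, key),
                                   "commitment": hashlib.sha256(ct).hexdigest()})

    def read_record(self, customer_id: str) -> Optional[dict]:
        key, ct = self.keys.get(customer_id), self.ciphertexts.get(customer_id)
        if key is None or ct is None:
            return None
        return json.loads(_keystream_xor(key, ct[:16], ct[16:]))

    def erase(self, customer_id: str) -> None:
        """Honour a deletion request without touching the ledger."""
        self.keys.pop(customer_id, None)
        self.ciphertexts.pop(customer_id, None)

    def is_linkable(self, customer_id: str) -> bool:
        """Can the controller still tie any on-chain entry to this customer?"""
        key = self.keys.get(customer_id)
        if key is None:
            return False
        pseudonym = self._pseudonym(customer_id, key)
        return any(b.payload.get("customer") == pseudonym for b in self.ledger.blocks)

def demo() -> dict:
    ledger = Ledger()
    store = CustomerStore(ledger)
    store.record_order("cust-001", {"email": "alice@example.com", "item": "video game", "eur": 50})
    store.record_order("cust-002", {"email": "bob@example.org", "item": "dinner", "eur": 27.35})
    before = {"alice_readable": store.read_record("cust-001") is not None,
              "alice_linkable": store.is_linkable("cust-001")}
    store.erase("cust-001")  # Alice exercises her right to erasure
    after = {"alice_readable": store.read_record("cust-001") is not None,
             "alice_linkable": store.is_linkable("cust-001"),
             "bob_linkable": store.is_linkable("cust-002"),
             "chain_intact": ledger.verify(),
             "chain_length": len(ledger.blocks)}
    return {"before": before, "after": after}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

After the erasure the chain still has three blocks and still verifies, Bob’s entry is still linkable, and Alice’s is neither linkable nor decryptable. Two caveats a practitioner would want: the pattern only works if nothing personal ever went on chain in the first place (a commitment to an e-mail address is still reversible by the dictionary attack shown earlier if the address itself is used as the pseudonym input without a key), and whether key destruction satisfies Article 17 has not been settled by regulators, so treat it as a mitigation alongside keeping the personal data itself off-chain, not as a closed question.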

Happily ever after?

When it comes to actually marketing and selling, an out-of-the-box solution is probably enough to get GDPR compliance in order. As so-called data controllers, ecommerce vendors are the ones who determine why and how personal data is processed, whether or not they do the processing themselves. You can go through a checklist such as this one and tick off the necessary boxes. Basically:

· List the types of personal information you hold, where it comes from, where it’s stored, how it flows and who gets to see it.

· Push out a privacy policy — you can find some boilerplate and determine if that’s good enough.

· Appoint a data protection officer where GDPR requires one (and name someone accountable for data protection even where it doesn’t), make it that person’s job to assure security and train staff on data protection, and be ready to report any serious breach to the supervisory authority within 72 hours of becoming aware of it.

· Manage contracts with any third party that serves as a data processor.

It’s that last point that needs the most attention. Data processors, in this sense, include whatever entities are doing your payment processing. In previous posts here, I’ve described how this cast of characters keeps changing over time as the gateways and the acquirers and all the other middlemen keep falling over each other trying to be the last company standing. I started this article with an anecdote about how they’re becoming too expensive to be sustainable.

But wait. It gets worse. There are so many permutations of payment processing channels out there that, according to EcommerceGuides.com, PayPal — which is bound to be one of yours if you sell anything online — has to track 600 of its own third-party providers to ensure GDPR compliance. John Di Giacamo, a Michigan-based attorney specializing in internet law, reminds us that you not only need to keep track of where your payment processors store their data, you also need to know where they keep their money.

“If you have revenue, or payment accounts, or other assets located within the European Union, a data-protection authority could seize your assets or levy against them,” Di Giacamo told Practical Ecommerce, whether or not you’re based anywhere near Europe. “PayPal and Amazon have presences in, for example, Luxembourg that store money on behalf of their users.”

Wouldn’t it be easier for all of us if we only had to keep track of our marketing and sales data? While there’s no guarantee that distributed ledger technology in and of itself will insulate our vendors from any current or future data protection regulation in Europe or anywhere, this certainly feels like a step in the right direction.

This much is sure: The same payment processing intermediaries that are overcharging for their services are also putting consumer data at risk by their mere existence. Personally, I’m glad that GDPR has become the law of the land in Europe and the data protection standard for the entire world. It’s just another nail in the coffin of the old way of completing transactions online. I do not mourn.

We at IOU.io are working to create a world where your promise to pay can be judged to be worthy with or without a bank account, a charge card or a credit history. We believe there are other ways to determine the extent to which you can be trusted, and we leave it to our vendors and whatever algorithms they rely on. It makes us proud that we’re not just disrupting central banking and fractional reserve banking and charge card usury and antiquated credit report rubrics and friction-for-friction’s-sake extortion from useless middlemen, but that we’re doing it to better serve the consumer.

If the consumer’s data privacy is improved as a result, well, we’d be happy to take a bow over that as well.

Edward W. Mandel is a strategic advisor for IOU.io. He is an Ernst and Young Entrepreneur of the Year finalist, blockchain enthusiast and the visionary behind many successful organizations. An avid entrepreneur, Edward has a knack for designing distinctive business models complemented with superior technology to deliver unparalleled service and profitability. Edward has also been advising and consulting for various successful blockchain technology and ICO projects and recently launched his own BQT.io P2P Hedge Exchange, helping traders connect with each other to leverage their crypto assets.

IOU is a blockchain-based peer-to-peer platform designed to unify ecommerce transaction and customer retention processes, incorporating trade-able IOUs. It is currently raising capital through ICO. The platform can be found online at IOU.io and its community on Telegram at https://t.me/IOUCommunity.
