GDPR: In conflict with blockchain?
Is the new General Data Protection Regulation (GDPR), newly effective in the European Union but with global ramifications, incompatible with blockchain? This is a timely question, as the law went into effect in the EU just last week. Here, we will consider two dimensions of the law: the platform of user rights it puts forward, and the technical side of trying to satisfy a law written mostly to regulate centralized agencies.
User rights are a good thing
This moment is a catalyst for the user privacy movement. Although (as we will discuss) some of the regulations will prove challenging for blockchain companies, this law builds awareness of the different layers of usage and storage of personal data, and goes further to ensure rights and consent for regular people. GDPR puts constraints on companies that get valuable user data in shady or coercive ways. LegalThings One does a good job of explaining the way GDPR shifts the power to the user, and the responsibility to the organization:
With a centralized system, personal data is uploaded to the system of an organization (the controller) for further processing. While this is possible under the rules of GDPR it’s putting a large burden on the organization to make sure the data is stored safely and isn’t being used in any other way than described by the data agreement.
As this makes clear, centralization is the real target of this law, and the power it gives back to users and the terminology it mainstreams are good for privacy advocates.
Implications for blockchain companies
All that said, GDPR is definitely a challenge for companies and systems built on blockchain, because the two take subtly different perspectives on privacy. Companies like BitClave who are in the blockchain space see its advantages — anonymity, an immutable mass of data — as protections for the individual. However, the GDPR’s assurance of erasure has a direct consequence: no identifying or sensitive personal data can be stored on a blockchain. During a conversation between Gordon Haff and Laurianne McLaughlin, Haff notes that the conflict between immutability and erasure should be our focus:
“Like many other things associated with GDPR, the immutability of blockchain may be a real issue. Or it may not be,” says Haff.
“One option is to store personally identifiable information off the blockchain itself — that is, use the blockchain to store the transaction, but not all the details of the transaction,” Haff says. “But that at least partially defeats the purpose of using an immutable blockchain in the first place. Alternatively, personal data on the blockchain could be encrypted with a private key that could be revoked on request or after some interval.
“What we can probably safely say is that immutability should be taken into account when deciding what data is to be stored,” Haff adds. “Simply deleting a database record at some future date isn’t really an option with blockchain.”
Creating compatible ecosystems will be an upcoming challenge, but they could look something like the workaround Andries Van Humbeeck devises here. In this instance, data is stored off the blockchain while requests and accesses to the data are verified by the blockchain. Of course, this approach is clunky and has greater potential for breaches because of its greater complexity.
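The off-chain pattern described above can be sketched as follows. This is an added example, not code from the original article, BitClave or Van Humbeeck; the class names, record ids and the in-memory hash chain standing in for a blockchain are all assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

GENESIS = "0" * 64

def block_hash(prev: str, payload: dict) -> str:
    return hashlib.sha256((prev + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (constructed)."""
    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable store holding the personal data and per-record keys."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}

    def put(self, record_id: str, data: str) -> None:
        key = secrets.token_bytes(32)  # random key, kept off-chain only
        tag = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
        self.records[record_id] = (key, data)
        self.ledger.append({"op": "store", "id": record_id, "commitment": tag})

    def read(self, record_id: str, requester: str):
        self.ledger.append({"op": "access", "id": record_id, "by": requester})
        if record_id not in self.records:
            return None  # erased or never stored
        key, data = self.records[record_id]
        tag = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
        onchain = next(b["payload"]["commitment"] for b in self.ledger.blocks
                       if b["payload"].get("op") == "store" and b["payload"]["id"] == record_id)
        if not hmac.compare_digest(tag, onchain):
            raise ValueError("off-chain record does not match on-chain commitment")
        return data

    def erase(self, record_id: str) -> bool:
        self.ledger.append({"op": "erase", "id": record_id})
        # Dropping data AND key leaves the on-chain tag uncheckable against any guess.
        return self.records.pop(record_id, None) is not None
```

The ledger only ever holds a random record id, a keyed commitment and the access log, so an erasure request is served by deleting the off-chain entry while the chain itself still verifies.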
It’s really early, in terms of both blockchain and GDPR
It’s important to remember that we are in the early, exciting moments of blockchain technology, and widespread understanding and adoption are only beginning. Likewise, it is only the first week of GDPR! As tech leaders become better acquainted with the new regulations, creative innovations will begin to meet the constraints of this new system. At BitClave, we are currently working with a legal team to be GDPR compliant throughout our entire ecosystem. Companies like Apple are already creating new systems to take them through this time while applications of the law are still being determined. It’s also of note that mechanisms to allow greater user control will be available more broadly than the European Union and will benefit users worldwide.
Meanwhile, lawsuits are already being brought against the greatest exploiters of user data. As these cases move through the legal system, other agencies will gain a greater understanding of the law and what regulators are prioritizing. Meanwhile, blockchain companies are incentivized to create efficient solutions that combine the security and anonymity of blockchain with the erasure mandated by GDPR.