Huobi Research

Celebrating the birth of GDPR at Madrid DES Exhibition

On May 24, 2018, Huobi Research completed a three-day trip to the DES exhibition in Madrid. DES is the largest exhibition in the field of information, communication and software in Western Europe, gathering more than 400 exhibitors including IBM, Accenture, KPMG, Deloitte, Cisco, SAP, Dell, Hewlett-Packard and others. This year the exhibition was themed “Digital Economy” and was divided into artificial intelligence, internet of things, Blockchain and many other related topics. As we anticipated, Blockchain was the most popular topic.

However, when we asked participants at the exhibition “What is your opinion of Blockchain?”, we got two kinds of answers: 1. “I have heard of the Blockchain, but I don’t want to buy Bitcoin.”; 2. “Oh, Blockchain, I know. It’s KYC.”

The logic behind the first answer is “Blockchain = Bitcoin”, a manifestation of the conservative investment style of the European public, who need time to accept revolutionary innovations. From the second answer, we infer that enterprise-level authentication may be the first application of Blockchain in Europe, and that such applications have the chance to become more advanced than in the rest of the world. This goes back to Europe’s long-standing pursuit of data privacy protection and to the EU GDPR, which is enforced from today (May 25, 2018).

What is this globally discussed, almost magical GDPR, the most frequently used term in presentations at the DES exhibition, and how does it relate to Blockchain?

What is GDPR?

In simple terms, GDPR stands for “General Data Protection Regulation”, also known as Regulation (EU) 2016/679. It was passed on April 27, 2016 and announced on May 24, 2016. It was given a two-year buffer period and is enforceable from May 25, 2018. It is the European Union’s core data protection law and is aimed at protecting the personal data of all individuals in the European Union. Its main goal is to give citizens and residents control of their personal data (self-sovereign identity), and to regulate the export of personal data out of the EU.

GDPR is the largest reform of EU privacy protection law since the 1995 Directive was established. It is also the first time in the big data era that the strictness of personal information protection has been raised to such an unprecedented degree. This reform may completely change the way organizations collect user registration information and the way they use the personal data they collect. Major internet technology companies are intimidated by GDPR. Its strictness is reflected in the following aspects:

1. Expanded boundaries of personal data

As early as 1995, the European Union passed the “Data Protection Directive”, which for the first time in history established clear legal standards for how EU member states protect personal data. In that standard, the concept of personal data included only relatively simple information such as the user name, home address, and postal code, and it only gave users the right to access their own information and correct erroneous information.

GDPR, on the other hand, defines the data boundaries entirely from the user’s perspective. The definition of personal data became extremely broad, covering most types of data that can directly or indirectly identify an individual, including basic information (such as ID numbers, social security accounts, etc.), network information (such as IP addresses, cookie data, etc.), biometric information (fingerprints, irises, etc.), and political and ethnic information.

2. The scope of application is defined by the users whose data is processed

The GDPR applies not only to companies in the European Union, but also to any processing that handles data of users in the European Union. GDPR is a binding regulation, not a guiding document, so it does not require separate enactment by member-state governments.

3. The severity of the penalties deters internet companies from taking risks

From May 25, 2018, any company that fails to meet GDPR requirements faces a fine of up to 4% of annual revenue or 20 million euros, whichever is higher. After a fine, any further data processing activities may be ordered to halt. On April 13, Tencent suddenly announced that it would stop all QQ services in Europe from May 20. We can reasonably guess that this move is related to the impending implementation of GDPR.

The relationship between GDPR and Blockchain

The GDPR framework puts forward several new prerequisites for the collection and use of personal data:

• Obtain the user’s consent before collecting personal data, and allow users to withdraw that consent at any time

• Allow individuals to modify or delete their personal data (right to be forgotten)

• Safeguard data, make it easier for organizations to access data users have shared, and maintain the ability to migrate data between service providers

• Ensure that data transmitted outside the EU strictly meets standards

On the surface, the GDPR-Blockchain pair seems paradoxical. The main controversy is that, while GDPR intends to give users the right to modify and erase their personal data, no one can really delete data written to a public blockchain. On another level, GDPR is also designed to allow international organizations to access the personal data of EU citizens. Since GDPR does not let personal data leave the EU, it would be a daunting task to ensure that all nodes outside the EU meet the GDPR standard.

Thus, many people believe that GDPR is going to hinder the development of blockchain in Europe. On the contrary, we think this will be a great opportunity for blockchain technology to develop, especially with the help of dApps (decentralized applications).

• GDPR makes the issue of dealing with personal data a “hot potato”

Because GDPR mandates specific and strict requirements for collecting, using, and storing personal data, organizations will be less likely to store personal data in their own centralized databases in the face of potentially hefty fines. Instead, organizations will be inclined to keep such data on a public blockchain and pay for whatever personal data they need to access, without the downside of being fined for accidental data misuse.

• Blockchain technology meets GDPR’s requirement on personal data protection by design and by default

With public-key cryptography on a blockchain, each individual, as data owner, retains control of every piece of their information and can ensure that their personal data is accessed only with their express consent and only when necessary for a specific purpose.

• Blockchain technology provides a foundation for transmitting personal data

Organizations will benefit from the use of attestations on blockchain platforms. For example, when someone tries to rent a car, he or she no longer needs to hand over various kinds of personal information (legal name, social security number, etc.). Instead, the car rental company only needs an attestation issued by another rental company that has already verified the person’s information, which is easy to accomplish with the help of smart contracts.

• Can’t erase data on blockchain? Try layered design with data off-chain

When personal data is stored off-chain (in a database under each person’s own control), organizations can use smart contracts to access specific parts of that personal information with the explicit consent of the person. In other words, users store and keep full control of their data off-chain, while a hash of the data and other metadata (such as a record of edits) is stored on the public blockchain for later use by organizations.
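The following is an added example, not code from Huobi Research or any of the projects named in this article, sketching the layered design just described in Python: the personal record and consent list live off-chain, only a hash goes to an append-only ledger, reads are gated on consent, and erasure removes the off-chain record so the immutable on-chain hash becomes an inert commitment. The subject and organization names are constructed, and the salt added to the hash is our own addition, so that an on-chain hash of a short name or date of birth cannot simply be guessed.

```python
import hashlib
import json
import secrets

class PublicLedger:
    """Append-only list standing in for a public chain: nothing here can ever be removed."""
    def __init__(self):
        self.entries = []
    def append(self, entry):
        self.entries.append(dict(entry))
        return len(self.entries) - 1  # index acts as a transaction reference

def commit(data, salt):
    """Salted SHA-256 over canonical JSON. The salt stays off-chain, so the public hash
    cannot be reversed by guessing low-entropy fields such as a name or date of birth."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()

class OffChainVault:
    """Personal data held under the data subject's control; only commitments go on-chain."""
    def __init__(self, ledger):
        self.ledger = ledger
        self.records = {}  # subject -> {"data", "salt", "consents"}
    def store(self, subject, data):
        salt = secrets.token_bytes(16)
        self.records[subject] = {"data": data, "salt": salt, "consents": set()}
        return self.ledger.append({"subject": subject, "op": "store", "hash": commit(data, salt)})
    def grant(self, subject, org):
        self.records[subject]["consents"].add(org)
    def revoke(self, subject, org):  # consent can be withdrawn at any time
        self.records[subject]["consents"].discard(org)
    def read(self, subject, org, fields):
        rec = self.records.get(subject)
        if rec is None:
            raise LookupError("subject has exercised the right to be forgotten")
        if org not in rec["consents"]:
            raise PermissionError("no consent from data subject for " + org)
        return {f: rec["data"][f] for f in fields}  # only the fields the purpose needs
    def erase(self, subject):
        del self.records[subject]  # data and salt are gone; the on-chain hash is now inert
        self.ledger.append({"subject": subject, "op": "erase"})
    def verify(self, subject, index):
        # True only while the off-chain record still matches its on-chain commitment
        rec = self.records.get(subject)
        return rec is not None and commit(rec["data"], rec["salt"]) == self.ledger.entries[index]["hash"]
```

Note that the ledger still holds the salted hash after erasure; the design satisfies the right to be forgotten only because the hash alone reveals nothing and the off-chain data and salt are gone.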

The EU’s development of blockchain-based KYC utilities

During the two-year transition period, many European companies have already stepped up development of blockchain-based KYC utilities. Development in this area has received the most support from traditional service companies and data-collecting organizations. Financial institutions are also eager to see what blockchain technology can offer to resolve their current problem of meeting data protection requirements while accessing personal data (most of these blockchain-based KYC utilities are developed on consortium blockchain platforms).

Last year, Spain’s Cecabank teamed up with the accounting and consulting firm Grant Thornton to create Spain’s first blockchain banking consortium, “Red Lyra” (renamed Alastria). The consortium will take advantage of the Ethereum and Hyperledger platforms to develop legal identification services and supporting smart contracts. It is important to note that BBVA and Santander, Spain’s two largest banks, are also involved in this effort.

In 2016, the R3 blockchain consortium and ten of its member banks, including ING, developed a shared KYC registry service to help banks fulfill basic KYC requirements for new customers while providing increased transparency, security and cost-efficiency.

In 2017, Luxembourg’s LuxTrust and Cambridge Blockchain announced a privacy-protecting identity platform to help Luxembourg’s financial service providers be in full compliance with GDPR.

It is thus not hard to imagine that blockchain-based KYC services will boom in Europe with the full implementation of GDPR, starting from large banks and financial service providers. However, we still have a long way to go before realizing this goal, as it remains uncertain how public-blockchain developments will interact with GDPR’s strict mandate on data protection.

Blockchain industry top think tank, affiliated to Huobi Group.