Blockchain and GDPR: Can they coexist?

Ceren Kahveci
Published in KCL Blockchain
Feb 16, 2019

“When you browse on this site, cookies and other technologies collect data to enhance your experience and personalize the content and advertising you see.”

With the enactment of the General Data Protection Regulation (GDPR), websites that collect and own the personal data of their visitors have been required to notify their users of their activities, as the regulation calls for transparency in the collection and use of personal data.

Though such legislation is much needed in the age of ever-growing and invasive technology, the GDPR has clashed with, and practically blocked the use of, another important innovation of the century: blockchain. While it is impossible to browse the internet without the term coming up, its promising future is not so stable, as it faces challenges to the core of its system, especially from its legal aspects.

What is GDPR?

Since May 2018, GDPR has been in full effect, and the UK has decided to adopt the regulation regardless of its plans to leave the EU. What GDPR aims to achieve is to put people in charge of their personal data online and to strengthen privacy. It enforces transparency between firms and individuals, as it now requires these companies to be honest about how the data is used and stored.

But what exactly constitutes ‘personal data’?

A white paper by Hogan Lovells writes that “‘Personal data’ is any information relating directly or indirectly to a ‘living natural person’, whether it actually identifies them or makes them identifiable.” The final judgment of the Court of Justice of the European Union (CJEU) in Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland set the bar for what constitutes personal data.

“The right to be forgotten” vs “Immutability”

The answer to how this all clashes with blockchain and its decentralised nature lies in the most significant provision of the GDPR, the right to erasure. Also called the “right to be forgotten”, this clause gives individuals the right to request that their personal data be removed from a record.

This right applies when the data is no longer necessary to fulfill the function for which it was collected in the first place, where it was processed illegally, where the individual does not consent to having it online anymore, or where the data has to be erased in order to comply with a legal obligation.

“The GDPR offers the power back to the individual to edit and delete data which falls into the hands of centralized authorities, but when there is no centralized authority, there is no need for data to be moved around,” describes Darryn Pollock of Forbes.

While GDPR is legislation that gives individuals the right to control their personal data on the internet, blockchain secures the data on a distributed ledger, which, as Pollock mentions, has no centralized authority, making it impossible for data to be altered or deleted. This is called “immutability” and causes GDPR and blockchain to be fundamentally incompatible.

Carlo de Meijer puts ‘immutability’ like this: “There is no authority to amend or correct a block once it is incorporated into the chain. Once their data goes through the application and onto the chain, the blockchain company that enabled you to put that data onto the chain, is no longer in control of that data since it is decentralised.” Data stored in a blockchain cannot be erased and hence conflicts with “the right to erasure” of GDPR. This creates a problem because if a blockchain contains personal data, it must be assumed that GDPR is engaged.

This is not just an issue in the European Union, however. Although GDPR is an EU regulation and applies to the European territory, blockchain’s transnational nature means that a blockchain can include users from many different locations. If one of those locations is in Europe, this jeopardizes the whole blockchain: because that user is bound by the regulation, it must be applied to the whole chain.

Hence, if GDPR and blockchain are to coexist, public blockchains might be no more. “Public, permissionless blockchains represent the greatest challenges in terms of GDPR compliance, because of their extremely distributed nature,” reads a report by The EU Blockchain Observatory and Forum.

A common intention

Although their very natures conflict and make coexistence hard, GDPR and blockchain were created for very similar reasons. The idea of creating new legislation for data protection in the EU came after people started to lose their trust in big corporations’ protection and storage of their personal data.

With the Cambridge Analytica scandal and many others like it, the past year was devastating for the protection of personal data online. While GDPR aims to protect data by giving individuals more control over it and restricting the control that big corporations have, blockchain does the same through its safe storage of data in the chain.

These two new ideas, both created with the intention of becoming a saviour of personal data in the modern world, are unfortunately blocking each other from existing due to their very nature. The biggest question now is how lawmakers and tech people can work to find a way for the two to coexist.


Born and raised in Istanbul, Turkey, Ceren is a law student currently enrolled in King’s College London. Her interest mainly lies in technology and law.