Are Blockchain and Cryptocurrency Services Compliant with GDPR?
The GDPR, or General Data Protection Regulation, is a piece of legislation approved by European authorities that came into force on May 25th, 2018.
Without a shadow of a doubt, it is the toughest piece of privacy regulation in history, and it will change the way businesses operate, since current processes may no longer be compliant.
Its purpose is to give consumers control of their personal data as it is collected by companies. It affects organizations located inside the EU, but also applies to companies outside the region if they offer services to, or collect data about, people in the EU.
Companies that are not in compliance will face large fines, up to $24 million (€20 million) or 4% of annual global turnover, whichever is higher. GDPR defines personal data as “anything that relates to an identifiable, living individual, whether it actually identifies them or makes them identifiable”. Its key provisions include:
- Clear notifications to individuals as to how data will be collected and used, and how and with whom it will be shared;
- Specific rights for individuals to access and correct personal data, and to request that processing of personal data cease;
- The so-called “right to be forgotten”, a right to request that data which is no longer being used be erased;
- The right to data portability, a right to require the export of data to alternative service providers in usable form; and
- Significant obligations to secure personal data and to notify regulators and individuals of certain types of personal data breaches.
Blockchain might be facing an architectural difficulty: its shared, distributed, and immutable record-keeping system might not be compliant.
Blockchain compliance issues could affect many companies, as thousands of apps are being built on the Ethereum blockchain.
A recent article from Bloomberg gives us an overview of the Blockchain and GDPR compliance issue:
“Under the European Union’s General Data Protection Regulation, companies will be required to completely erase the personal data of any citizen who requests that they do so. For businesses that use blockchain, specifically applications with publicly available data trails such as Bitcoin and Ethereum, truly purging that information could be impossible. “Some blockchains, as currently designed, are incompatible with the GDPR,” says Michèle Finck, a lecturer in EU law at the University of Oxford. EU regulators, she says, will need to decide whether the technology must be barred from the region or reconfigure the new rules to permit an uneasy coexistence.”
Blockchain, first conceptualized and implemented in 2009 as the core component of Bitcoin, is a transparent, public, append-only ledger used to record transactions across many computers so that the record cannot be altered retroactively. This allows participants to verify and audit transactions inexpensively.
On a public blockchain, it is possible to look at the complete history of all transactions. Each transaction is linked to a public key representing a user, and even though that key is encrypted, it is possible to trace all transactions in order to confirm which individual is associated with each transaction and so avoid ‘double spending’ of an asset.
Under the current understanding of personal data within the GDPR, it is possible that a public key associated with a person will qualify. In theory, the public key might expose information (perhaps an IP address or a connection with a website) that allows an individual to be identified via the blockchain. This will not happen in every case, but it remains a valid concern when weighing blockchain technology against the GDPR.
In summary, the two main features of the blockchain that could be causing compliance issues are:
- information cannot be removed from the blockchain
- information transiting through the blockchain is visible to every node
Jan Philipp Albrecht, the member of the European Parliament who guided the GDPR through the legislative process, said: “This is where blockchain applications will run into problems and will probably not be GDPR compliant.”
Can Blockchain technology comply with new EU data protection laws?
The interpretation and enforcement of GDPR compliance are still unclear, and we will not know until after the deadline whether audits will ultimately result in fines for blockchain and cryptocurrency services or only in guidance for remediation.
GDPR regulators will have to interpret the blockchain structure thoroughly over the next few years, and it can be argued that a legitimate business interest, such as preventing money laundering, would trump deleting a record.
However, other implementations of blockchain technology may not have the same defensible position, in which case the core precepts of blockchain definitely conflict with GDPR data subject access rights.
Corporate legal experts will be balancing compliance costs against company values and possible risks on a case-by-case basis, as they do with other regulatory issues.
One option is to store personal data off the blockchain itself: use the blockchain to record the transactions, but not all the details of the transactions.
A second option is to encrypt the data with a private key that can be revoked on request or after a set interval, since deleting a database record at some future date is not really an option with a blockchain.
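The two options above, as an added example in Python that is not from the article: `commit` anchors only a salted hash of an off-chain record, and `Shredder` encrypts each subject's data under its own key so that an erasure request is served by deleting that key (crypto-shredding) while the ledger stays untouched. The HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a stdlib-only stand-in for an AEAD such as AES-GCM, and the subject ids and records are constructed sample values.

```python
import hashlib
import hmac
import os


def commit(salt: bytes, record: bytes) -> str:
    """Off-chain option: only this salted SHA-256 goes on-chain; salt and record stay
    in a deletable store, so a low-entropy record (a name) cannot be brute-forced."""
    return hashlib.sha256(salt + record).hexdigest()


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the one per-subject key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(kenc: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for an AEAD such as AES-GCM.
    blocks = (hmac.new(kenc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


class Shredder:
    """Revocable-key option: one key per subject; erase() drops it, so the on-chain blob is unrecoverable."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def seal(self, subject: str, plaintext: bytes) -> bytes:
        kenc, kmac = _subkeys(self._keys.setdefault(subject, os.urandom(32)))
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(kenc, nonce, len(plaintext))))
        # Encrypt-then-MAC; binding the subject id stops a blob being replayed for another subject.
        tag = hmac.new(kmac, subject.encode() + nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def open(self, subject: str, blob: bytes) -> bytes:
        if subject not in self._keys:
            raise KeyError("key erased: data is unrecoverable")
        kenc, kmac = _subkeys(self._keys[subject])
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(kmac, subject.encode() + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(kenc, nonce, len(body))))

    def erase(self, subject: str) -> None:
        self._keys.pop(subject, None)
```

After `erase()`, the blob written to the chain is still there and still immutable, but no party holds anything that can turn it back into personal data.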
Best preparation for blockchain service providers
- Be fully aware of customers’ rights and the GDPR articles.
- Establish standard operating procedures (SOPs) with a standardized action plan for situations such as customer data requests or audit responses.
- Have an internal expert or data protection officer (DPO). Depending on the scale of data processing, some organizations may be required to appoint a DPO to oversee compliance efforts such as the processes above and to serve as the liaison to officials when necessary.
The Third Generation Blockchain — Decentralized AI Blockchain