You might think that, yes, the new advancements in blockchain technology are in fact going down for real or, as the cool kids say, “GDFR”. While this is definitely the case, we were actually referring to a slightly different acronym: the GDPR. Although they differ by only one letter, these terms are very different in meaning (and implication).
GDPR stands for General Data Protection Regulation. This is a policy that considers how our personal data remains protected. For businesses and consumers, this has very interesting applications for consumer safety. Sound familiar? There are actually several overlapping features between this protocol and blockchain technology.
What is the GDPR?
Okay, let’s break it down a little bit further. The GDPR is a legal framework put in place to protect members of the European Union (EU). This framework applies to all companies that deal with personal data and information about citizens in the EU. The framework itself is actually composed of 99 articles and sets out the regulations that businesses are to follow. This includes the regulation of cryptocurrencies.
Companies like banks, financial companies, and crypto headquarters all require data (at least to some extent). This means ensuring data remains private is a must and understanding blockchain law is important, especially since acting opposite to authority may result in a hefty fine. But we’ll get to that a little later.
Who is Affected?
For blockchain companies, this is interesting to note: as far as data involving any European citizen is concerned, the GDPR will still apply even if the company operates in a different country. Since we are talking about a blockchain that spans the globe, it is not unreasonable to expect that some of its users will be within EU borders. Since there is anonymity within the blockchain, especially on public networks such as a popular cryptocurrency like Ethereum, you may not necessarily know every person in the network. Therefore, it is hard to determine which users the GDPR applies to.
This means if the creators of a specific blockchain network have an open platform that is available to those in the EU, this still constitutes a service to the Union. Okay, we get that. But did you know that if someone outside the EU is monitoring the data or behavior of EU citizens, this regulation would also apply?
Defining Personal Data
Now that we know who we are considering in these regulations, let’s consider what exactly we are dealing with: personal data. We can define personal data from Article 4(1) of the GDPR, which states:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors.
That was a bit of a mouthful. What we want you to note is that identifying a person doesn’t mean identification by name. As you might know from all your previous knowledge about the blockchain world, the technology itself assigns each individual a series of numbers that act as their identifier. This is great because there is still transparency, in that you know who you are dealing with, but there is also some anonymity. Some have argued that in the blockchain world a unique identifier is sufficient to classify this data as personal.
This also means that any encrypted data that is posted online is also personal data. We know this comes in abundance on a secure blockchain platform. With this classification of encryption, you will need to make some additional considerations.
What if the company fails to abide by these carefully laid out regulations? Here is the tricky part. The GDPR is based on an assumption that the personal data that someone uses is controlled by someone. Hopefully, someone who knows the GDPR regulations. For these purposes, we can refer to them as data controllers (get it, since they control your personal data?). This also happens to be where we run into some confusion.
Remember what we said earlier. There is no single controller. So where do we place blame when data usage ignores GDPR regulations? Would we blame the person who started this platform? Or would we blame all the users who are all seen as “controllers”? Since the blockchain is decentralized, there is no way for there to be a centralized data controller.
Technically this also means that if a blockchain uses fully anonymous data the GDPR would not apply. That said, we might agree that there is no fully anonymous service just yet.
The Right to Delete
One thing we like about blockchain is its ability to hold data that cannot be deleted or modified at a later date. This ensures the ultimate security, or so we think. It also makes it very difficult to abide by GDPR regulations, which allow personal data to be erased or updated in the event that it is incorrect. While some have argued this is an issue, consider the fact that you don’t necessarily need to store anything personal on the blockchain. So no harm no foul?
Not quite. Beyond the question of whether or not certain data can be adjusted, actually adjusting the data is another story. Remember that in the case that a user’s data needs to be corrected, every other user would need to agree to remove the data. This goes back to the fact that there is no single controller, but rather each individual is a controller. If you get each of the other users to comply with the removal request, the data could logically be removed.
However, in blockchain technology, removing data changes the output of the hash function that converts a block’s information into a fixed digest. This, in turn, would affect the links that chain the various blocks together. In short, abiding by the GDPR regulation to remove inaccurate data might pose a slight problem from a logistics perspective.
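The link breakage described above, as an added example that is not part of the original article: a minimal SHA-256 hash chain, which simplifies how real blockchains link blocks. The block layout, function names and sample payloads are constructed for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

def block_hash(block):
    """SHA-256 over the block's index, payload and predecessor hash."""
    body = {k: block[k] for k in ("index", "data", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(payloads):
        block = {"index": i, "data": data, "prev_hash": prev}
        block["hash"] = prev = block_hash(block)
        chain.append(block)
    return chain

def first_broken_block(chain):
    """Index of the first block that fails validation, or None if intact."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev_hash"] != prev or block_hash(block) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def erase(chain, index, reseal=False):
    """Blank one payload in a copy; optionally recompute that block's hash."""
    edited = copy.deepcopy(chain)
    edited[index]["data"] = "[erased]"
    if reseal:
        edited[index]["hash"] = block_hash(edited[index])
    return edited

def erase_and_rewrite(chain, index):
    """Erase a payload, then re-link every later block so the chain validates."""
    edited = erase(chain, index, reseal=True)
    for block in edited[index + 1:]:
        block["prev_hash"] = edited[block["index"] - 1]["hash"]
        block["hash"] = block_hash(block)
    return edited, len(edited) - index  # number of blocks rewritten

# Constructed sample ledger; the second entry stands in for personal data.
CHAIN = build_chain(["genesis", "alice@example.org paid 5", "tx C", "tx D"])

if __name__ == "__main__":
    print("erase only:", first_broken_block(erase(CHAIN, 1)))
    print("erase + reseal:", first_broken_block(erase(CHAIN, 1, reseal=True)))
    print("blocks rewritten:", erase_and_rewrite(CHAIN, 1)[1])
```

Erasing one payload is detected at that block; fixing that block's own hash only moves the failure to its successor, so every later block must be rewritten and the tip hash that other nodes hold no longer matches.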
The Right to Change
The GDPR has a second very important feature, which is allowing users the ability to change untrue personal data. This presents a very different and unique challenge in the event that data can be changed rather than just removed. Remember, blockchains are supposed to be more secure since the information that is posted is permanent. If we start allowing blockchain to be editable, we would actually be defeating the premise of this technology altogether.
It should also be noted that, given the interactions between blockchain and GDPR, newer policies and regulations are likely to arise. With changing legalities on the rise, existing blockchains might have difficulty adjusting. That said, there has been talk about chameleon algorithms that allow for adjustments to meet any new requirements such as those outlined by the GDPR.
When in France
Although GDPR spans the EU, there are also some unique exceptions especially pertaining to French data. This is because within the GDPR there are provisions in place that allow member countries within the EU to enact their own legislation that limits or expands on these regulations. In the example of France, French protection laws are in place regarding the use of French data and personal data processing that may affect companies operating within this region.
In the French system, we attribute governance to the data controllers. This brings into question our previous discussion regarding whether this applies to the ruling of blockchains having a controller. French rules define a data controller a little bit differently. There has also been some direction from the French Data Protection Authority which states that when a person decides to add personal data to a blockchain (if it is not related to professional activity), these individuals each should be considered a data controller. This means the purchase or sale of a cryptocurrency would fall under the household exemption.
Since each individual is now viewed as a sole data controller, they must each understand and apply appropriate measures to ensure they are acting within the French law. This also means individuals will need to keep up-to-date and accurate records of their activities and ensure they are complying from the start of their activities on the blockchain.
With these regulations in place, many blockchain activists have continued to make the argument that having this many rules in place actually hinders the development of new and innovative technologies. This then goes hand in hand with concerns that EU member countries are having difficulty keeping up with new data-driven technology. Some have then begun to argue that perhaps the blockchain should be exempt from the GDPR altogether, at least until it has exited its growth stages. By doing this, EU members will still have the drive to innovate and work within the blockchain industry. Although the exemption might be a stretch, some also argue that amendments may be in order.
Regardless of what is decided, those who are less familiar with these rulings and their link to blockchain fear that if blockchain is not abiding by these data protection laws it is not an attractive innovation. This also makes it hard for the masses to widely accept it. This suggests that there is still a need for GDPR in the blockchain world but the matter of which policies will apply is still up for debate.
The Need for GDPR
We have talked a lot about the GDPR and the areas in which it relates closely to the blockchain. But is there really a need for this regulation to govern this technology? The GDPR has actually been trying to bridge the gap that has existed between old data governance policies and the changing technology landscape.
For new innovations to gain traction with the masses, consumers must feel as though their safety is carefully regulated. This is especially true when big companies like Facebook are charged for releasing confidential data. Consumer trust is an asset that takes a lifetime to build and a moment to take away. Therefore, we should continue to remember that these policies are necessary to some extent for consumers to be comfortable with new technology and to ensure best practices are being executed and developed from the get-go.
The Future of Blockchain
We know very exciting things are on the horizon for blockchain technology. That is no secret. While we mostly know blockchain for its role in crypto (I mean, let’s face it, that is our bread and butter), there are some interesting applications for smart contracts and other binding contracts.
Even better than the ability to keep data secure is the potential for blockchain technologies to help GDPR achieve its objectives. Consider this: blockchain technologies are a data governance tool and can, therefore, help support data management and distribution. This is exactly what the GDPR is in place to regulate. By managing data, there may even be an incentive for companies across various industries to work together. This, in turn, would further the development of such things as AI and other technology. There also might be a push for a universal blockchain law.
So what’s next to align the worlds of GDPR and blockchain? Two words. More research. It’s true we can keep investing in the improvement of regulations. But studies have suggested this is not enough. More research is still necessary to address some of the technical and governance limitations that currently exist.
This research would help to address the distinct areas in which the GDPR can enhance blockchain. In turn, blockchain can help improve the data regulation listed in the GDPR. Blockchain technology promotes such ideals as everyone having their own share in protecting their personal data, with a decentralized network.
This aligns closely to the GDPR, which states that,
“natural persons should have control of their own personal data.”
For members, this suggests that individuals have access to and are the sole controller of their own personal data, and also decide who else is allowed to view their data. Other countries, including Canada, have made strides in regulations. This can also provide a basis for improvements.
Failure to Comply
We are not suggesting that you should abide by GDPR to avoid punishment. But it is good to know what you are up against. For those curious, failing to adhere to the GDPR has hefty penalties that can cost your company up to 20 million euros or 4% of global annual turnover. This seems steep, but data privacy is no light topic.
Even with all of these regulations and penalties in place, many companies still fail to abide by these policies. Consider the recent billion-dollar fines that Facebook had to pay out for acting opposite to authority.
A Final Word
We would love to give you a straight answer as to whether blockchain can or cannot abide by the GDPR. Unfortunately, this is impossible. Remember, blockchains are a class of technology, and this means that there are several versions of it, each operating a little differently.
Since each case is slightly different, we need to interpret and assess the GDPR from a different lens in each case. Therefore, many in the community agree that while companies must continue to understand the GDPR and its regulations, there is no one method that fits all when it comes to European law.