On May 25 2018, the European Union enacted the General Data Protection Regulation (GDPR). GDPR primarily aims to give individuals control over their personal data and it was welcomed with fear and trepidation by marketers and tech giants alike.
However, GDPR also seems to clash with the fundamentals of blockchain technology because of the transparent and immutable nature of the ledger. Blockchains are shared ledgers that can be accessed by all, but not changed or exported, and this seems immediately at odds with the law.
Now, this law is no joke. It is based on an individual’s privacy, and businesses can face heavy penalties should they fail to adhere to it. This means that for many businesses, any designs to jump aboard the blockchain train in the EU have suddenly become a lot more complicated.
So, does this mean that blockchain will simply go dark in the EU and that this hub of global power will have to bypass the potential blockchain revolution that is building? Or is there a way for the fundamentals of blockchain to fit into this legislation?
The EU could take one of three roads with regards to blockchain technology. Will they stifle it to death with this legislation? Will blockchain remain on the margins and operate as a mere plaything of EU businesses without ever going into the mainstream? Or, indeed, is there space for both the technology and the legislation to co-exist?
Is GDPR Already Out of Date?
Ironically, the reasoning behind the creation of GDPR has a lot to do with innovative expansion in Europe, and globally, since 1995. GDPR was considered a bridging piece of legislation that would help with the expansion of technology from the 1990s to 2018 and keep it in check amid the changing landscape.
Data has obviously grown in importance, becoming a vital aspect of the internet age, and its value is quantifiable and ever-increasing. Thus, it became apparent that people’s data needed additional protection. Yet, despite entering an era of huge data importance, GDPR is arguably already being left behind by the growth of distributed ledger technology.
The intentions of the GDPR are correct and well-argued, and the protection is necessary. However, the legislation was built around a primarily centralised ecosystem. The reality of data as envisaged by the makers of the GDPR was that it was collected, stored and processed by major internet companies, such as Google and Facebook.
The introduction of decentralised data, in the form of blockchain, has now thrown a spanner in the works. The protection of data, and the ability to freely export one's data, makes sense when a centralised entity is in control. However, when the data is stored and available to all on a decentralised piece of technology, the legislation falls flat - it has been constructed in a manner which hinders blockchain technology.
Under GDPR, a user can ask for their data to be exported and removed from a company’s records. However, if the company is implementing blockchain technology, and the user requests their data, this is not possible. Herein lies the crux of the issue, especially seeing as a company can face fines of €20 million, or 4% of global revenues, for not adhering to GDPR.
“GDPR is agnostic about which specific technology is used for the processing, but it introduces a mandatory obligation for data controllers to apply the principle of ‘data protection by design’,” said Jan Philipp Albrecht, one member of the European Parliament who helped GDPR through the legislative process.
“This means, for example, that the data subject’s rights can be easily exercised, including the right to the deletion of data when it is no longer needed.”
What Can Blockchain Do?
It would seem that because of the fundamental nature of blockchain and the key aim of GDPR, we’re heading towards an impasse. Blockchain is immutable, but the GDPR says you must be able to alter and remove data. So, what can be done?
Blockchains come in a few different forms. Firstly, there are private or ‘permissioned’ blockchains that are under the control of a limited group. One example is Ripple, a cryptocurrency which many have labelled as not decentralised in the full sense of the word. Then we have public or ‘permissionless’ blockchains, such as Bitcoin and Ethereum.
Blockchains can be altered, and data removed, but only if most nodes on the network agree to create a new ‘fork’ (version) of the blockchain that includes the changes and to then continue using that version rather than the original.
On a private blockchain, this is pretty straightforward. On a public blockchain, though, it is near impossible to get right.
So, if blockchain technology cannot realistically bow to GDPR, is there any hope for blockchain in the EU? Well, legislation is fluid, and its interpretation can be bent in certain directions, which could offer some reprieve for blockchain and pave the way for a more permanent solution.
What Can be Done for Co-existence?
In many respects, both the legislation and the technology are actually after the same end. Privacy and data protection are two large pillars of blockchain technology, and with GDPR aiming to offer more in those areas, it would make sense that an agreement could be met.
But, it will take some understanding and interpretation from legislators involved in GDPR, as well as compliance, to an extent, from blockchain engineers. Thus, if there is closer collaboration between regulators and those building blockchains, the same goals can be met by these seemingly conflicting entities.
Legislators need to understand that the technology they are trying to police is moving far quicker than they can. GDPR is supposed to encompass technology from the 1990s up until today, but even that sounds almost impossible due to recent paradigm-shifting changes in tech, blockchain being just one example.
“From a blockchain point of view, the GDPR is already out of date,” John Matthews, the chief finance officer for Bitnation, says. “Regulation plays catch-up with technology. GDPR was written on the assumption that you have centralised services controlling access rights to the user’s data, which is the opposite of what a permissionless blockchain does.”
“From a practitioner’s perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works,” said Jutta Steiner, the founder of Parity.io.
“The way public decentralised network architecture works means there is no such thing as the deletion of personal data. The issue with information is that once it’s out, it’s out. Given the stage where the technology is at, I think, hopefully, there’s still time to adjust certain things in the GDPR.”
Not the Be All and End All
It would seem that there needs to be a lot of compromising, education and interpretation for the future of blockchain under GDPR. However, the manner in which technology is steaming forward means that the compromising will have to happen quickly, but still continue over a long period of time.
We spoke to Thomas Power, Bloomberg Listed PLC Director, who says that blockchain is a new forthcoming standard binding everything, documents and/or transactions, and everyone together almost like Internet 2.0. “GDPR is merely a label on the blockchain that people will choose to observe, respect and recognise. It's a good label,” he explains.
“Blockchain identity will allow people to decide who they share their documents and transactions with. Blockchain tokens are how people will receive rewards for sharing access to their documents and transactions. It will be about choice and token reward. However, blockchain requires 15 to 18 years to hit the mainstream, based on the 2008 Bitcoin blockchain. I see mainstream blockchain in the 2023-2026 timeframe, post-the 2020-2022 economic crash, much like 2007-2009.”
Power does also note that, while GDPR will need time to recognise and compromise with blockchain, there is already some compromising and blockchain compliance that is beginning to occur.
“Once Bitcoin, the first blockchain, is recognised by The SEC, likely to be in 2019, there will be more and more legal recognition globally. This event is the catalyst to recognising crypto assets as an asset class here to stay, albeit in embryo,” Power added. “First they (GDPR and blockchain) will battle and challenge, then they will harmonise because they are not enemies.”
Not Even Slowing Down the Process
So, while fundamentally it does not look like blockchain and GDPR can even exist in the same room, Power does not see it putting any sort of handbrake on the space in Europe, nor does he even see it slowing down adoption.
“I don't think GDPR is a handbrake. In fact, it’s the opposite. What I like about GDPR is it forces the highest data standards to citizens who choose to publish, store, and record their documents and transactions on the blockchain. It also places that same discipline on companies, governments and institutions, both public and private,” Power explains.
“I also don’t think it is slowing anything down. Like the Internet, blockchain is a 30-year movement. All of this will seem like trivia in 2038 and personally I am a fan of GDPR, and, of course, blockchain. I like the highest data standards for citizens and companies.”
Power’s assertion that this clashing of ideologies at the beginning of the world’s blockchain journey will seem trivial in a few years is an important one. In the fast-paced blockchain ecosystem, people have problems looking far into the future to see where it is heading.
It is on a path similar to the Internet. And, in terms of the Internet, the problems of the 90s around regulation and governance are not even remembered today. Blockchain and regulators will meet in the middle and find a compromise as the industry keeps moving forward.
Since GDPR was announced, companies have been scrambling to ensure that they meet the stringent requirements it sets. There has also been speculation as to which high-profile business would be the first to fall foul and be hit with a potentially huge fine. Well, Facebook could take that unfortunate crown.
The social media giant announced recently that hackers had gained access tokens to at least 50 million Facebook accounts. The hack gave them control over full profiles and linked apps, an offence that could see Facebook fined $1.63 billion in GDPR charges, according to the Wall Street Journal.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story: Margarita Khartanovich