General Data Protection Regulation and Blockchain Privacy

Gretchen HelfrichCryptocurrency

general data protection regulation

Despite the breathless excitement (and no small amount of weirdness) that surrounds blockchain technology, the predictions that it will revolutionize business remain just that – predictions.  Still, it probably makes sense to prepare for a blockchain world. European Union officials are trying to do that.

The General Data Protection Regulation

In 2016, Europe rolled out its General Data Protection Regulation – a far-reaching and restrictive set of regulations for businesses that handle consumers’ personal data.  It’s a European regulation that went into effect in May of this year.  But American companies—especially web-based ones—are increasingly complying (and being advised by their counsel to comply) with the GDPR, either because they actively target EU-based consumers, or because they might attract those consumers.

Here’s the funny thing—the GDPR is brand new but already behind the times.  A recent “thematic report” from the European Union Blockchain Observatory and Forum (a sort of think tank within the EU) identified the problem: the GDPR “was fashioned with the implicit assumption that data in our digital world is controlled by identifiable actors.”  The GDPR was developed for the internet world, where, sure, everyone is linked, but everyone is still in (relatively) complete control of their own little domain.

And then came blockchain.

Can GDPR Work for Blockchain?

Blockchain, of course, allows for decentralization of data control and processing and anonymity of the controllers and processors.  But the very thing that makes blockchain so revolutionary (maybe) puts it at odds with the GDPR regulatory scheme. Under that scheme, the “key role” is that of data controller, defined as the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”  

So who is the data controller of, say, Bitcoin?

[Crickets]

Without an identifiable data controller, the GDPR has no one to hold accountable, and consumers have nowhere to go to vindicate their GDPR rights.

There are other issues too.  For example, the GDPR gives data subjects (i.e. people) a right to have their personal data deleted if it is no longer needed for a lawful processing purpose. This is called “the right to be forgotten.”  The problem is, a blockchain can’t forget. More precisely, it is extremely difficult to remove data from a block in the chain once a subsequent block has been added. Once three subsequent blocks have been added, it is effectively impossible.  This also means that data errors can’t be corrected, yet the GDPR provides a “right of rectification” to data subjects.

“Rule of Thumb Principles” for Blockchain

The EU has not yet formulated specific regulations for implementing the GDPR in the context of a blockchain.  For now, the EUBOF offers four rather wan “rule of thumb principles” for businesses and other blockchain adopters:

  1. Ask how user value is created and whether blockchain technology is really necessary.
  2. Avoid storing personal data on the blockchain.  If you can’t avoid it, make maximum use of data obfuscation, encryption, and aggregation techniques.
  3. Collect personal data off-chain if possible, or make use of private, permissioned blockchain networks.
  4. Continue to innovate, and be as clear and transparent as possible with users.

This isn’t much for a company to go on, but given that Europe seems to be taking the lead on addressing data privacy in the blockchain space, Europe’s advice may be worth following.

Gretchen Helfrich

Gretchen Helfrich

Gretchen Helfrich is a former Ziliak Law attorney.
Gretchen Helfrich

Latest posts by Gretchen Helfrich (see all)