Is GDPR on a collision course with blockchain technology?


The new EU data protection and privacy regulation is set to fundamentally change how personal data is handled on the internet. One of the industries that will certainly be affected is blockchain.

What is GDPR, when does it go into effect, and who does it affect?

GDPR is an acronym for the General Data Protection Regulation, a set of EU rules governing how personal data is processed and handled. It applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. The regulation, which comes into force on May 25, 2018, is expected to have far-reaching implications for how corporations collect and use the personal data of individuals within the European Union.

GDPR affects every player in the internet industry that collects personal data in any form. The most visibly affected are companies whose business is built on data: search engine corporations like Google, social media companies such as Facebook and Twitter, and, now, the entire blockchain industry.

GDPR vs. Blockchain?

Overall, some aspects of GDPR align with blockchain ideology, such as transparency of transactions and protection of users' data. This is the driving force behind alternative social media outlets such as Steemit, where users, rather than the platform, are rewarded for the content they contribute. However, the alignment pretty much stops there.

The central characteristics of an open blockchain are that its data is distributed, its governance is decentralized and its ledger is immutable. Many aspects of GDPR conflict with exactly these properties, especially in the areas of data privacy, data sharing, access to sensitive information and terms of service, among others.

Here are just a few:

Data modification: Under GDPR, an individual can ask a company to correct the personal data it holds about them (the right to rectification) or to erase it entirely (the right to erasure). On a blockchain, however, data is by design not modifiable once written, because the ledger is meant to be immutable. The very nature of blockchains, especially public blockchains, is that the ledger is never retroactively modified or tampered with in any way. Note that this problem is not limited to names and addresses: pseudonymised data such as account identifiers, or hashes that can be linked back to a person, still counts as personal data under GDPR, so anything of that kind written on-chain is caught by the same requirement.

No single party can overrule consensus on the blockchain: Another aspect of GDPR is that an individual should have full control over how their personal data is used, may decide to stop sharing it, and may ask a corporation to change it. Public blockchains, however, are not corporations. No single party owns or controls the chain or the network, because its governance is decentralized, so no single party can make a change unless consensus is reached on the network.

Handling of data: GDPR restricts the transfer of personal data outside the EU; such transfers are only allowed to countries the EU deems to provide adequate protection, or under specific safeguards. Foreign companies with EU operations therefore cannot freely use data collected in the EU in other countries, which is currently common practice for many of them. This contradicts a central function of a blockchain, where data is distributed over a network of nodes that verify transactions and may be located in any country. This is especially true of public blockchains: anyone can host a node in another country and use it to verify transactions involving individuals in the EU, so by default the data has already left the EU by the time the transaction is validated.

Illegal Content: Many countries within and outside the EU have laws that clearly criminalize possession or transmission of certain prohibited content (for example child pornography or terrorist material). What some may not realize is that any type of data, prohibited content included, can be placed on a blockchain, and once it has been confirmed and verified by the network it cannot be removed. Consider cryptocurrencies focused on decentralized file storage, such as Storj, Maidsafe, Siacoin or Filecoin, several of which locate stored content through a distributed hash table (DHT), so every participating node may end up holding fragments of other users' files. One could argue that because the information is encrypted, liability for its possession and custody should be limited. That is probably true in countries like the US, but the EU takes much stricter measures against hosting illegal content, whether or not it is encrypted.
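To make the "data modification" and "illegal content" points above concrete, here is a small hash-chained ledger written for this article (it is an added illustration, not code from any of the projects named). It uses hypothetical names (Ledger, erase_in_place, rehash_block, reissue_from) and constructed sample records. It shows that blanking a record to honour an erasure request invalidates the stored block hash, that re-hashing only that block breaks the link in the next one, and that making the chain verify again means rewriting every later block, which on a real network is exactly what needs consensus.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENESIS_PREV = "0" * 64  # hypothetical previous-hash value for the first block


@dataclass
class Block:
    index: int
    prev_hash: str
    records: List[str]           # hex-encoded payloads; any bytes can go in
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # The hash commits to the block contents and to the previous block's hash.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "records": self.records},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(body).hexdigest()


class Ledger:
    """Minimal append-only chain; no networking or consensus, just the hash links."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, records: List[bytes]) -> Block:
        prev = self.blocks[-1].hash if self.blocks else GENESIS_PREV
        blk = Block(len(self.blocks), prev, [r.hex() for r in records])
        blk.hash = blk.compute_hash()
        self.blocks.append(blk)
        return blk

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and check every link; return (ok, first_bad_block_index)."""
        prev = GENESIS_PREV
        for blk in self.blocks:
            if blk.prev_hash != prev or blk.compute_hash() != blk.hash:
                return False, blk.index
            prev = blk.hash
        return True, None


def build_sample_ledger() -> Ledger:
    ledger = Ledger()
    ledger.append([b"alice@example.com -> bob: 5"])  # constructed record containing personal data
    ledger.append([b"bob -> carol: 2"])
    ledger.append([b"\x00\x01 arbitrary payload bytes"])  # anything can be written on-chain
    return ledger


def erase_in_place(ledger: Ledger, block_index: int, record_index: int) -> Tuple[bool, Optional[int]]:
    """Blank one record, as a single operator might to honour an erasure request."""
    ledger.blocks[block_index].records[record_index] = b"".hex()
    return ledger.verify()


def rehash_block(ledger: Ledger, block_index: int) -> Tuple[bool, Optional[int]]:
    """Recompute only the modified block's hash; the next block's prev_hash now points nowhere."""
    blk = ledger.blocks[block_index]
    blk.hash = blk.compute_hash()
    return ledger.verify()


def reissue_from(ledger: Ledger, block_index: int) -> int:
    """Rewrite every successor so the chain verifies again; return how many blocks changed."""
    changed = 0
    for i in range(block_index + 1, len(ledger.blocks)):
        blk = ledger.blocks[i]
        blk.prev_hash = ledger.blocks[i - 1].hash
        blk.hash = blk.compute_hash()
        changed += 1
    return changed


def run_demo() -> Dict[str, object]:
    ledger = build_sample_ledger()
    results: Dict[str, object] = {"fresh": ledger.verify()}
    results["after_erase"] = erase_in_place(ledger, 0, 0)   # stored hash no longer matches
    results["after_rehash"] = rehash_block(ledger, 0)       # link from block 1 is now broken
    results["blocks_rewritten"] = reissue_from(ledger, 0)   # every later block must change
    results["after_reissue"] = ledger.verify()
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

On a three-block chain the cost is two rewritten blocks; on a public chain it is every block mined since the record was written, and every node would have to accept the new history, which is the consensus problem the next point describes.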

GDPR vs. US laws?

The potential problems related to GDPR have already reached the Supreme Court in the recent case of United States v. Microsoft, No. 17-2, where the central issue was whether a US provider of email services must comply with a probable-cause warrant by disclosing, in the United States, electronic communications within its control, even if it has chosen to store that material abroad.

In 2016, the U.S. Court of Appeals for the Second Circuit ruled in favor of Microsoft and other tech companies, limiting the geographic reach of the US Stored Communications Act to data stored in the United States. The EU's highest court, the Court of Justice of the European Union, has already weighed in on the other side of the Atlantic, determining that EU law does not recognize the US legal regime as upholding Europe's "fundamental right to privacy." Whatever the outcome of the Supreme Court case, it is likely to present future challenges for companies seeking to comply with both U.S. and EU law.

The debate about data handling by private corporations is in high gear, especially after the recent Facebook hearing, and regulators have repeatedly demanded transaction data from exchanges such as Coinbase. Even so, it is probably safe to say that any United States laws or regulations resembling GDPR will be less strict than those in the EU, due in part to the influence of private US corporations and financial institutions, which depend on the availability of PII (personally identifiable information) for their business and lobby the US government heavily to ensure that any US data protection law is more measured than Europe's.

Nevertheless, GDPR has the potential to render many distributed ledger technology projects non-compliant, and may force many ICOs to rethink their strategies and roadmaps. US companies with data stored overseas or with European operations should be following these developments very closely.