A new set of data protection regulations could have a negative impact on blockchain applications in the European Union (EU). One of the fundamental operational premises of most blockchain-based applications risks conflicting with a new European privacy law.
The record of transactions on most blockchains can be viewed by the network participants. Once authenticated, these records become immutable, meaning that they cannot be altered or removed. This immutability is one of the strong points of the technology and a reason why cryptocurrencies like bitcoin and ether have become popular.
The European Union General Data Protection Regulation (GDPR)
The European Union recently issued a new set of data-handling regulations as an update to its General Data Protection Regulation (GDPR). These new regulations, which take effect from May 25, 2018, deal with how companies handle the sensitive information of users.
As part of the new regulations, companies must comply with the request of any EU citizen to completely delete his/her user information stored by the company. It is a landmark ruling which throws light on a topic that has been brought to the forefront, particularly in the aftermath of the Cambridge Analytica and Facebook controversy.
While this move would mean user data now firmly belongs to the user, it could spell doom for many blockchain businesses operating in Europe. According to Michèle Finck, an Oxford University lecturer specializing in EU law, blockchains in their current operational architecture are not compatible with the new GDPR:
“On a tamper-proof ledger, these rights cannot, however, be easily implemented. It is safe to assume that at present most blockchains are not GDPR compliant because they are unable to implement these rights. A number of technological solutions are currently being developed that might facilitate this in the future, but we are not there yet.”
According to her, EU regulators face the choice of either banning blockchain apps from Europe or tweaking the GDPR to offer some exceptions for blockchain apps. Blockchain companies might be forced to look for ways to delete data from the blockchain after it has been vetted, something that is, for the most part, theoretically impossible.
Greg McMullen, a German-based lawyer, says blockchain companies will be faced with immense compliance headaches due to the new regulations. He also went on to say that the move will most likely impede the development of blockchain-based applications. Developers and entrepreneurs will face the hard task of trying to ascertain if an application should be built on a blockchain in light of the new laws.
Understanding the GDPR as it Relates to Blockchains
According to Jules Polonetsky, the CEO of the Future of Privacy Forum, the new regulations, while having a great deal of detail, have several elements that leave room for subjective interpretation. Personal information is defined by the GDPR as anything that relates to an identifiable, living individual. Polonetsky commented that such a definition is incredibly broad, and as such, could apply to bitcoin addresses.
Commenting on the issue, Hogan Lovells said that encrypted data would more often than not qualify as personal data instead of as anonymous data. As a result, the GDPR will apply to some of the data used in blockchain transactions.
As a result, some blockchain companies will be forced to redesign their systems in order to comply with the regulations by creating off-chain databases.
Such a move runs counter to the underlying principles of a blockchain and will also create the possibility of information tampering. Also, creating an off-chain database would mean more expenses for startup companies, as they will need to build IT infrastructure which wasn’t part of their initial business plans.
Furthermore, Monero contributor Howard Chu said that it might be impossible for bitcoin and other decentralized, public ledgers to comply with GDPR, as data cannot be deleted by any central authority. He goes on to explain that there is a chance that Monero will be in the clear since there is no personally identifiable information (PII) on its blockchain:
“It will be irrelevant for Monero since there is never any PII stored on the blockchain. So – when the topic of government bans comes up, Monero may be the only survivor. Note the heavy use of ‘may’ above. While it’s clear that Bitcoin and other transparent coins will be in violation of the GDPR, it’s not certain that Monero is in the clear, yet.”
Potential Implications of the GDPR vis-à-vis Blockchains
Mark Rudnitsky, the CEO of a Chicago-based blockchain startup, believes that the new regulations will most likely force some blockchain startups to stop operating in Europe. The GDPR doesn’t only apply to companies based in Europe but also to those that offer services to EU citizens.
Some experts like Winston Maxwell prefer a situation where blockchains and the GDPR find common ground in terms of data protection measures. On the flip side, there are those who do not accept the notion that the GDPR spells any kind of doom for blockchains at all. The executive director of Hyperledger, Brian Behlendorf, believes that blockchains could assist businesses in complying with the GDPR.