The letter, penned by Brave's chief policy & industry relations officer, Dr Johnny Ryan, came in response to an invitation to comment on the ever-growing issue of consumer online privacy. Ryan's letter follows one written by Eich to the US Senate Committee on Commerce, Science and Transportation in September.
In the letter, Ryan recommends the introduction of a federal law that draws upon the EU's newly introduced GDPR and adopts its protective approach to new market entrants. It also recommends that the US build upon similar standards to the GDPR to maintain its global leadership. The GDPR, in brief, seeks to regulate how companies can use their customers' data.
The letter agrees with the GDPR concepts of "data controllers" and "data processors," roles that entities entrusted with users' personal information must clearly hold; those entities must follow and implement set rules in order to comply with GDPR or similar legislation.
Brave, with its Ethereum-based Basic Attention Token (BAT), is very much a part of the cryptocurrency and blockchain ecosystem. Yet many believe GDPR and blockchain technology are not compatible due to the latter's immutability.
The EU Blockchain Observatory & Forum recently outlined the tensions between GDPR and blockchain technology whilst also arguing there are "paths for reconciliation." Such paths are more difficult to envisage for public, decentralized blockchains.
For the Ethereum blockchain and others, GDPR and a potential US equivalent pose problems. Personal data stored on a blockchain could be carried across borders through decentralized nodes, out of the jurisdiction of regional legislatures. (While that's permitted under GDPR, user protections must be in place.) Moreover, if a blockchain is immutable, how can data be deleted at the request of a user, under the principles of GDPR?
For Brave, compliance is a little clearer. Ryan, speaking directly to ETHNews, explained how Brave by default does not, and will not, store any personal data. Nor does Brave use a blockchain other than for financial transactions of BAT. If a Brave user opts in to features that do store personal data, this data is secured in such a way that even Brave cannot access it. Ryan explains:
"For example, if a user switches on 'Sync,' a feature that synchronizes settings, bookmarks, history, and related data between instances of Brave on different devices, then an encrypted copy of this information is sent to Brave in order to keep the data synchronized, but we do not have the keys to decrypt the data."
By using "privacy-by-design" principles, Brave is already GDPR compliant and would likely be compliant with any similar federal privacy laws developed in the US.
Ryan says Brave has chosen to support federal privacy legislation because "self-regulation in the ad tech industry has failed. Cambridge Analytica proved that beyond argument. Remember, Cambridge Analytica was once a darling of the ad tech industry."
There are other reasons, he points out:
"I also think this will protect innovation and choice in the market. The GDPR's robust approach to 'purpose specification' will help restrain large tech platforms from leveraging their dominant positions in one line of business by cross-using data accumulated in that line of business to dominate other lines of business too. This is important, because the cross-use of data is a serious antitrust concern. Young, innovative companies can be snuffed by giant incumbents who erect barriers to entry by cross-using data for purposes beyond what they were initially collected for."
Though the Brave browser blocks all advertisements, unwanted media, and data-collecting cookies, the Brave Ads program is being developed, where users will be able to choose how many and what type of adverts they view in return for payment in BAT. By using BAT tokens, which are paid for by advertisers and passed on to users as an opt-in reward, Brave can monetize the platform without the need for Google or Facebook's models of monetizing data or displaying ads.
Ryan and Brave don't want the US to be left behind or struggle to adapt to legislation implemented in other countries. Ryan suggests: "GDPR-like laws are emerging across the globe, and it is becoming a standard. The United States can assume the global lead in this domain by establishing a world-leading regulator that pursues test cases and defines practical standards."
Brave's position on data privacy and compliance is clear, as is its ability to comply. But others in the blockchain and cryptocurrency ecosystem may find GDPR-equivalent legislation more challenging to implement, even though GDPR shares blockchain's ethos of user empowerment.
The EU Blockchain Observatory & Forum is not alone in believing that GDPR-style legislation and decentralized blockchain technology can coexist on a harmonious path. Michèle Finck, senior research fellow at the Max Planck Institute for Innovation and Competition in Germany and lecturer in European Union Law at the University of Oxford, explained the hidden opportunities of GDPR to ETHNews earlier this year.
Correction (11/8/2018): An earlier version of this article implied that users can opt in to receive cookies as part of the Brave Ads program. This has been corrected. Additionally, we have added language to make it clear that the GDPR allows data to be transferred out of the EU.