Since April 27, 2016, citizens of the European Union (EU) have been waiting for their new data privacy laws to take effect. After a two-year transitional period, on May 25, 2018, the General Data Protection Regulation (GDPR) will replace the previous Data Protection Directive.
As the first major overhaul of EU data protection laws since 1995, the GDPR will consolidate and expand the data privacy regulations of the EU's various member nations into a single, comprehensive source of standards.
Highlighting the growing importance of individual digital rights in the 21st century, the GDPR has been called "the most lobbied regulation in EU history" by many, having been amended over 4000 times before the final version was released. The new EU GDPR's sweeping stance on individual data privacy rights has been intentionally designed to affect entities outside the EU that handle EU citizen data – something the GDPR calls "extra-territorial applicability."
Though not yet implemented, the legal ramifications of the GDPR are already influencing businesses and organizations both in and outside the EU, as well as globally impacting the burgeoning blockchain space.
As the May deadline approaches, users of blockchain technology must reconcile the new data privacy stipulations set forth by the EU with their online activities. Can this be done or is the GDPR a blockchain death sentence?
GDPR vs Blockchain: Round 1
At first glance, the GDPR and blockchain technology seem irreconcilable. The GDPR was fashioned in a pre-blockchain world of centralized data, while blockchain technology famously decentralizes as much as possible. To better understand this emerging conflict, ETHNews spoke to Michèle Finck, senior research fellow at the Max Planck Institute for Innovation and Competition in Germany, and lecturer in European Union Law at the University of Oxford's Keble College.
"The GDPR was essentially written for data silos," said Finck. "In such settings, data is centrally collected, stored, and processed. Blockchains, however, decentralize each of these processes. The question that emerges now is how to apply a legal framework designed for centralized data settings to one of radical decentralization. This question is far from easy to solve and explains the tension between blockchain technology and various different aspects of the GDPR."
One point of tension is that the GDPR classifies hashed and encrypted data as personal data. This means, for example, that public keys, like those used in conjunction with blockchain-associated cryptocurrency wallets, are subject to the new laws of the GDPR. Since any blockchain operating within Europe is likely to also have nodes outside of Europe, the decentralized nature of data on a blockchain effectively makes all that "personal data" leaving Europe illegal.
Another example of rising tension is the GDPR's data erasure stipulation, commonly known as "the right to be forgotten." Outlined in Article 17 of the GDPR, the right to be forgotten states that an individual's personal data must be deleted by a newly defined "data controller" if requested by that individual. Such data is also restricted from any further dissemination to third-party entities. Yet data on a blockchain, especially on a public or unpermissioned chain, is not easily deleted.
These two data scenarios represent core problems for GDPR and blockchain reconciliation. According to an exhaustive report by Finck, balancing "fundamental rights and protection on the one hand, and the promotion of innovation on the other" is at the heart of understanding whether there is any common ground between the GDPR and blockchain technology.
GDPR vs Blockchain: Round 2
Finck believes that common ground does exist; it may simply require more time to develop, and to understand how blockchains can be designed to help achieve the high standards of data privacy set forth by the GDPR. Finck's report explores the idea of how future blockchains "could be compatible on a meta-level, as, if properly designed, blockchains can pursue the GDPR's underlying goal of giving a data subject more control over [their] data."
Finck told ETHNews:
"This is the fundamental riddle regulators face in relation to blockchains: that they're both a threat and possibly also an opportunity from the data protection perspective. The GDPR explicitly pursues the goal of giving citizens more control over their data, and although blockchains were definitely not what regulators had in mind when drafting this, they may ultimately come to achieve this."
If blockchain innovation in Europe is going to continue, users of the technology must – sooner rather than later – check and double check their compliance with GDPR mandates, as offending organizations "can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)."
A new generation of laws and technology is bringing regulators and innovators together under the ambitious framework established on behalf of the citizens of the EU. One can only hope that European policy makers will have the insight to grasp how much blockchain technology could actually aid the GDPR's cause.
"There is a lot of potential in using blockchains as a regulatory technology," said Finck in closing. "Specifically, in relation to data protection and the idea of data sovereignty, we are seeing many exciting proposals of how blockchain technology could give individuals more control over their own data."