The main blockchain research body of the European Commission is positive the General Data Protection Regulation (GDPR) and blockchain can co-exist in harmony – but things will ultimately boil down to specific use cases and applications.
In a report published in October, The EU Blockchain Observatory and Forum argues GDPR compliance is fundamentally less about the technology itself, and more about how those technologies are put to use.
“Just like there is no GDPR-compliant Internet, or GDPR-compliant artifcial intelligence algorithm, there is no such thing as a GDPR-compliant blockchain technology,” the reports insists. “There are only GDPR-compliant use cases and applications.”
But what exactly does this mean? Let’s dive into it.
Blockchain under GDPR
For those unfamiliar, GDPR stipulates that users should have control over their data at all times.
Any company or system that fails to provide such control to its users is in direct opposition to the new regulation. But unlike standard centralized solutions, blockchains (especially permissionless ones) tend to be decentralized and immutable.
This creates an interesting conundrum for blockchain – and how it can ensure compliance with GDPR. According to the Observatory, there are three main points of tension:
- Determining obligations to data controllers and processors: while it is easy to identify who is responsible for processing GDPR-related data requests in the case of permissioned (private) blockchains, it is virtually impossible to do the same with permissioned blockchains, since the task of data processing is ultimately split between many independent validators (miners).
- Ensuring the anonymization of personal data: there are still no mechanisms that can guarantee users’ personal data will remain anonymous when recorded on the blockchain.
- Defining users’ rights: if GDPR is about giving users control over their data, then it is important to clarify what constitutes the removal or rectification of data in the case of blockchain.
To help blockchain entrepreneurs and businesses navigate away from potentially illegal use cases and applications, the report has outlined four ‘rule-of-thumb principles’ to consider.
For starters, the Observatory encourages every business to think really hard about whether blockchain suits its goal – and whether it adds value.
If that is indeed the case, the next suggestion is to avoid storing personal data on-chain, or use obfuscation methods to anonymize sensitive information. As an extension of this, the third tip is to collect personal data off-chain or on a permissioned blockchain, in order to ensure compliance with GDPR.
The last suggestion encourages businesses to always “innovate” and remain “transparent” with users. Unfortunately, the report does not elaborate on what this really means.
The big picture
The report is in no way legally binding, but the big takeaway is that European regulators (and GDPR) seem to suit permissioned blockchain models better than permissionless ones. Indeed, this is consistent with recent findings of researchers from the Queen Mary University of London and the University of Cambridge.
While the Observatory deliberately reiterates that GDPR won’t interfere with permissioned blockchains, things aren’t looking up for permissionless networks like Bitcoin.
“Public, permissionless blockchains represent the greatest challenges in terms of GDPR compliance, because of their extremely distributed nature,” the report reads. Unfortunately, none of those challenges are addressed at length.
Another curious highlight the report implies that businesses handling permissioned blockchains will ultimately be responsible for ensuring users have sufficient control over their data.
“In situations where application developers or consortiums act as intermediaries between individual users and blockchain networks, they will most likely be considered data controllers, and must ensure that they can carry out their obligations,” the report insists.
The Observatory is swift to note that its findings do not necessarily reflect the official stance of the European Commission. It further warns that it can’t guarantee the accuracy of the data references in the study.
So while initial findings suggests GDPR and blockchain don’t necessarily negate each other, the Commission has yet to come up with an official stance on the situation itself.
But there is one thing it is certain about: blockchain is no silver bullet.
“Another key element to consider is that blockchain technology is not the solution to every problem,” the Observatory concludes. “Entrepreneurs should not assume that using blockchain automatically makes an application more secure or cheaper, or that it automatically equates to data protection or privacy.”