Can GDPR Disrupt Blockchain Technology?
After the passing of GDPR, some blockchain projects could no longer operate legally, and one of them was Parity ICO Passport Service (PICOPS). Vitalik BUTERIN has even expressed his regret:
"This is very sad. A potentially very useful service in the ethereum ecosystem discontinued due to GDPR issues."
— Vitalik Non-giver of Ether (@VitalikButerin), May 18, 2018, https://t.co/yt58zEPBG4
I have consulted Dr. Torsten OLETZKY, former CEO of ERGO and currently Professor at the Technical University of Cologne, and Fabian RAETZ, CTO and co-founder of a blockchain InsurTech startup, on the subject of the blockchain. We exchanged some thoughts about the regulation and its impact, and discussed how GDPR affects blockchain-based projects.
What is GDPR?
The General Data Protection Regulation (GDPR) is the new legal framework of the European Union, which determines how personal data may be collected and processed. Following several years of discussions and preparation, GDPR was approved by the European Parliament in April 2016 and came into force on 25 May 2018. It applies to all EU-based organizations that process personal data and all organizations worldwide that process data belonging to EU citizens.
The consent to data processing
In addition to the general principles governing the processing of personal data, other principles govern in particular the consent to data processing and "special cases." Consent to data processing is a central element of the new EU GDPR regulation. The prohibition principle applies here: storage and processing of data are not permitted without the prior consent or explicit permission of the data owner. As the GDPR applies to any personal data that is stored or transmitted inside a blockchain network, for blockchain projects this means that no transactions may be carried out without the customers' consent. Given the multitude of use cases and approaches in the field, there can be no single solution that fits everybody.
What are the consequences of non-compliance?
Failure to comply with the new EU GDPR can result in penalties of up to 4% of annual turnover (maximum € 20 mln). For this purpose, appropriate authorities have been set up in each EU member state, which, in addition to education and awareness-raising, are in particular responsible for monitoring and enforcing the directive. The purpose of the regulation is to guarantee the protection of personal data and to ensure uniform and free movement of data within the EU. If blockchain projects are accessible globally, and thus accessible to EU citizens as well, then these projects will only operate legally in compliance with the GDPR Directive.
For many blockchain projects, the maximum penalty would mean going out of business. For this reason, it is very important to address data protection while developing a project so that it is GDPR-compliant. Many data protection questions must be answered, such as:
- Does a blockchain project have to store or process personal data of EU citizens?
- What parts of the project are responsible for dealing with the customers' data?
- How is the decentralized nature of the network going to affect data protection?
- Which data protection laws are applicable to that particular project?
Fabian RAETZ describes GDPR conformance in the blockchain and how it can be handled: "Since we are not permitted to store any personal data, even if we encrypt it, we have to start with the requirements analysis." According to the GDPR, storing personal data in a blockchain is no longer possible. But this does not necessarily mean the end of the blockchain.
According to Fabian Raetz, the obvious way to approach the GDPR challenge is to look at a simple example: suppose we require a date of birth, which is obviously personal information. Our options are:
- We do without the date of birth entirely. Where an age claim is involved, e.g. in a pension product, the age is always needed; if we drop it completely, we can, for example, take the payment duration as an alternative and rethink the model.
- The data is stored only by the user; only a hash is stored in the blockchain, in order to identify the user during use and to allow the application layer to work with this data.
- With the aid of the zero-knowledge method, it is possible to store various statements that can be proved by a third party, such as whether this person is over 18 years old, so that a contract can be concluded without the concrete information; only a proof is stored within the blockchain, so that these statements can be checked.
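The second option above, keeping the personal data with the user and putting only a hash on the chain, is easy to get wrong for a field like a date of birth: the set of plausible dates is small, so an unsalted hash can be reversed by simply trying every date, and the "anonymous" on-chain value leaks the personal data it was meant to keep off the chain. The following Python is an added example, not code from the article or from either interviewee's company, that sketches the pattern with a salted commitment and shows that check. `UserWallet`, `Ledger`, `verify_disclosure` and `recover_unsalted` are hypothetical names introduced here; the sample date of birth is constructed. Revealing the date and salt to a verifier is selective disclosure to a trusted party, not a zero-knowledge proof, so it illustrates the second option rather than the third.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample input (hypothetical user, not real personal data).
SAMPLE_DOB = "1985-06-15"


def commit(dob_iso: str, salt: bytes) -> str:
    """SHA-256 commitment to an ISO date of birth under a random 32-byte salt.

    Only this hex string goes on the ledger; the date and salt stay with the user.
    """
    return hashlib.sha256(salt + dob_iso.encode("utf-8")).hexdigest()


class UserWallet:
    """Hypothetical off-chain store held only by the user: the data plus its salt."""

    def __init__(self, dob_iso: str) -> None:
        self.dob = dob_iso
        self.salt = secrets.token_bytes(32)

    def commitment(self) -> str:
        return commit(self.dob, self.salt)

    def erase(self) -> None:
        # Right-to-erasure: once the user discards data and salt, the on-chain
        # hash no longer refers to anything recoverable.
        self.dob = None
        self.salt = None


class Ledger:
    """Hypothetical on-chain record: user id -> commitment, never the raw data."""

    def __init__(self) -> None:
        self.entries: dict[str, str] = {}

    def register(self, user_id: str, commitment: str) -> None:
        self.entries[user_id] = commitment


def verify_disclosure(ledger: Ledger, user_id: str, dob_iso: str, salt: bytes) -> bool:
    """Application layer: the user reveals date and salt, the verifier recomputes the hash."""
    expected = ledger.entries.get(user_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected, commit(dob_iso, salt))


def is_over(dob_iso: str, years: int, today_iso: str) -> bool:
    """Age statement ('over 18') evaluated from a disclosed date, leap-day safe."""
    born = date.fromisoformat(dob_iso)
    today = date.fromisoformat(today_iso)
    try:
        cutoff = born.replace(year=born.year + years)
    except ValueError:  # born on 29 February, non-leap target year
        cutoff = born.replace(year=born.year + years, day=28)
    return today >= cutoff


def recover_unsalted(digest_hex: str, first: str = "1900-01-01", last: str = "2018-12-31"):
    """Design check: try every date in the range against an on-chain digest.

    Returns the matching ISO date, or None. Succeeds against hash(dob) because the
    domain is only ~43,000 values; fails against commit(dob, salt) without the salt.
    """
    d, end = date.fromisoformat(first), date.fromisoformat(last)
    while d <= end:
        if hashlib.sha256(d.isoformat().encode("utf-8")).hexdigest() == digest_hex:
            return d.isoformat()
        d += timedelta(days=1)
    return None


def demo() -> dict:
    """Run the pattern end to end and return the observable results."""
    wallet, ledger = UserWallet(SAMPLE_DOB), Ledger()
    ledger.register("user-1", wallet.commitment())
    results = {
        "verified": verify_disclosure(ledger, "user-1", wallet.dob, wallet.salt),
        "wrong_dob_rejected": not verify_disclosure(ledger, "user-1", "1985-06-16", wallet.salt),
        "over_18_on_gdpr_day": is_over(wallet.dob, 18, "2018-05-25"),
        "unsalted_recovered": recover_unsalted(hashlib.sha256(SAMPLE_DOB.encode()).hexdigest()),
        "salted_recovered": recover_unsalted(ledger.entries["user-1"]),
    }
    wallet.erase()
    results["erased"] = wallet.dob is None and wallet.salt is None
    return results


if __name__ == "__main__":
    print(demo())
```

The on-chain hash is immutable, so erasure in this pattern means destroying the only copy of the salt and data off-chain; that is the reason the salt must be random and user-held rather than derived from the data itself.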
How does GDPR affect the end users?
As stated above, virtually every technology company dealing with customers within the European Union is going to be directly affected by the new law. The implications for these businesses' customers are as follows.
On one side, this is a long-awaited cybersecurity measure. It now becomes much easier to hold companies accountable for the wrong usage of personal information. One can simply withhold consent for certain uses of the personal data. An end user may also request the full personal information collected by a company in order to check what kind of data he shared and with whom. If one changes his/her mind about what kind of data may be used for what purpose, there is now an option to have the data removed from sites forever. What this means in practice is that people now have leverage against misbehaving companies, as the penalties for wrongdoing can be quite high, especially for large enterprises.
On the other side, the law also standardizes personal data protection laws across all 28 EU countries; this is definitely going to reduce miscommunication between different regulatory bodies and help organizations keep information assets secure. Without legislative standards and norms, chaos would reign. According to Prof. Dr. Torsten OLETZKY, thanks to the previous privacy policies in Germany (DSGVO, Datenschutz-Grundverordnung), companies were mainly well prepared for the coming GDPR law. The challenge that many small companies faced was that they simply didn't have enough time and resources to adapt to the new law.
Conclusion
The relationship between GDPR and blockchain technology is both paradoxical and in some ways ironic. The goal of the new regulation is to "give citizens back control over their personal data" and to impose strict rules for hosting and processing this data worldwide. The blockchain, too, is meant to give users back control over their data. But the new EU regulation is slowing down the blockchain and preventing users from achieving this goal at the blockchain level.
For blockchain projects, the passing of GDPR meant converting or discontinuing services; the insurance companies were not unaffected either, and according to Torsten OLETZKY their systems also had to be adapted. The EU-DSGVO / GDPR can nevertheless be seen as an opportunity for blockchain startups. Better privacy is an important incentive for customers. Sharing transactions between parties can be made much easier, and a consistent standard also creates trust.
Image courtesy of Inrix
About the author:
Paul Mizel is an entrepreneur, enthusiast, inventor, investor and InsurTech specialist. He is also the founder of Asure Network, the first scalable decentralized social security network.