Skip to main content

The Regulatory Implications of the General Data Protection Regulation on Blockchain Technology

30 May

The Regulatory Implications of the General Data Protection Regulation on Blockchain Technology

Brief Overview of the EU General Data Protection Regulation

            Due to mounting concern over the treatment of personal information by Internet companies, the European Union passed a new regulation that aims to safeguard personal information and give individuals more control over their data on the Internet.[1]The EU General Data Protection Regulation (GDPR) provides several important rights to individuals over their information including: (i) the right to be notified of a data breach, (ii) the right to access their personal data, (iii) the right to have their personal data erased, and (iv) the right to move their personal data from one site to another. Together, these regulations increase the transparency of how companies process the personal information of their online users and require these companies to be responsive to the inquiries of their user base.  

            Personal information is defined broadly under the GDPR.  Any data that directly or indirectly can be used to identify an individual is personal information.  Common examples of personal information are names, email addresses, telephone numbers, social security numbers, and various other identification numbers.  

            The penalties for failing to comply with the GDPR can be severe. Under the regulation, the maximum penalty under the GDPR is 4% of the company’s annual global turnover or twenty million euros, whichever is greater.[2]All companies with an online presence that collect personal data should be familiar with the GDPR.  It is extra-territorial in scope and so can be applied to any company, even if based outside of the EU, that processes the personal data of EU residents.

Blockchain Technology and the GDPR

            While the GDPR undeniably gives Internet users increased control over their personal information, it was principally developed to address concerns associated with current business and technological models.  The GDPR generally assumes a centralized entity with control over all aspects of data collection, processing, and retention, even if those activities are done by other actors.  This assumption captures a wide variety of now-dominant businesses and sites on the Internet including Internet retailers, social networking sites, and search engines. It does not accurately characterize distributed models of computing, such as blockchains, where no single entity has complete control over the system by design.

            Two aspects of blockchain technology, in particular, may conflict with the general principals of the GDPR.  The first is decentralization.  This is especially true of permissionless blockchains, which allow anyone to participate on the blockchain.[3]  If personal information is recorded on these types of blockchains, there may be no authority to which a user could direct a request to alter or remove that information, as required by the GDPR.  The other compliance issue relevant to blockchains involves the immutability of blockchains. Once a batch of transactions have been verified by the network, it is added to the blockchain permanently.[4]  This aspect of blockchain technology makes it both highly reliable and secure. However, it also means that there is no mechanism easily available if a user would like his or her person information altered or removed altogether from the blockchain. 

Design with Privacy Rights in Mind

            As blockchain technology becomes more prevalent in the online lives of Internet users, it will draw increasing scrutiny from the European data authorities. Companies aiming to launch new services based on blockchains should make GDPR compliance a priority during the design process.  One design approach that can help prevent privacy issues is data minimization. Data minimization, a principle endorsed by the GDPR, means only soliciting or collecting personal information necessary from users for the application.  For example, IPwe’s technologies and applications are designed to only collect the personal information absolutely required to provide its services to users.  This greatly limits a company’s exposure to personal information and the need for users to request changes to or removal of it in the future.  Another approach is to make sure that participating nodes “scrub” any transactions of personal information before they are added to the blockchain.  If necessary, this personal information can be stored in related databases where it can be more easily updated or deleted if requested by users.  

            Blockchain technology is an exciting and revolutionary approach to storing data and implementing transactions on the Internet. However, the distributed nature and immutability of blockchains present challenges to GDPR compliance.  The best approach is for creators and administrators of blockchains to factor in privacy concerns at the blockchain’s inception to avoid compliance issues in the future.     

[1]This introduction is meant to be a very high-level overview of the EU GDPR.  For more information, consult a resource such as https://www.eugdpr.org, where much of this information is found. 

[2]https://www.eugdpr.org/the-regulation.html

[3]http://blog.global.fujitsu.com/how-to-master-the-relevancy-of-permissioned-vs-permissionless-blockchain-and-distributed-ledger-technology/

IPWe Inc.

  • #

    Address 160 Greentree Dr, STE 101, Dover, DE 19904, USA 

  • #

    Phone  USA: 1.214.438.8320

  • Email info@ipwe.com

send us a message