What do Experts Think about Contradictions between GDPR and Blockchain?
Posted on Jul 10, 2018
The General Data Protection Regulation (GDPR) can negatively affect the development of Blockchain. Experts believe that the right to be forgotten in the GDPR contradicts the ideology of reliable data storage in Blockchain. We asked experts from US companies to express their opinion on the problem of compatibility of GDPR requirements with projects where personal data is stored using Blockchain.
Erik MacKinnon, Director of Growth, Blockmason
"Blockchain technology companies and startups share the same burdens as any other when it comes to the GDPR. Limiting automated data collection and processing, implementing data protection measures, notifying users of data breaches, providing data reports and deletions upon request, etc. Blockchains themselves are either GDPR-compliant or GDPR-non-compliant, depending on the data being recorded on them. If you were to submit personally-identifiable data on to a blockchain and permanently record it there, it would be challenging to have it removed later. But you're likely to find few instances where this is the case.
In my experience, the greater impact of GDPR will be on marketing teams that work inside of blockchain technology startups, like ours at Blockmason. For example, we have a mobile decentralized app called Lndr, which is a peer-to-peer expense sharing and bill splitting app for iOS and Android. Although we store very little user data -- just an email address -- we're still required to be responsible stewards of that data. So like any company, we've taken steps to make our policies compliant, have appointed a data manager and have recorded, auditable processes for the GDPR deletion requests we have received.
Can the GDPR kill the blockchain? In short, no. If anything, legislation like the GDPR proves the need for decentralized, anonymous and/or privacy-focused blockchain technologies. Although legislation rarely proves effective in curtailing hacks and data theft.
It seems like every day there's another example of a large company with big data doing very little to responsibly secure and protect it. Just today I read that Ticketmaster suffered a hack and 40,000 people had their data stolen. It's crazy.
A significant first step for many companies would be to decentralize their critical user data so that it's not all stored in a single, hackable database. By leveraging existing blockchain technologies, a company like Ticketmaster could have avoided disaster."
Reuben Kats, COO, Web Design Sales Engineer GrabResults, LLC
"GDPR will block out a lot of information that can be used as a threat against you. I highly believe there will be a big issue with blockchain technology and GDPR. The transparency will stop and eventually stop sending over personal information. Any personal social security numbers, bank accounts, and routing numbers will now be blocked. That information needs to be manually inputted instead of being transferred or shared from one platform to the next."
Andrew Becks, COO, 301 Digital Media (Nashville, Tennessee)
"As it stands, blockchain technology is fundamentally incompatible with essential parts of GDPR. Without even looking any further than one example, we can find an inherent and fatal issue: Blockchain ledgers are designed to be permanent and transactions irreversible, which means that blockchain ledgers are unable to comply with GDPR's right to erasure provisions (Article 17 of GDPR). This provision, also known as the right to be forgotten, provides people the right to have their data erased from digital services, including something like blockchain."
Alan Majer, CEO, Good Robot
"For blockchain practitioners, the implications are very clear, don't store personal data in the blockchain. The 'forever' nature of blockchain data is incompatible with the requirement that personal data must be erasable - so the best strategy is to keep it out of the blockchain in the first place.
However, it's virtually certain that someone, somewhere, is going to put personal data into the blockchain. Regulators will not want to hear that the blockchain is exempt or that data can't be deleted. So when it happens, it's going to create a problem. Even if one can punish the party responsible for it, it may not be possible to correct by removing the data. The genie is really already out of the bottle, so I think it's unlikely that the GDPR will 'kill' the blockchain - any more than we could shut down the entire internet. Ensuring that blockchain practitioners have adequate data management and privacy practices in place will go a long way to preventing these types of issues.
At this early stage, it's hard to say whether the GDPR will create more harm than good - maybe someday nations will want to keep personal identities and certifications in the blockchain itself because of their permanence and resistance to forgery. While approaches to personal data certainly warrant caution, we also need to ensure that premature regulation doesn't cut ourselves off from innovative possibilities later."
James Robbins, marketing assistant at Sendy
"The main problem with GDPR for blockchain is the 'right to be forgotten' section, which directly counteracts blockchain's immutable transaction records. While a company might be able to change information on a private or centralised exchange, this is fundamentally changing the reliable nature of blockchain, and thus a concern. If someone was to destroy all records of their private key, there would be no way to trace their footprint back to their identity, which is the best that public blockchains can hope for."
KJ Dearie, Product Specialist & Privacy Consultant
"The intersection of blockchain and the GDPR has yet to prove beneficial or detrimental to businesses in their efforts to comply with digital privacy laws. On the one hand, the GDPR pays a good deal of attention to the safekeeping and anonymization of user data – a feat which blockchain and its highly-secure, heavily-encrypted technology is built to achieve. On the flip side, blockchain serves to protect data in its inability to let anyone penetrate its layers of specialized encryption – making it directly incompatible with Article 17 of the GDPR, which outlines the “Right to Erasure.” As this right allows users to have their data accessed and erased from where it is stored, the lock-and-key nature of blockchain hinders this process. Whether the GDPR will halt the development of blockchain technology, or make it a hot commodity in data protection, is yet to be seen. The question is – are the protective capabilities of blockchain enough to negate the data access rights granted by the GDPR? I hope your audience finds this input helpful. Feel free to reach out for further clarification, or if you have more questions."
Abhishek Shankar, Founder of Enterprise Product on Blockchain called Majime
"In hindsight it seems to affect adversely because both GDPR and blockchain have different ways of securing privacy. Blockchain makes most of the things public and GDPR gives the control back to user. Since Blockchain is based on making data replicated to many hardware, deleting it is a nightmare, which actually doesn’t help comply with erasure rules of GDPR. Since GDPR and Blockchain are in many ways in their purpose designed to help users, it can be worked to their strengths to Combining trusted computing with public blockchains means that the privacy of data can be protected from outside threats, and stored off-chain, with the blockchain acting as the final judge for who can access that data or not. Because smart contracts mean no longer having to trust centralized service providers, data rights can be managed exclusively via the blockchain and trusted hardware, by users; returning control and privacy of their data back to them. At Majime, we have used encryption and personal control to publicly delete the data which we have collected from a worker for creating his skill registry.
Can the GDPR kill the blockchain? GDPR is like a guiding principle for any web behaviour and data storage is one of them. Blockchain is a decentralised data storage and if applied properly, GDPR is not an adversary to blockchain: off Chain Databases, encryption, peer to peer chains rather than Open blockchains."
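The off-chain pattern this answer points to, as an added example that is not Majime's code or part of the original interview: personal data and a secret per-record salt live in a mutable off-chain store, the ledger holds only a salted HMAC commitment, and erasure deletes the off-chain record. `Ledger`, `OffChainStore` and `block_hash` are hypothetical names, and the hash chain is a toy stand-in for a real blockchain.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # previous-hash value for the first block

def block_hash(index: int, prev: str, commitment: str) -> str:
    return hashlib.sha256(json.dumps([index, prev, commitment]).encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (toy model, added example)."""
    def __init__(self):
        self.blocks = []  # tuples: (index, prev_hash, commitment, block_hash)

    def append(self, commitment: str) -> int:
        index = len(self.blocks)
        prev = self.blocks[-1][3] if self.blocks else GENESIS
        self.blocks.append((index, prev, commitment, block_hash(index, prev, commitment)))
        return index

    def verify_chain(self) -> bool:
        prev = GENESIS
        for index, block_prev, commitment, digest in self.blocks:
            if block_prev != prev or digest != block_hash(index, block_prev, commitment):
                return False
            prev = digest
        return True

class OffChainStore:
    """Mutable store for the personal data and each record's secret salt."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}

    def put(self, personal_data: bytes) -> int:
        salt = secrets.token_bytes(32)  # kept off-chain only
        commitment = hmac.new(salt, personal_data, hashlib.sha256).hexdigest()
        index = self.ledger.append(commitment)
        self.records[index] = (salt, personal_data)
        return index

    def verify(self, index: int) -> bool:
        if index not in self.records:
            return False  # erased: nothing left that links to the commitment
        salt, data = self.records[index]
        expected = hmac.new(salt, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.ledger.blocks[index][2])

    def erase(self, index: int) -> None:
        self.records.pop(index, None)  # drop data and salt; ledger is untouched
```

After `erase`, the chain still verifies, and the commitment left on the ledger cannot be tested against a guessed value without the deleted salt.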
Ofir Beigel, CEO, 99bitcoins.com
"GDPR and Blockchain Tech: Hi Aliaksandr, just wanted to pitch my two cents about this. Blockchain Tech and GDPR definitely don't go together. One of the main mottos of GDPR is the right to be forgotten, while Blockchain Tech is all about maintaining a public immutable ledger that no one can alter. This means that there's no actual way to be forgotten when something is written on a public Blockchain. Of course, some companies may deploy a private blockchain which allows them to do whatever they want but then it's not truly a decentralized blockchain. While these two don't go together I doubt GDPR will kill blockchain. Mainly because true public blockchains don't have any owner. Take Bitcoin for example, the government can't force Bitcoin to accept GDPR because there's no one controlling Bitcoin. As always, laws are only as good as the degree at which they can be enforced, and with truly decentralized Blockchain, they can't be. In the case of private Blockchains then this might work and GDPR may have some effect, but then again, I don't think there's anything innovative about private Blockchains in the first place. Hope this helped."
Mike Bradshaw, DigiCert
"I believe GDPR will push the current blockchain technology to evolve at a faster rate, most noticeably pushing the industry to understand the value of authentication and verification for permissioned blockchain platforms where every entity has gone through an extensive background check. The main goal of GDPR is to allow citizens to control their own data, and with the right implementation of blockchain technology that is quite achievable. Further, blockchain, if done correctly with the right authentication controls, will strengthen data ownership and provide transparency between participating entities. Privacy and security can and need to be advanced through permissioned blockchains.
Can the GDPR kill the blockchain? The basic fundamentals of blockchain technology revolve around encryption and hashing. Additionally, blockchain technology was designed to provide a distributed and transparent system. Bitcoin, as the most well-known blockchain platform, utilizes both of these fundamentals. The caveat is in the permissions of the platform. When considering GDPR, a model such as Bitcoin is certainly not suitable, since any entity without being verified could become a contributor. Utilizing blockchain for GDPR requires a unique approach, essentially providing a permissioned platform for the European Union where every participant has been verified and authenticated. If the platform has been designed with the proper fundamentals of encryption in mind as well as using technologies such as Multi-Party Computation (MPC) and Secret Sharing then I believe blockchain could be complementary to GDPR."