Europe: Privacy and Data Protection-related Laws

The European Union’s General Data Protection Regulation (GDPR) is a unified privacy regulation that seeks to harmonize and streamline the various legal frameworks in different EU member states. It regulates how companies collect, store, and process large amounts of information on EU residents. It applies to any company with a digital presence in the EU, regardless of whether or not the company is based in the EU. It introduces new procedural and organizational obligations for “data processors” (both corporate and public entities) as well as more rights for “data subjects” (individuals). Full text for GDPR can be found here.

The regulation expands the scope of what companies must consider personal data, and it requires them to carefully track the data that they store on EU residents. It gives EU residents control over their own data, and if someone wants a company to delete his or her data, send copies of it, or correct an error in it, the company has to comply. EU residents can also object to specific ways that companies use their data, for example allowing them to keep the data but not use it for certain purposes. In addition, the law requires companies to notify users within just 72 hours of a data breach. While each member state has its own method to enforce GDPR, with one GDPR supervisor for each country, there are very steep fines for companies found violating the law.

Blockchain may pose a problem for enforcement of GDPR, since blockchain relies on a distributed ledger system that is decentralized and immutable. It is intended to be a permanent, tamper-proof record that sits outside the control of any individual governing authority. Since data stored on the blockchain, including personal data, cannot be deleted, there is no way to ensure individuals’ rights granted under GDPR. It has yet to be seen whether or not existing blockchain applications storing personal data are now illegal in Europe.

At first glance, it may seem as though there are direct contradictions between GDPR and public blockchains, specifically with regard to the “right to erasure” which is at odds with the immutability at the core of blockchain technology. This is because GDPR was first proposed by the European Commission in 2012, at a time when blockchain was not very well known. A solution to this problem involves convincing regulators that “erasure” does not have to mean that data is literally deleted and that making data permanently inaccessible without deletion should produce the same results. If all personal data that links to an individual is stored only in hashed form on a blockchain, an argument could be made that the existence of the hashes on a chain does not count as a GDPR violation as it is sufficiently anonymized. Encrypting all personal data with a key and deleting the key in response to a request for erasure could be another method too. Another compromise would be to find ways to keep certain data off the blockchain, with some technologists exploring structures that store personal data elsewhere but with references to it remaining on the blockchain.

Since GDPR is so new, and its enforcement at the member state level has yet to be seen, the years to come will determine to what extent it regulates public blockchains.


Previous Section Next Section

Have a comment, edit, or item to add? Share your thoughts by commenting below!

comments powered by Disqus