Ireland is a member of the European Union and a party to the General Data Protection Rules (GDPR) and Right To Be Forgotten (RF) rules in EU privacy law. The details of how GDPR and RF apply to blockchain have yet to be worked out by the E.U. as of May 21, 2017, but they are expected to be clarified in the next couple of years. The GDPR is a relatively restrictive data protection law, and some aspects of it, such as the Right to be Forgotten, seem fundamentally incompatible with most blockchains as they are currently conceived. There is an enormous amount of ongoing discussion about how GDPR restrictions will apply to blockchains in the EU. Oxford Lecturer Michèle Finck notes that, “I think it’s safe to say that currently, most blockchains are incompatible with the GDPR, especially permissionless blockchains.” (Source). The status of European legislation on blockchain privacy needs to be closely monitored, as the GDPR only came into full force in May 2018 and its application is subject to change through clarification and interpretation, especially for new technologies such as blockchain.
The GDPR, in Article 25, prescribes the principles of “data protection by design” and “data protection by default”. “Data protection by design” means that a company processing user data must design data protection and minimization into all aspects of its business processes. According to legal advisory Mason, Hayes and Curran, “Organisations should implement and practice methods of data minimisation, such as pseudonymisation. Other methods of data protection by design include staff training, audit and policy reviews in the context of data protection.” “Data protection by default” is described as follows: “Data protection by default encourages organisations to apply the strictest privacy settings to a particular product or service at the outset of when that product or service is made available.” Although these measures are subjective, they will be enforceable given further interpretation.
As an example of how specific regulations on blockchain privacy are evolving at the time of writing, on April 20, 2018, the European Parliament passed a directive that included the line “In a bid to end the anonymity associated with virtual currencies, virtual currency exchange platforms and custodian wallet providers will, like banks, have to apply customer due diligence controls, including customer verification requirements.” E.U. Member States have 18 months to implement this directive in law. Companies entering E.U. countries such as Ireland are advised to consider the likely direction that final regulations will take in order to be prepared.
In addition to the GDPR, the current data protection rules of Ireland state, in section 2(1)(c)(iv), that “the data shall not be kept for longer than is necessary for that purpose or those purposes”. It remains to be seen whether this will include old data on blockchains, which persists well after the original transaction but is needed in perpetuity to verify the transaction and to keep the following blocks valid.