Poland is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), including its Right to Be Forgotten provisions, under EU privacy law. The GDPR took effect on May 25, 2018, replacing the Polish Data Protection Act. As of May 31, 2018, the details of how the GDPR applies to blockchain have yet to be worked out by the European Parliament, but clarification is expected in the next couple of years. The GDPR is a relatively restrictive data protection regime, and much noise has been made about its potential incompatibility with blockchain.
The provision that has especially caused concern in blockchain circles is the GDPR’s Right to Be Forgotten, which appears to be fundamentally incompatible with most blockchains as they are currently conceived. The Right to Be Forgotten is also known as the Right to Erasure. The GDPR places the responsibility for data management on an entity called a “data controller”, meaning “[a] natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” (GDPR). The Right to Erasure says that the data subject has the right to obtain from the data controller the erasure of their own personal data; among the grounds on which the data must be deleted is that “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.” Blockchains are append-only and effectively unmodifiable: transaction records are retained, in theory, forever, long past the period in which the transaction is relevant. This makes it difficult for blockchain-based systems to be erasure-compliant. It is also not clear who the data controller of personal data held on a blockchain is, or how this law will be enforced.
Oxford lecturer Michèle Finck notes that, “I think it’s safe to say that currently, most blockchains are incompatible with the GDPR, especially permissionless blockchains.” (Source).
This article describes some of the current issues to be clarified regarding blockchain and GDPR.
The GDPR, in Article 25, prescribes the principles of “data protection by design” and “data protection by default”. “Data protection by design” means that a company processing personal data must build data protection and data minimisation into all aspects of its business processes. According to the law firm Mason Hayes & Curran, “Organisations should implement and practice methods of data minimisation, such as pseudonymisation. Other methods of data protection by design include staff training, audit and policy reviews in the context of data protection.” “Data protection by default” is described as a principle that “encourages organisations to apply the strictest privacy settings to a particular product or service at the outset of when that product or service is made available.” Although these measures are subjective, they will be enforceable once further interpretation is available.
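The two technical points above, that an append-only hash chain cannot have a record erased without breaking its integrity, and that pseudonymisation is a data-minimisation measure rather than a way around that problem, can be shown concretely. The following is an added example written for this page; it is not code from the original article or from any blockchain project. The minimal hash chain, the sample records (constructed, not real people) and the demo key are all assumptions made for the illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64

# Constructed sample records; names and addresses are invented for the demo.
RECORDS = [
    {"name": "Anna Kowalska", "email": "anna@example.pl", "amount": 120},
    {"name": "Jan Nowak", "email": "jan@example.pl", "amount": 75},
    {"name": "Ewa Wisniewska", "email": "ewa@example.pl", "amount": 40},
]


def block_hash(prev_hash: str, payload: dict) -> str:
    """Hash of a block = SHA-256 over the previous hash and the canonical payload."""
    material = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def build_chain(payloads):
    """Append each payload as a block linked to the hash of the block before it."""
    chain, prev = [], GENESIS
    for payload in payloads:
        h = block_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain


def verify_chain(chain) -> bool:
    """Recompute every link; any edited payload or broken link fails verification."""
    prev = GENESIS
    for blk in chain:
        if blk["prev"] != prev or block_hash(prev, blk["payload"]) != blk["hash"]:
            return False
        prev = blk["hash"]
    return True


def erase_subject(chain, email: str):
    """Simulate honouring an erasure request in place by blanking the subject's
    personal data. Returns a modified copy; the original chain is untouched."""
    edited = copy.deepcopy(chain)
    for blk in edited:
        if blk["payload"].get("email") == email:
            blk["payload"]["name"] = ""
            blk["payload"]["email"] = ""
    return edited


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed HMAC-SHA256 pseudonym.
    The key is assumed to be held off-chain by the data controller; whoever
    holds it can still link the token back to the person."""
    ident = f"{record['name']}|{record['email']}".encode()
    token = hmac.new(key, ident, hashlib.sha256).hexdigest()
    return {"subject": token, "amount": record["amount"]}


def demo():
    """Returns (valid before erasure, valid after erasure,
    pseudonymised chain valid, first pseudonymised payload)."""
    chain = build_chain(RECORDS)
    ok_before = verify_chain(chain)
    ok_after = verify_chain(erase_subject(chain, "jan@example.pl"))
    key = b"constructed-demo-key"  # assumption: a secret kept off-chain
    pchain = build_chain([pseudonymise(r, key) for r in RECORDS])
    return ok_before, ok_after, verify_chain(pchain), pchain[0]["payload"]


if __name__ == "__main__":
    print(demo())
```

Blanking one subject's fields changes that block's recomputed hash, so every verifier rejects the chain; on a real network the only way to "erase" would be to rewrite and re-validate every later block, which is exactly what the design exists to prevent. The pseudonymised chain stays valid because the on-chain payload never changes, but note that under the GDPR a keyed pseudonym remains personal data for as long as the controller can reverse it with the key, so this is a minimisation measure, not a resolution of the erasure conflict described above.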
As an example of how regulation specific to blockchain privacy was evolving at the time of writing, on April 20, 2018, the European Parliament passed a directive that included the line “In a bid to end the anonymity associated with virtual currencies, virtual currency exchange platforms and custodian wallet providers will, like banks, have to apply customer due diligence controls, including customer verification requirements.” E.U. member states have 18 months to implement this directive in national law. Companies entering E.U. countries such as Poland are advised to consider the likely direction that final regulations will take in order to be prepared. The current (as of May 29, 2018) status of European legislation on blockchain privacy needs to be closely monitored, as the GDPR only came into full force this month and its application is sensitive to changes in clarification and interpretation, especially for new technologies such as blockchain. Some commentators see a “strenuous legal debate ahead,” which could swing the privacy regulation either way for public blockchains.