In this article, we will cover the newly adopted European legislation on the data protection called the General Data Protection Regulation or simply GDPR which sets out general principles and rules the existed businesses must comply with in order to maintain investor’s or customer’s privacy which is a fundamental human right. In the age of highly developed technologies abidance of data protection standards seems to be more complicated than it was 20 years ago. New phenomena known as blockchain makes it more difficult to preserve inherent human rights to their full extent. GDPR regulations do not directly address blockchain regulation but some of its provisions are applicable to the technology. We will alsol consider data processing through the blockchain and how European Data Protection rules might affect the whole blockchain industry.
- What is GDPR and why we need it?
Within the last two years there have been more than 2000 Initial Coin Offers (ICO) and almost all of them were collecting personal data. For most companies, personal data is the basis for their business. If the participants of the ICO are Europeans, it means that European laws must be complied with. In terms of data protection, we are talking about GDPR (Regulation(EU) 2016/679) which is the primary legislation in European Union (EU) law on data protection and privacy for all individuals within the EU and European Economic Area (EEA).
- Definition and main changes
GDPR entered into force in the EU on the 25th of May 2018. The document regulates collection and usage of personal data in the EU and is notable because of high threshold of care set for companies that collect, store and use personal data and the Regulation is binding not only on European companies but on everyone beyond the EU territory, who offers services to Europeans and collects their personal data.
It is essential to understand the key players who are involved in GDPR. First of all, there are data subjects or simply, individuals whose personal data is collected, stored and used by companies and who actually need to be protected by the regulation. Secondly, there is ‘personal data’ which involves any kind of information by using which there is a possibility to identify a person, e.g. name, phone number, location, IP address and the category of ‘sensitive data’ comprising of physical, racial, social, generic identification of that person that could potentially prejudice the individual to others. The entity (person or company) who controls the collection of personal data collected from the individual is called the ‘Controller’ who also may use a processor for processing data on its behalf under the Controller’s direction and for the Controller’s purposes.
In general, GDPR is not extremely different from the previous EU Data Protection Directive (Directive 95/46/EC). It only makes several necessary changes in order to keep pace with the quickly developing technological progress. There has been a dramatic increase of liabilities, remedies and sanctions applicable in case of non-compliance with the GDPR. The data subjects are able to seek remedies from controllers and processors, who now can have joint and several liability for the damages and they must compensate any material and non-material damage caused by the GDPR infringement. Also, authorities will be able to impose significant administrative fines which can be up to 20 millions of euros, or more depending on the infringement, with fines rising to up to 4% of the global turnover which can be much higher.
Also, there will be more difficult for organisations to get a data subject’s consent to use of their data. GDPR requires direct consent from the part of an individual, thus, opt-out is no longer valid anymore which makes the work of controllers more complicated.
Moreover, the material and territorial scope of the new regulation is significantly broader. In terms of material scope, according to GDPR, both processors and controllers will be liable (before this liability rested only with Controllers). In terms of territorial scope, now GDPR applies not only to the processors and controllers established in the EU but to those who are beyond the EU territory but still using personal data of EU citizens.
Data security has several changes such and now a Controller is obliged to provide a data breach report to the competent authorities within 72 hours without undue delay. Failure to do so may lead to imposing a fine on the organization.
- ‘Right to be forgotten’
According to the art. 17(1) of the European regulation ‘The Data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have an obligation to erase personal data without undue delay they one of the grounds stated in the regulation applies.’ These grounds might be:
- the personal data are no longer necessary in relation to the purpose for which they were collected;
- the data have been unlawfully processed;
- the data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the data has been collected in relation to the offer of information society services directly to a child. The processing of the child’s data can be lawful where the child is 16 years old or older, otherwise, the consent of the holder of parental responsibility is essential.
2. Difficulties of Blockchain Data processing
It is a common knowledge that the revolutionary benefit of the blockchain is that the data on the blockchain is impossible to delete or alter. The main idea of technology constitutes the distributed storage of data. To understand how the system works, it is essential to know the basic elements,such as the structure of block and the principles of storage the data.
Block in a blockchain consists of three parts: data, hash and hash of previous block. Data is a piece of information stored in a block and the hash is a unique code which identifies the particular data and can be compared to the fingerprint. Once the block of data is created, its hash is calculated and in case of a change of the unique hash the block is not the same anymore. And as each block is a part of a chain, it has a hash of the previous block that makes all the blocks interconnected. Thus, when the hash of one block is changed, the previous block’s hash is automatically not valid and leads to the crash of the whole chain. This whole process makes the blockchain immutable where changing the data on at least one block breaks the whole chain.
As it has already been said, the essential idea of a blockchain is the distributed storage of data. This model makes the technology resistant to the illegal financial schemes and in case if dishonest “player” tries to change or add other data, other “players” will simply notice and reject the change and the Block will remain unaltered.
3. The Blockchain – GDPR paradox
Modern technologies face a lot of challenges when it comes to their legal side and cryptocurrency is not an exception. As it has already been mentioned, personal data fixed on the block cannot be changed or deleted which is completely inconsistent with the data protection regulation. The private blockchains are more adapted to the new legislation rather than public versions, where the host is unknown and the data subjects are not aware of where their personal data is stored, who is in charge of it and where it might be moved.
The Paradox itself is as follows: the main goal of GDPR is to provide citizens with a control of their personal data. But blockchain technology does not ensure this right due to the impossibility of erasure of the data from the blocks without crashing the whole blockchain. Even throwing away the encryption keys which encrypts personal data in the blockchain is not considered as an “erasure of data” according to the GDPR.
Thus, the only acceptable way is to store data off-chain thereby rendering links and hashes stored on the blockchain completely useless. This way seems like a good solution to the GDPR-compliance problem but nevertheless it deprives the data subjects from following their data: they are not aware anymore of who can use it and who is able to access it. Moreover, such a system does not allow one to use the technology to its full potential and does not guarantee the same results and benefits as most blockchain technology solutions.