When the GDPR entered into force on May 25, 2018, mailboxes around the world were flooded with obligatory emails by various services informing their customers about the new “GDPR compliant privacy policies.” All of us have been a “victim” of this annoyance and we’re well aware that nobody reads the terms of service, but we assure you – this one actually matters.
The GDPR has been labeled as “the most significant overhaul of EU’s data protection legislation since 1995” for a reason. Companies can no longer hide dubious data collection policies under 10,000-word “terms and conditions” that read like they’ve been produced by legal gibberish generators. Under GDPR, businesses are held accountable and privacy is no longer a meaningless buzzword.
The long-awaited revamp of EU’s supranational privacy regulations coincides with the emergence of DLT as one of the most disruptive global phenomena of the 21st century. The blockchain landscape is such, that stern regulations on cryptocurrencies or blockchain technology in one country have immense ripple effects across the industry — and the extra-territorial applicability of the regulation just aids this process unequivocally.
This article investigates the legal and functional ramifications of the GDPR and the newly inaugurated “Right to be forgotten” on all stakeholders in the blockchain industry.
What is GDPR?
While the former (1995) Data Protection Directive – based on the principles of transparency, legitimate purpose, and proportionality – was designed to ameliorate the “Right of privacy” as stipulated in Article 8 of the European Convention on Human Rights, it was essentially ineffective at doing so in any meaningful way. The old legislation, drafted before the breakthrough of the Internet, simply wasn’t suitable to address the problem of privacy in the Digital Age. Furthermore, the lack of technical certainty and clarity of the DPD led to big discrepancies in its implementation in the national legal systems of EU member states.
In an attempt to unify the data protection laws of all EU member states and counter the newly arising challenges of the Digital Era, on January 25, 2012, the European Commision announced its plan to reform the data protection laws of the European Union.
The new General Data Protection Regulation set to replace the Data Protection Directive (95/46/EC) was published in May, 2016; two years after, on May 25, 2018, it became directly applicable to all EU Member States. The objective of the regulation is to protect the fundamental rights and freedoms, as well as the right to the protection of personal data of more than half a billion citizens of EU member states.
You can think of the GDPR as a sort of “consumer Bill of Rights” regulating the processing of user data. There’s a key difference between the GDPR and the DPD from a formal standpoint: a regulation is a binding, immediately enforceable legislative act that overrides all national laws dealing with the same subject matter; a directive, on the other hand, is a legislative act that sets out an objective or policy which needs to be attained and leaves the means by which the objective will be achieved to the individual countries.
Before we dive into the effects of GDPR on both data processors and data subjects, let’s get familiar with the general terms and definitions of the GDPR:
- Personal data, within the means of the GDPR, is defined as any information relating to an identified or identifiable natural person.
- Identifiable person is defined as a natural person that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing means any operation or set of operations performed upon personal data, such as collection, recording, storage, use, disclosure by transmission or dissemination, erasure, or destruction.
- Data controller is defined as a subject that gives instructions for the purposes and ways in which personal data is processed.
- Data processor is the subject that processes the personal data on behalf of the data controller.
How does the GDPR affect data subjects and data processors?
Recent events, such as the Cambridge Analytica scandal or the various disturbing privacy violations disclosed by Snowden and Assange, showed us that we have virtually no control over the data gathered about us by various data processors. The GDPR sets to correct this injustice by giving the power back to us – the people – by explicitly enunciating the rights we have over our own data.
The first thing that must be addressed is the territorial scope of the GDPR. As defined in the original text, the regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. […] The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.”
To put this in perspective, extraterritorial applicability in the context of the GDPR means that data processors such as cryptocurrency exchanges, wallet providers, peer-to-peer markets, and other blockchain-related service providers are likely to be affected by the regulation due to the transnational nature of their business operations.
The GDPR means different things for different businesses. Multinational companies based outside the EU may decide to block Europeans from accessing their services, or take a more radical approach and completely shut down their EU operations. For small data-driven businesses inside the EU, the cost of GDPR (non)compliance may be the very end of their existence. Coinbase, the biggest crypto exchange in the US, has already implemented separate privacy policies for US and EU residents. London based P2P exchange CoinTouch announced its closure because it was unable to endure the costs of GDPR compliance.
GDPR compliance is by no means a cheap endeavor. According to the latest survey done by Netsparker which analyzes the information gathered from 302 Chief Executives of US-based businesses, 59.6% of them will spend somewhere between $50,000 and $1 million, while 10.3% will spend more than $1 million to comply with GDPR standards. However, GDPR compliance is still considerably cheaper than non-compliance, as the infringement penalties can get up to €20 million or 4% of the company’s global annual turnover in the prior financial year — whichever is higher.
That being said, the individual and societal benefits of the GDPR far outweigh the financial consequences that data processors may endure. Under the GDPR, EU citizens truly own their information. They have the right to be informed, the right to access all their data at will, the right to rectification, and the right to object. Furthermore, companies can no longer hide security breaches for years; rather, they must send data breach notifications to individuals within 72 hours.
Although the GDPR has far-reaching implications on both data processors and data subjects in general, in times of pronounced hype surrounding DLT one particular power bestowed upon EU citizens got the widest attention within the blockchain community: the “Right to erasure,” better known as the “Right to be forgotten”.
What does the right to be forgotten mean for the promotion of innovation in the blockchain space?
Blockchain Technology and The Right to be Forgotten
The roots of the “Right to be forgotten“ can be traced back to Google Spain v. AEPD and Mario Costeja González. In this case, the Court of Justice affirmed that upon data subject’s request “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person…” This ruling by the Court of Justice can be thought of as the first conceptualization of the “Right to be forgotten” which was later expanded upon in the GDPR.
Article 17 of the GDPR mandates that the data subject “shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
It becomes obvious at first glance that the GDPR right to be forgotten – designed for a world where data is centrally stored and processed – is profoundly incompatible with permissionless and decentralized blockchains not only at the technical, but also at a conceptual level.
Put simply, a blockchain is a data structure that allows a network of distrusting peers to share a continuously growing list of records (grouped in blocks) linked together and secured using cryptography. The state of the blockchain is determined by what is known as emergent consensus. Emergent consensus is a technical term describing the way in which thousands of independent nodes, following simple rules dictated by the consensus algorithm, reach an agreement on the latest state of the blockchain.
Decentralized blockchains do not rely on central authorities to process data and, therefore, the idea of data controllers that can erase personal data from the blockchain is rendered meaningless. Besides, blockchains are, by design, tamper-proof. The modification of data in a blockchain is possible in theory, but in reality we can’t expect a straightforward application of the right to erasure to decentralized blockchains. Not only is the enforcement of the GDPR on public and permissionless blockchains almost impossible from a technical standpoint, but the mere idea of a right to erasure goes against everything blockchains stand for. Looking at blockchains as mere apolitical technological tools is a narrow-headed, reductionist approach to the study of this multi-layered technological and cultural phenomenon.
Blockchain immutability is not just a technical feature, but also a political statement.
The very first block of the very first blockchain introduced to the world holds an unignorable political message “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.” It seems that the technology was set up to avoid intrusion and tampering by anyone (including governments) right from the beginning.
Upon closer inspection, the legal incongruities of the GDPR in regards to blockchain technology become clear as day. Let’s take a look, for example, at how the GDPR defines “personal data” and what that means for public blockchains.
“Personal data is any information relating directly or indirectly to a ‘living natural person’, whether it actually identifies them or makes them identifiable.”
There’s nothing ambiguous about direct identification, but when it comes to indirect identification things get messy.
According to the Opinion 05/2014 of the Article 29 Data Protection Working Party, encryption and hashing are techniques of pseudonymization, and pseudonymized data is still considered private data under GDPR. Translated into plain English, this means that both transactional data and public keys published on the Bitcoin blockchain (or any other public blockchain for that matter) are labelled as pseudonymized private data under the regulation.
To make things worse, the Bitcoin protocol has nodes all over the world, which begs the question: is the Bitcoin blockchain in direct opposition to the strict cross-border data transfer provisions of the GDPR?
If that is the case, we can conclude that at the present moment blockchains and GDPR are completely incompatible, and in order for them to coexist – one of them will have to change.
Viable reconciliation solutions
Generally speaking, there are two possible paths we can take in devising workable solutions to the compliance problem of DLT and GDPR. We can either amend the regulation – this time with distributed data processing in mind – or we can figure out ways to make the existing blockchains GDPR-compliant.
On April 5, 2018, Coin Center, a major DC think tank, published a post stating that the new European regulation is completely incompatible with DLT and proposed that DLT should be exempt from the regulation.
“That said, we’re optimistic that our European friends will come to see that their legitimate privacy concerns are best addressed not through law, but through decentralizing technology itself.”
Although this provocative proposal is well-founded, it’s highly unlikely that the “European friends” will take it into consideration. There might be, however, another more sensical approach to the problem. As Michèle Finck, a Senior Research Fellow at the Max Planck Institute points out: the meaning of erasure is not exactly defined in the GDPR, which opens the door to other interpretations than absolute deletion.
Softer interpretations of the right to be forgotten, in conjunction with the lowering of standards by which pseudonymized personally identifiable information is labelled as private data after the obfuscation by various masking techniques such as hashing and encryption, may be the way forward. Once your private information has undergone encryption and hashing, it’s very, very hard for someone to de-anonymize that data to the point of personally identifiable information. This is as good an anonymity guarantee as any and, considering what a headache the implementation of GDPR into the blockchain space will be, it might be time for us to accept it.
It’s one thing to leave raw data in the hands of a centralized operator and to rely on their good behaviour for safe keeping, it’s another thing to have encrypted (basically unintelligible) data that means nothing to the naked eye available for public viewing. The former leaves a lot of space for privacy abuse, while the latter seems to be working just fine in that regard.
On the other end of the tunnel, developers are working on new methods and technologies in order to anonymize private data on blockchains in an attempt to keep them out of GDPR’s scope. Possible solutions entail the utilization of private channels where two or more nodes share the encrypted personal information exclusively between each other and publish only the hash of the (final) encrypted data on the blockchain. In this way, the other nodes in the network can see that data has been shared at a specific time, but they are not able to see the content.
A further, rather controversial option may be the storage of private data on completely separate off-chain structures, and post-referencing to that data on the blockchain. Although this method is suitable for the purposes of the GDPR, it beats the purpose of DLT. Other methods such as transaction pruning and chameleon-hashes are also workable solutions of this type, but they also break the sanctity of “blockchain immutability.”
Some experts on the subject advocate for the implementation of various anonymization technologies such as stealth addresses, zero-knowledge proofs, ring signatures or even adding “noise” to the data, as a way of circumventing the strict provisions of the law. Anonymous cryptocurrencies such as Monero and Zcash have successfully implemented these technologies, but then again, authorities don’t seem too fond of them as they’re a disaster from an AML and CTF perspective.
Lastly, we’re left with the seemingly unsolvable problem of implementation. Stating that something needs to change in the blockchain world and actually changing it are two very different things. The aforementioned solutions may work for blockchain projects that are in the development stage, but for seasoned projects such as Bitcoin, Ethereum, Litecoin and others, the case is very different.
Decentralization implies rigidity by default. If a change in the protocol is to happen, a three-layer consensus must be reached. First, the core developers of the project must agree on the amendments in the code and devise working solutions to the problem; second, the miners must accept the update in the software and agree to process data under the new rules; finally, it’s up to the users to decide whether they will actually use the newly amended technology. As history has taught us, this process can last for years and usually results in divisions in the community or, in the case of cryptocurrencies, with forks in the blockchain.
The GDPR vs. Blockchain Takeaway
Blockchains and the GDPR seem to advocate for the same normative objective: give ordinary people back the control over their personal data, and radically change the way in which data processors are currently managing personal data.
Regardless, the concept of blockchain immutability and the right of erasure seem to be completely incompatible with each other.
- Who can ensure that each node in a distributed system is GDPR compliant?
- How can the regulators effectively enforce these new regulations on blockchain projects?
- Even if regulators hypothetically choose to ban blockchains, how will they stop people from using them without breaking the same rights of privacy they claim to protect?
- Can we label miners as data controllers or data processors?
- How do we determine the appropriate jurisdiction and applicable law in case of breaches and failures, having in mind that data processing is done simultaneously all around the world?
If these problems are to be solved, regulators need to accept the new wave of technological innovation and build bridges to overcome present challenges. Legal experts need to work in conjunction with computer scientists and relevant stakeholders in the industry in order to devise regulatory solutions that promote responsible innovation and protect the private data of individuals.
Finally, there’s no doubt in anyone’s mind that the GDPR is the right move in the right direction, but it shouldn’t come at the cost of technological advancement in the blockchain space.
Disclaimer: the author has not invested in cryptocurrencies, but has accepted a crypto payment on rare occasions.