Since people can store personal data in blockchains, the technology could fall under the purview of the upcoming European change to privacy law. But blockchain technology may be fundamentally incompatible with Europe’s new privacy rules, Washington, DC think tank Coin Center said today in a new post.
The General Data Protection Regulation (GDPR) will take effect on May 25th this year, more than two years after it was first signed into law. Under the new rule, if an EU citizen requests that their personal data be erased from a company’s records, the company will have to obey.
But with blockchain, a complete erasure of any stored personal data might not be possible, experts told The Verge. “Modifying data on a blockchain is very hard,” Oxford Law lecturer Michèle Finck told The Verge, “If you were to delete or modify data from the blockchain to comply with the GDPR’s rights to amendment or the ‘right to be forgotten,’ you wouldn’t just change that piece of data, but the hash of the block containing the data and of all subsequent blocks.”
Finck added, “I think it’s safe to say that currently, most blockchains are incompatible with the GDPR, especially permissionless blockchains.” She said that although many blockchain projects are currently thinking about how to design tech that would be GDPR-compliant, the problem is that “there are so many points of tension...way beyond the right [for personal data] to be forgotten.”
By their very nature, transactions on a blockchain aren’t meant to be deleted but to be recorded permanently. It would also be difficult to stop every place transmitting a Bitcoin transaction. “This is by design,” Andries Van Humbeeck, co-founder and blockchain consultant at TheLedger.be, a Belgium company that provides blockchain-related training and advice, told The Verge. “It’s the basics of blockchain technology.”
Van Humbeeck reiterated Finck’s point that modifying one block meant changing all blocks that followed after, and he added that could have terrible consequences: “If you purge a block of transactions, the truthfulness of all subsequent blocks of transactions becomes questionable.” Transaction recording helps blockchains keep track of payments and a false transaction could have financial consequences for users. When it comes to the blockchain that Bitcoin is powered by, “all Bitcoin transactions after that purged block become untrustworthy, which would undermine the complete system,” said Van Humbeeck.
Jerry Brito, executive director of Coin Center wrote in a post today that regulators should notice that the new law is “incompatible with the reality of open blockchain networks,” which are ruled by no single party but are decentralized.
Given that blockchain and the GDPR currently don’t work together, one of the two may have to change. Blockchain developers could utilize new technologies to make personal data anonymous, which would keep blockchains out of the GDPR’s scope. Alternatively, European judges could rule blockchains don’t have to delete any personal data, as Coin Center advises. If both blockchains and the GDPR don’t change, Coin Center is warning that the outcome could be a problem for blockchain developers in the EU: “The result of the law, then, may be that Europe is closing itself off from the future of the Internet to its detriment.”