Europe’s General Data Protection Regulations (GDPR) took effect on May 25, 2018. Under Europe’s new privacy laws, any citizen of the EU has a legal right to request a company erase their personal data from corporate records.
Specifically, Article 17 of the GDPR states:
“[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay“
There are, of course, exemptions from the right to erasure in Article 17. However, it is unclear from all parties, including European regulators, whether any of those exemptions might apply to blockchain.
Blockchain’s Immutability Concerns
Blockchain technology is a notable storage solution, due in large part to its unique attributes which include transparency, immutability, decentralization. However, despite being such a robust solution, removing personal data from a blockchain is extremely challenging because each block of data contains a hash of the previous one.
Blockchain technology was never designed to be deleted or modified. Instead, the technology was deliberately constructed so that all transactions would be tracked alongside hosting a permanent record of such transactions.
The question that follows is therefore, how can a company using blockchain technology be GDPR compliant if the technology itself cannot allow them to be so and how will European data protection and privacy regulators approach this issue?
Nigel Houlden, Head of Technology Policy at the Information Commissioner’s Office (ICO)—the body responsible for enforcing data protection and privacy regulations in the United Kingdom—admitted in an eForum panel in London last month that he has, “nightmares about blockchain’s ability to protect personal data.“
Houlden also mentioned he’s “still got some doubts about how practical use of blockchain technology )a distributed open ledger that allows a theoretically limitless number of actors to view and make various transactions that the ledger records) can comply with the legislation“.
In addition, Houlden remarked that ,“there was an urgent need for government departments and the tech industry to work together to arrive at something that’s a workable solution“.
GDPR Limiting Scope Of Options Or Presenting New Opportunity?
The reality is that the options are rather limited when it comes to finding a solution to this unique challenge presented by distributed ledger technologies. Blockchain developers may have to develop new technologies to either enable personal data to be deleted or else make personal data entirely anonymous which would keep blockchain out of the GDPR scope.
Failing that, the only other alternative is, (which doesn’t seem like a viable alternative in my view), that Europe may end up, to its detriment, pushing companies advancing blockchain technology out of Europe.
Considering the fear that operating in Europe will subject these technology companies and service providers to the very real risk of non-compliance with European regulation, no company may want this type of exposure following them around like a black cloud.
Although blockchain technology holds much promise, even in the realm of legal services through the proliferation of smart contracts, certain attributes accompanying blockchain might require compromise to ensure regulatory compliance.
Concurrently, European regulators may need to reconsider their inimical stance towards blockchain to ensure they don’t prevent innovation in what is already a rapidly expanding new technology.
While much about blockchain remains to be clarified by regulators, barring a change in attitude, companies might find themselves moving to friendlier jurisdictions.
With the complications of GDPR proving a tall order to observe, distributing a blockchain-based product or service in Europe may be complicated endeavour until the lines are more clearly drawn.
Do you have questions about how to navigate the legal complexities of blockchain and GDPR? Contact us at [email protected] to learn more about regulations and how they might impact your enterprise or blockchain business.