What are the compatibility issues between GDPR and blockchain?

24 May 2018

How will blockchain co-exist with GDPR after 25 May?

GDPR is a transformative regulation for both EU data subjects and any organisations that deal with people within the bloc.

The regulation itself had been in development for several years, having kicked off in earnest in January 2012. The final text was agreed by the close of 2015 and it entered into force in February of 2016, with the implementation date set at 25 May 2018.

While officials were getting granular with legal wrangling, other developments in the world of tech and business were gaining popularity.

Blockchain technology is probably one of the most talked-about evolutions in the tech world but, while it is heralded for its innovative potential, it does present some major compatibility issues with the EU regulation.

Siliconrepublic.com spoke to Laura Jehl, partner at law firm BakerHostetler in Washington DC. An expert in privacy, data protection, compliance and blockchain, she has noticed some areas where blockchain and GDPR may end up butting heads – particularly in the realm of digital identity.

“I think, with digital identity solutions or anything using blockchain for identity, the intent is quite compatible with GDPR. There’s a sense of the individual having more control over the data and data minimisation in terms of what gets shared, and it’s all great until you get to the right of erasure and data portability,” Jehl said.

“If whatever is on the blockchain is defined as personal data, then they’re fundamentally incompatible because the blockchain is immutable.”

Personal data under GDPR

She added that for EU data subjects to use the growing number of blockchain-enabled digital products, certainty must be reached that the data entered on to the blockchain is not defined as personal data under GDPR. This is a very broad definition indeed, and it includes identifiable information such as numbers, as well as factors specific to a person’s physical, physiological, mental, economic, cultural or social identity.

“If you look at the way digital identity solutions are described, they’re described as the individual having more control over their data, over who gets it, over how much is shared – and that’s exactly what GDPR wants. But then, there’s the controller issue and the fact the EU wants to help you [a data subject] protect your right to change your mind.”

This presents problems for blockchain-based digital identity solutions, where you might be sharing all of this information in different contexts with different third parties. “There are two issues; one is the question ‘Is this personal data?’ and two is ‘Who is the controller?’ because GDPR doesn’t really contemplate individuals as the controller.”

The consent issue also presents its own set of problems. “If you consented once, you might not keep consenting and that’s really the issue with blockchain solutions. On the controller issue, I really think if the individual can be the controller then perhaps the blockchain solution can merely be the processor, but it doesn’t get around all the issues.”

Encryption of the data could also be a major help, Jehl posited. “If you can easily re-engineer a hashed piece of data, then it’s pseudonymous personal data still subject to GDPR, but if it’s encrypted and I can’t, then it’s anonymised.”

She noted that cryptocurrency exchanges must keep some data off-chain to comply with know-your-customer and anti-money-laundering laws, which presents further roadblocks.

Two movements at odds?

The European conception of GDPR is heavily government-dependent and institution-centric, whereas blockchain has arisen out of crypto anarchy and the very philosophy of making centralised institutions obsolete.

In Jehl’s view, it’s a case of two new movements in the digital world converging. “It’s an issue of emerging technology literally emerging at the same time as emerging law. So, the law, even though it has never been interpreted or held up in court, it will have to shape the architecture of these systems, how they get designed. Clearly, during the drafting of GDPR, blockchain wasn’t in the forefront of anybody’s mind in the way it is emerging to be now.”

Blockchain and the EU

Jehl described legal analysis around blockchain and GDPR as “quite tricky” as encryption of data may not make sense for all blockchain solutions. She also questioned what companies will be told to do with data already on existing blockchains. “You can’t really undo what has been done. If the law doesn’t develop, does that mean all blockchain solutions are blocked from EU data subjects? Will Europe be cutting itself off from the next round of technological innovation?”

In recent months, Jehl has found the general consensus around the enforcement of GDPR to be that a large tech firm is likely to be fined before SMEs or their ilk are, as the EU “needs to set a precedent quickly”. She said the EU will want to essentially demonstrate to the wider world that it is “not kidding” about enforcing the regulation, and those in violation of it will be penalised.

As the world looks on after GDPR is enforced, does Jehl think the US could end up introducing more stringent data protection rules? “I wouldn’t be surprised.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects