Blockchain and GDPR are struggling to co-exist
A very interesting challenge over the past few years has been the arrival of different types of regulation for the blockchain and cryptocurrency space. The crypto markets are still by and large unregulated, and this causes huge issues today. Blockchain technology is also facing a huge challenge from the new EU data protection regulations put in place last year.
Sceptics think it’s impossible for the two (blockchain and GDPR) to co-exist
It’s been almost ten months since the new EU data regulations, also known as GDPR (General Data Protection Regulation), were put in place. GDPR exists to protect individuals and their personal data, which is often stored across a multitude of online websites, eCommerce shops and service operators. And then we have blockchain technology: the new buzzword, still in its early stages and still not massively used around the world today.
GDPR aims to remove old and illegal storage of personal data
One of the goals of GDPR was to help individuals gain better control of their own personal data and have their data removed from a company’s records, through the “Right to be Forgotten” aspect.
That meant that companies can’t just keep someone’s data forever, use it however they want, and share it with whoever they want. For many companies it was a struggle to change their processes to adapt to the new requirements. Too many companies were storing data using poor methods, sharing it too freely with their partners, and keeping it well past any realistic timeframe.
Michèle Finck is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition in Munich, and she has recently published a book on the topic of blockchain and regulations. In her book she explains the difficulties that GDPR presents for blockchain. It’s obvious that a technology that aims for immutability by keeping an endless history of previous data available on the chain is going to run into some issues with GDPR.
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). In simplest terms, data should be kept to a minimum level, but it isn’t straightforward for blockchains because of their append-only and replicating design.”
“If we look at it from a blockchain perspective,” says Finck, “this forces us to be more specific about what data minimization means and this, perhaps surprisingly, is an area where there isn’t much clarification by courts or relevant regulators in various jurisdictions.”
Different solutions are in the works?
Off-chain storage a working but questionable solution?
A solution to this and other data issues is to use a combined on-chain and off-chain system. Some data is stored on-chain, and this data can’t be removed. Other data is stored in a separate off-chain database, and this data could ultimately be erased. The off-chain data would still be linked to on-chain data, so that it is functionally stored on the blockchain.
But this solution raises a lot of initial questions. At first glance it kinda defeats the true nature of the blockchain, where the data is immutable. Questions around the storage and security of that data are another big issue. Is that data ultimately stored on a centralised database, where you lack clarity about how it’s stored, who can access it, and whether it is ultimately secure?
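The on-chain/off-chain split described above can be sketched as follows. This is an added example, not code from the article or from any blockchain project; `Ledger`, `OffChainStore` and `commit` are hypothetical names, the ledger is a toy hash chain, and the personal records are constructed sample data. Only a salted digest goes on-chain, and the record and its salt live in the erasable store.

```python
import hashlib, json, os

def commit(record: dict, salt: bytes) -> str:
    """Salted SHA-256 commitment to a record; only this digest goes on-chain."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(salt + payload).hexdigest()

class Ledger:  # toy append-only hash chain standing in for the blockchain
    def __init__(self):
        self.blocks = []
    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        digest = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.blocks.append({"prev": prev, "commitment": commitment, "hash": digest})
        return len(self.blocks) - 1
    def valid(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            expected = hashlib.sha256((prev + b["commitment"]).encode()).hexdigest()
            if b["prev"] != prev or b["hash"] != expected:
                return False
            prev = b["hash"]
        return True

class OffChainStore:  # erasable database holding the personal data and its salt
    def __init__(self):
        self.rows = {}
    def put(self, idx: int, record: dict, salt: bytes) -> None:
        self.rows[idx] = (record, salt)
    def erase(self, idx: int) -> None:
        self.rows.pop(idx, None)  # the salt goes too, so the digest can't be re-derived by guessing
    def verify(self, idx: int, ledger: Ledger):
        row = self.rows.get(idx)
        if row is None:
            return None  # erased: nothing left to match against the on-chain digest
        record, salt = row
        return commit(record, salt) == ledger.blocks[idx]["commitment"]

def demo():
    ledger, store = Ledger(), OffChainStore()
    people = [{"name": "Alice Example", "email": "alice@example.test"},  # constructed
              {"name": "Bob Example", "email": "bob@example.test"}]      # sample records
    for p in people:
        salt = os.urandom(16)
        store.put(ledger.append(commit(p, salt)), p, salt)
    before = store.verify(0, ledger)
    store.erase(0)  # the erasure request is served off-chain only
    return before, store.verify(0, ledger), store.verify(1, ledger), ledger.valid()
```

After the erasure the chain still validates and the other record still verifies, while the erased record's digest remains on-chain with nothing left to check it against.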
Encrypting the data and making it available to the individual
Another potential solution might be to have the data stored on the blockchain but encrypted, so that whoever owns the private keys can decrypt the data and can also, in effect, have it removed from the chain by erasing those private keys. However, this is not foolproof: EU law says that encrypted data is not anonymous, meaning that it is still considered personal data and therefore still poses the initial challenges.
Blockchain is in its infancy, and we need to keep on testing new solutions
GDPR is ultimately a positive solution to an ever-growing problem, where personal data is carelessly stored and shared by companies and organisations worldwide. But it does create some early issues, not only for blockchain companies but for all types of companies that deal with personal data in one way or another. Blockchain technology is in its infancy, and we need to keep experimenting and evaluating new solutions to challenges like this.
The EU is also a firm believer in how technology can enhance our lives, and blockchain technology has been a common topic for discussion during various meetings and research projects. So we can expect to see progress being made in this space in the coming years.