Now that the European Union’s General Data Protection Regulation (GDPR)--the most comprehensive individual data protection law in history--has gone into effect, it is important to know where your business stands in regard to your potential liability. One technology that has a rather lot of ambiguity surrounding it is blockchain, which is essentially an encrypted and distributed digital ledger. How is the development of blockchain, which is built on the idea of security through transparency, going to fare under the guidelines of the new GDPR regulations?
The issue at hand for blockchain technology is actually in the GDPR mandate itself. Under the GDPR, if an organization that doesn’t need personal data, obtains personal data, they are not to keep that data, but are required to delete it. Since you can’t delete blockchain nodes, it stands to reason that the GDPR would be a problem for companies that are looking to innovate using blockchain technology. Ironically, blockchain and the GDPR, despite not having the same agenda in creation, have been cultivated with a shared purpose: to protect the rights of individuals to make the decisions about their own data, but blockchain is not designed to be GDPR-compatible as it is written today.
Technology moves fast so while the GDPR has just now gone into effect, it is already being challenged by technological innovation. The GDPR was designed to be technologically agnostic and flexible enough to allow for such innovations, the blockchain is already testing that. Many of the applications that blockchain is used for actually lend themselves well to the mandate triad of confidentiality, integrity, and availability. In blockchain, the transactions themselves use encryption to be confidential, but the overall ledger, and this is the problem, will still be transparent.
For example, Joe could pay with his blockchain-based account for a physical (as most of the EU has universal healthcare). The particulars (account number, and other personal information) could be hidden, but the record would show that Joe paid so many euros worth of cryptocurrency for a physical. Under the GDPR, because that information, while encrypted, is still in possession of the company that has no rights to it--and it can’t be deleted from the blockchain--it constitutes a breach of the GDPR. Many EU-based companies have stopped accepting Bitcoin and other distributed cryptocurrencies as payments (for a litany of reasons, one being the GDPR).
Now, the GDPR only covers EU-member countries and people doing business with them, but with how much money is being invested in venture capital for blockchain research and application development, it stands to reason that the EU governing body will have to make eventual amendments to the mandate.
The most interesting question going forward is, which is the future of data security? Is it GDPR-like mandates like the California Consumer Privacy Act (CCPA), or is it blockchain itself? What do you think about the GDPR regulation? Would you like to see data privacy be as protected in your country? Or do you think that it is a hindrance to innovation and progress? Leave your comments below and return to our blog regularly.