Blockchain is a type of online technology that is used to track, record, and make all transactions publicly visible by giving users transparency, decentralization, and immutability. Since 2008, it has made its way to a multitude of industries, transforming and revolutionizing them.

Among other advantages, blockchain offers an additional level of security by storing information on a decentralized ledger. Still, some of its concepts might be contradictory to the current General Data Protection Regulation (GDPR). Since the moment of its introduction, the law has left many wondering if blockchain is compatible with it. Let’s take a closer look at this issue.

GDPR Goals

The GDPR was implemented by the EU on May 25, 2018, to regulate their citizens’ rights for online privacy, which means that persons and parties (such as Facebook and Google) aren’t allowed to collect users’ data without their explicit consent.

According to the GDPR, personal data includes anything that can identify someone, for example, location, name, ID, etc.

Additionally, according to the regulations, if a person or entity decides to remove their profile or identity from a certain web platform, it has to be removed entirely without any information left behind.

Notably, these rules also apply to people and parties in other countries outside the EU if they offer items for access (website/web platform) or purchase (online store, etc.) to the citizens in the EU geographical locations.

If an organization is not following the compliance regulations established by the GDPR, it can receive a fine of 4% of its annual turnover or a flat fee of 20 million euros. The penalties are on a sliding scale and depend on the severity of non-compliance.

Three Types of Blockchain Users 

Blockchain uses data in many different ways, and there are three types of users: an accessor, participant, and miner, all of which have different roles.

The accessor is a person or party who has primary access (read and copy) to the chain. The participant is a person or party who can make transactions on the chain, which will require the verification from the miner.

The miner is a person who verifies transactions and makes blocks within the chain. Miners follow blockchain guidelines for what can and can’t be accepted.

Blockchain and GDPR: Can They Coexist?

Blockchain collects data from a transaction itself. This means that if the transaction contains information that could be private, all those who have access to the blockchain can see that same information, making it possible for someone to be identified either directly or indirectly.

Here one should note that the level of data access permissions varies depending on the type of the blockchain network. That is, in public (permissionless) blockchains the data is accessible to everyone within the network, while in private (permissioned) ones only a selected group of participants can access data.

Another type is consortium blockchains that are practically similar to private ones but with one main difference – participants can precisely determine the level of permission for each particular operation in the network (like it is done, for example, in Hyperledger).

Citizens living in the EU and using blockchain soon realized that the GDPR comes into play and affects the technology. The GDPR wasn’t created to control technology, only the way technology collects data from its users. However, it’s making blockchain users’ lives a bit more complicated.

The GDPR consent guidelines do not allow a Terms and Conditions agreement to be extended and written in a language only lawyers would understand. This means that people and parties must ask for user consent in a readable form, clearly stating their intentions.

In this light, the Commission Nationale de l’Informatique et des Libertés (CNIL) suggested that the EU look at the GDPR through the lens of its interaction with blockchain and analyze what solutions could potentially be reached.

How Can Companies Act to Comply with GDPR Right Now?

First, companies need to review their online sales and marketing activity to make sure they aren’t collecting personal data, so that they remain compliant with the GDPR.

Second, companies need to review their Terms and Conditions to make sure they’re concise. If they are too long and complicated, they would have to be simplified and made more user-friendly. This includes adopting user consent widgets and beginning to offer an “opt-out” option for email marketing.

How Can These Issues Be Solved in the Nearest Future?

The CNIL believes that the blockchain challenge to comply with “human rights and fundamental freedoms” requires a solution in collaboration with European authorities.

One of the solutions is to create a more streamlined GDPR application by using blockchain technology. Recently, Slant released a solution to the GDPR, which is compliant with the data privacy regulations. Their app uses the EOS blockchain, which allows both the individual and the company to make the data that they store on the app private.

Currently, there are several organizations working towards reaching a compromise between blockchain and the GDPR. For example, POA Network and LTO Network formed a partnership with the aim of tackling this challenge by developing a new public blockchain solution compliant with the GDPR.

What Are the Pros and Cons of the Possible Compromise?

For blockchain and GDPR to coexist without any conflicts, three things need to happen.

First, the user should be able to quickly search through any types of data that could be used to identify this individual or a company on a blockchain solution.

Second, after user data is obtained, the blockchain company must be able to extract it and then send it to that specific individual or a company whose information is on the blockchain ledger.

Third, if that individual or company wants the data to be removed completely, the blockchain company must delete that data.

All of the above points make up the pros of the possible compromise. However, the biggest drawback here is the requirement to ultimately redesign the blockchain technology.

This implies giving users the possibility to remove their data, which is currently considered immutable. At this point, this might contradict the initial logic of blockchain.

Peace of Mind for Blockchain Users in Europe

If your business is located under the EU jurisdiction, it doesn’t mean you cannot use blockchain. We recommend following these three simple steps to start your blockchain journey:

1) Before switching your current business model to the blockchain technology, weigh all your options to determine if you really need a blockchain solution. Here is the checklist OpenLedger put together and published recently to help you decide if you need blockchain or not.

2) If you determined that you need it, start with reviewing your business model to ensure that you’re following the GDPR guidelines.

A quick way to begin is to review your terms and user agreements to find out if your website is collecting identifiable information from your users. Then, you should make sure users will be able to remove that information easily upon request.

3) Contact a company that specializes in blockchain solutions for complete guidance on creating a solution that is compliant with the GDPR.

What Might the Future Hold for Blockchain and GDPR?

Undoubtedly, software engineers should join forces to create a blockchain solution that won’t have legal issues. Who knows, maybe a year from now we will witness a GDPR-compliant blockchain able to handle personal data requests with no violations.

At that point, blockchain will again prove its status as an innovative and reliable technology, allowing users to process information with due respect to EU regulations.