Blockchain is on a collision course with EU privacy law

Those who have heard of “blockchain” technology generally know it as the underpinning of the bitcoin virtual currency, but there are myriad organizations planning different kinds of applications for it: executing contracts, modernizing land registries, even providing new systems for identity management.

There’s one huge problem on the horizon, though: European privacy law.

The bloc’s General Data Protection law, which will come into effect in a few months’ time, says people must be able to demand that their personal data is rectified or deleted under many circumstances.

A blockchain is essentially a growing, shared record of past activity that’s distributed across many computers, and the whole point is that this chain of transactions (or other fragments of information) is in practice unchangeable – this is what ensures the reliability of the information stored in the blockchain.

For blockchain projects that involve the storage of personal data, these two facts do not mix well.

And with sanctions for flouting the GDPR including fines of up to €20 million or 4 percent of global revenues, many businesses may find the ultra-buzzy blockchain trend a lot less palatable than they first thought.

“[The GDPR] is agnostic about which specific technology is used for the processing, but it introduces a mandatory obligation for data controllers to apply the principle of ‘data protection by design’,” said Jan Philipp Albrecht, the member of the European Parliament who shepherded the GDPR through the legislative process.

“This means for example that the data subject’s rights can be easily exercised, including the right to deletion of data when it is no longer needed.

This is where blockchain applications will run into problems and will probably not be GDPR compliant.”

Altering data “just doesn’t work on a blockchain,” said John Mathews, the chief finance officer for Bitnation, a project that aims to provide blockchain-based identity and governance services, as well as document storage.

“Blockchains are by their nature immutable. The GDPR says you must be able to remove some data, so those two things don’t square off.”

There are two main types of blockchain: private or “permissioned” blockchains that are under the control of a limited group (such as the Ripple blockchain that’s designed to ease payments between financial services providers); and public or “permissionless” blockchains that aren’t really under anyone’s control (such as the bitcoin or Ethereum networks).

It is technically possible to rewrite the data held on a blockchain, but only if most nodes on the network agree to create a new “fork” (version) of the blockchain that includes the changes — and to then continue using that version rather than the original.

That’s relatively easy on a private blockchain, if not ideal, but on a public blockchain, it’s a seismic and exceedingly rare event.

At least as the technology is currently designed, there is little to no scope for fixing or removing bits of information here and there on an ongoing basis.
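The point about in-place changes versus forks can be made concrete with a small sketch. This is an added example, not code from the article or from any project it names; it assumes the usual design in which each block stores a hash of its predecessor (a detail the article does not spell out), and the ledger entries are constructed.

```python
import hashlib
import json

def block_hash(index, prev_hash, record):
    """SHA-256 over the block's position, its parent's hash and its record."""
    body = json.dumps({"index": index, "prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(records):
    """Link records so that each block commits to the hash of the one before it."""
    chain, prev = [], "0" * 64
    for i, record in enumerate(records):
        h = block_hash(i, prev, record)
        chain.append({"index": i, "prev": prev, "record": record, "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = "0" * 64
    for block in chain:
        if block["prev"] != prev or block_hash(block["index"], prev, block["record"]) != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def erase_in_place(chain, index):
    """What an erasure request asks for: blank one record, touch nothing else."""
    edited = [dict(b) for b in chain]
    edited[index]["record"] = "[erased]"
    return edited

def fork_with_erasure(chain, index):
    """Rebuild the chain with the record blanked; every later block gets a new hash."""
    records = [b["record"] for b in chain]
    records[index] = "[erased]"
    return build_chain(records)

def rewritten_blocks(original, fork):
    """Indices whose hash differs between the original chain and the fork."""
    return [a["index"] for a, b in zip(original, fork) if a["hash"] != b["hash"]]

# Constructed sample ledger; the names and entries are invented.
RECORDS = ["parcel 17 -> Alice Example", "parcel 18 -> Bob Example",
           "parcel 17 -> Carol Example", "parcel 19 -> Dan Example"]
CHAIN = build_chain(RECORDS)
```

Blanking one record in place makes verification fail at that block, while the fork verifies cleanly but replaces every block from the edited one onward, which is why the rest of the network has to agree to adopt it.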

“From a blockchain point of view, the GDPR is already out of date,” Mathews said. “Regulation plays catch-up with technology. The GDPR was written on the assumption that you have centralized services controlling access rights to the user’s data, which is the opposite of what a permissionless blockchain does.”

Jutta Steiner is the founder of Parity.io, a startup that develops decentralized technologies, and the former security chief for the Ethereum Foundation. She agrees with Mathews that “the GDPR needs a proper review.”

“From a practitioner’s perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works,” Steiner said.

“The way [public decentralized network] architecture works, means there is no such thing as the deletion of personal data. The issue with information is once it’s out, it’s out.
