The European Union’s General Data Protection Regulation (GDPR) is set to go into effect on May 18, 2018. This EU regulation is already confounding many EU companies who wish to employ blockchain technology. When implemented, the GDPR will allow customers to request the removal of their personal data. Unfortunately, this contradicts the blockchain’s primary feature, its immutable nature.
It also presents a technical conundrum. For personal data to be removed, it must be erasable. However, public blockchains have no control over who hosts a node. In short, it is simply not possible to alter data on a public blockchain.
Ironically, the EU regulation may undermine the trend toward personal data ownership rather than advance it. As argued in The Ledger:
Here is the paradox: The goal of GDPR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” GDPR prohibits us from storing personal data on a blockchain level, thereby losing the ability to enhance control of your own personal data.
The GDPR is creating an untenable situation for companies as well. The regulators likely had Amazon and other cloud service providers in mind when they composed their rules (centralized services that control user data). Now, any company that puts personal data on the blockchain must cease and desist (absent a workaround). The blockchain does not fit the model of what came before it. However, that seems to be beside the point for EU regulators:
“[The GDPR] is agnostic about which specific technology is used for the processing, but it introduces a mandatory obligation for data controllers to apply the principle of ‘data protection by design’,” said Jan Philipp Albrecht, the member of the European Parliament who shepherded the GDPR through the legislative process. This means for example that the data subject’s rights can be easily exercised, including the right to deletion of data when it is no longer needed. This is where blockchain applications will run into problems and will probably not be GDPR compliant. (TheNextWeb)
Regulatory Intransigence & Company Liability
EU companies cannot risk non-compliance; they simply cannot afford it. And the EU will enforce this regulation whether it is impractical or not. As one blockchain founder has stated, “From a practitioner’s perspective, it sounds to me that it was drafted by trying to implement a certain perspective of how the world should be without taking into account how technology actually works.” (The Ledger)
Of course, strict enforcement will likely put Europe at a competitive disadvantage with regard to blockchain technology. And how will this affect smart contracts? “When you start having a decentralized network it breaks down entirely. You can’t have a contract with [all] the nodes on the Ethereum network. It’s unfeasible.” (IPDB Foundation co-founder Greg McMullen). And yet, a host of industries (healthcare, insurance, etc.) are waiting to be transformed if they can simply move forward in this direction.
Several questions beg to be answered, particularly in regard to enforcement. How will compliance be enforced? Will such regulation make decentralized autonomous organizations (DAOs) more popular? After all, whom will regulators approach to conduct a DAO audit? And who will be punished for non-compliance?
Various blockchain experts are hurriedly seeking to come up with solutions. One solution is to “blacklist” personal data so that it is not served when requested (even though it is not deleted). Another suggested solution is to substitute hashes (mathematical derivations of data) for the personal data itself. This would enable personal data to be verified without exposing it, and it would also enable data deletion without altering the blockchain.
Perhaps the most obvious short-term fix is simply to store the personal data off-chain, provided that the blockchain has the means to reference it. Some technologists believe this is the answer:
“An interesting solution to the problem is a dual data handling architecture, where contractual elements of a transaction happen on-chain via smart contracts and the actual data transfer happens off-chain. This also solves scalability issues we’re facing with Blockchain technology in its current state.” (Coin Telegraph)
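As an added illustration (not code from the article or from any project it quotes) of the hash-substitution and off-chain patterns described above: the personal data and a random salt live off-chain, only a salted commitment is appended to a simulated chain, and an erasure request deletes the off-chain record while the chain stays untouched. `Chain`, `OffChainStore` and the sample e-mail address are constructed for this example.

```python
import hashlib
import hmac
import os

class Chain:
    """Append-only list standing in for an immutable public ledger (constructed stand-in)."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment: bytes) -> int:
        self.blocks.append(commitment)
        return len(self.blocks) - 1  # the index serves as the on-chain reference

def commit(data: bytes, salt: bytes) -> bytes:
    """Salted SHA-256 commitment. A bare hash of guessable personal data could be
    matched by hashing candidates, so the salt stays off-chain and is erased with the data."""
    return hashlib.sha256(salt + data).digest()

class OffChainStore:
    """Holds personal data and its salt off-chain, keyed by chain index."""
    def __init__(self):
        self.records = {}

    def put(self, chain: Chain, data: bytes) -> int:
        salt = os.urandom(32)
        idx = chain.append(commit(data, salt))
        self.records[idx] = (data, salt)
        return idx

    def verify(self, chain: Chain, idx: int) -> bool:
        """True only while the off-chain record still matches the on-chain commitment."""
        rec = self.records.get(idx)
        if rec is None:
            return False
        data, salt = rec
        return hmac.compare_digest(commit(data, salt), chain.blocks[idx])

    def erase(self, idx: int) -> bool:
        """Honour an erasure request: the chain is untouched, the record disappears."""
        return self.records.pop(idx, None) is not None

def demo() -> dict:
    chain, store = Chain(), OffChainStore()
    idx = store.put(chain, b"alice@example.com")  # constructed sample value
    before = store.verify(chain, idx)
    store.erase(idx)
    after = store.verify(chain, idx)
    # the commitment is not the plain hash of the data, so it cannot be matched by guessing
    linkable = chain.blocks[idx] == hashlib.sha256(b"alice@example.com").digest()
    return {"before": before, "after": after,
            "blocks": len(chain.blocks), "linkable": linkable}
```

After erasure the on-chain commitment is still there, but with the data and salt gone it can no longer be verified or linked back to the person.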
Still, such a solution does a disservice to the blockchain’s character. This is particularly true when only a centralized institution (say, a bank) can understand a data reference point. Off-chain solutions have been criticized for reducing transparency and reducing the benefits inherent in data-ownership. Storing data off-chain will also lead to greater complexity (and thus data errors) as well as greater vulnerability to hacking.
Will GDPR adapt to the technology, or will the technology adapt to GDPR? Given that EU regulations are slow to change, the latter appears most probable. If EU corporations end up making off-chain solutions the standard, they will certainly forgo many of the benefits blockchain has to offer. And perhaps that will not become readily apparent to most – until it creates real problems down the line.