After two years of notice, the GDPR comes into force. Today the European Union (EU) has launched the new GDPR privacy rules. While many websites from Europe have been shut down because they did not comply with the new General Data Protection Regulation, many people have started wondering how blockchains fit into this scheme.
For the moment it is a bit unclear whether blockchains should conform to the new rules, mainly because of their decentralized nature.
At first glance, some might say that the blockchain is anonymous, but after some research, we find that blockchains, namely those of bitcoin and ethereum, are not entirely anonymous. They are in fact pseudo-anonymous, which can make the GDPR applicable to the two examples.
However, the processing of data is not enough; the EU wrote that it must be personal data. In the first articles of the GDPR, the authorities have stated that the rules are applicable to “all information relating to an identified or identifiable natural person.”
Furthermore, we know that the blockchain has to store all the transactions that a person has made. Along with the information about the operations, the blockchain can store data on credit card balances and payment sources which in the digital world are both allocated to the identity of a user and the crypto address.
“personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” Art. 4.
With the right tools and knowledge, it is possible for anyone to trace the identity of an investor or a crypto user by accessing. This is possible due to the hashes which are in place for user identification. Besides that, some exchanges have imposed KYC procedures, which means that the identity of a user can be discovered very easily.
On that note, the GDPR is applicable for blockchains, but only in theory.
Another interesting aspect that raises many questions on the GDPR and blockchain is Art. 17, titled the “Right to erasure or ‘right to be forgotten’”.
“the controller [of data] shall have the obligation to erase personal data without undue delay where one of the following grounds applies”
Following this statement, the blockchain becomes invalid since its main attributes are created for keeping data built in, unchanged and permanent on the network. This type of architecture is the reason why the blockchain has been accepted as the most trusted technology for storing essential data like payments, user identity and so on. In addition to that, the blockchain was created so that an external or centralized force cannot touch it.
While it’s hard to believe that this rule could be applied to blockchains, it could instead be imposed on the cryptocurrency exchanges which are obligated to gather user information. Art. 17 explains that a “controller” has to delete the personal info of a user if the data is “no longer necessary in relation to the purposes for which they were collected or otherwise processed.”
In other words, after the user stops using the cryptocurrency exchange.
The Scapegoats of the Blockchain
According to the document, those who violate the terms of the GDPR are liable for paying huge fines, namely “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In the case of blockchains like bitcoin, there is no owner, and the mining pools do not play a decision-making role in how the content of the blockchain is used.
In this scenario, the only people who could be held accountable for mishandling the user data are the Full Nodes. A person who has a copy of the blockchain and decides to distribute any information or data for his own purposes could become responsible for violating the rules of the GDPR.
While these are mere examples of how the GDPR could affect the public blockchains, nobody knows if the regulators have taken this area of technology into consideration. Until further notice, according to a brief analysis of the documents, the only ones who might suffer are the private nodes and possibly the crypto exchanges.