In early summer, online services users started receiving dozens of emails from websites/apps with a request to re-grant permission for processing their personal data. The reason was for the entry into force of the GDPR (General Data Protection Regulation) and, as a consequence, the need to update policies and procedures for the handling of users’ personal data.
The EU Directive introduced a guarantee of absolute privacy of a new order for the Internet users. Their list includes the “right to be forgotten” and the right to know who, where and how stores the user’s personal data and which third parties and for what purposes will be shared this information. At the same time, having quite an extensive technical component, the European Directive has become a wake-up call for developing technologies. Blockchain has appeared in the risk area in connection with its properties such as complete transparency, as well as the inability to change and delete information that has been previously entered. Our article is dedicated to the challenges the blockchain technology has faced after GDPR adoption.
- Unchangeable ‘digital footprints’ that blockchain smart contracts leave behind
Smart contracts are a revolutionary technology that allows to build fully autonomous infrastructures and thus avoid intermediaries, making services cheaper and more accessible. But his technology has a peculiar feature that comes into conflict with the GDPR. The fact is that every action of a user of the service, developed by using a smart contract, is recorded by a smart contract in the blockchain. It is kind of a ‘protocol’ of a person’s action, which cannot be faked or forged. But GDPR allows companies to collect only the information, which is necessary for their business activities and remove it immediately after cessation of work with the client. Taking into account the fact that transactions, which have been previously made cannot be amended or removed from the blockchain, a number of questions arise to the register of users’ ‘digital footprints’, which is fully uncontrollable, and therefore not GDPR-compliant.
- “Miners” as processors of personal data in the blockchain that runs on PoW
Presently, the blockchain, which works on Proof-of-Work (PoW) consensus algorithm, is considered to the most sustainable one. The essence of this algorithm lies in the fact that the maintenance of such a blockchain is provided by millions of so-called “Miners” who use their computing power to confirm new transactions. Thus, should one of them decide to fake a transaction, the system will reject it. This is why many companies choose blockchains running on PoW to develop their decentralized applications. But, considering this type of blockchain in the context of the GDPR, the question arises as to the processing and confirmation of transactions by millions of computers. The fact that the GDPR obliges the companies that collect personal information to enter into contracts with third parties to whom they send these data and provide their clients the information about such third parties and the purpose of personal data transfer. Considering that transactions in conjunction with the additional data may be personalized, you should think whether the “Miners” will be recognized as processors of such personal data. If this hypothesis is confirmed, the question arises, how feasible it is to sign agreements with all the “Miners” who process transactions of your clients, and whether you should sign such agreements in this case at all.
- ‘Transparency’ of records in the blockchain and the Privacy by Design principle in the European Directive
One of the most fundamental GDPR principles is the principle of Privacy by Design. Its essence lies in the fact that the services that are being developed should by default include in the very future architecture’s ‘foundation’ of the service those mechanisms that will allow to provide maximum privacy to their users. This concept is diametrically opposed to the principles of transparency, on which the blockchain technology operates. In light of this fact, the urgent issue of future projects is on the agenda, which are based on public blockchains, where each transaction can be tracked in each period of time. In conclusion, it should be noted that at all times, regulation has lagged behind technical progress. Realizing the fact that the work on the GDPR was started back in 2012, it is obvious that such rapid blockchain development was impossible to foresee at that time. Today, the blockchain technology is poised to become WEB 3.0 when all online services will be developed with its use. As this process is irreversible – there are optimistic forecasts that the regulation will adapt to technology.
Nestor Dubnevich, the Head of the Blockchain-practice of JUSCUTUM Attorneys Association