On the day GDPR came into force, tech giant Facebook faced a fine for a GDPR violation. The violation stemmed from the technology and the processes of data storage. As a result, Mark Zuckerberg’s company received a notification about the violation, as the owner of the data and the entity responsible for GDPR compliance.
Now let’s imagine a situation in which the process of storing personal data in Bitcoin’s blockchain violates the rights of a particular person. Which person or entity will be responsible for this violation? Satoshi Nakamoto? Or all owners of Bitcoin’s blockchain nodes?
Blockchain’s key features, such as the decentralised storage of data, immutability and full transparency, can make it very challenging to implement blockchain processes in accordance with the new Data Protection Directive. There are several reasons for this.
- Immutable ‘digital footprints’ in blockchain made by smart contracts.
The smart contract is one of the most revolutionary technologies: it opens up the opportunity for fintech projects to communicate with customers without any centralised governance. All transactions are performed by fully autonomous program algorithms and can’t be administered by any intermediaries. This technology makes it possible for a company to achieve total transparency in its interaction with customers.
However, when we consider smart contracts under the GDPR requirements, we should remember one important feature of this technology: if a blockchain-based service uses a smart contract, every customer’s ‘digital footprint’ is automatically recorded in the blockchain. According to GDPR, companies can collect only the data that is necessary for carrying out their business activities. Once the company has finished providing services to the customer, it has to delete all of the customer’s data without delay. Blockchain, as a technology of decentralised data storage, doesn’t allow this on a technical level.
- ‘Miners’ as processors of data in blockchains that work on PoW.
Today PoW (Proof-of-Work) is recognised as the strongest consensus algorithm in blockchain technology. The network of millions of miners supports the blockchain system by using their computing power to confirm transactions. This is the reason why this consensus algorithm is the most popular for services whose main aim is fully secure data storage.
Under GDPR, if a company uses third-party providers for data processing, it has to sign agreements with all of them that define the responsibilities and guarantees surrounding such data processing. If blockchain miners are recognised as data processors, they will fall under the Data Protection requirements, and a company that uses this technology might face problems signing agreements with these miners (today Bitcoin’s blockchain is supported by hundreds of thousands of Bitcoin miners).
- Full transparency of recorded transactions in public blockchain and ‘Privacy by Design’ as one of the GDPR approaches.
According to GDPR, one of the most important company obligations is secure data storage. For this purpose, the company has to implement all necessary measures and ensure safe technology for data storage. This is also called ‘Data Protection by Design’. However, the design of blockchain technology aims to give a new level of transparency for customers. Every transaction is available for checking and tracking in ‘blockchain explorers’. Therefore, this situation results in contradictions between GDPR approaches and blockchain principles.
Ultimately, technological progress is faster than the regulatory process. Blockchain technology has the chance to become the new Internet (like Web 2.0) and be used by most businesses for operational optimisation. However, it’s impossible to implement an AI autopilot on a horse-drawn trolley, and the changes will need to be on the government’s side, because the tech revolution is an irreversible process.
Nestor Dubnevych – Head of Blockchain Practice, Juscutum