Is blockchain technology GDPR compliant?
In just a few weeks the new privacy regulation of the European Union, the General Data Protection Regulation (GDPR), will take effect. Yet most companies still seem to be in a state of denial, burying their heads in the sand, waiting until the last moment and hoping for a miracle in which their governments give up aligning national legislation with the GDPR requirements. While there are many implications for companies around the world, we are interested in one particular case: companies that offer solutions based on blockchain technology, given that it was one of the fastest-emerging technologies of 2017. Many promising implementations have been launched in recent years, ranging from new cryptocurrencies, tokens, representation of company shares and identity directories to copyright and intellectual property protection. Some of these new solutions will also have to meet the GDPR requirements if they are going to be used by European residents. From the above examples, let's take a closer look at how cryptocurrencies, specifically the leading cryptocurrency Bitcoin and the privacy-oriented cryptocurrency Monero, are affected by GDPR. GDPR contains many requirements; we will look only at a few key ones to show its impact.
Confidentiality
According to GDPR you must have appropriate security in place to prevent the personal data you hold from being accidentally or deliberately compromised (Article 5(1)(f) of the GDPR). Any information relating to an identifiable person, who can be directly or indirectly identified in particular by reference to an identifier, is considered personal data (Article 4 of the GDPR). This means that a crypto wallet address can be regarded as an identifier that directly relates an individual to information on the blockchain. Bitcoin is fully traceable and does not ensure confidentiality: if you know someone's wallet address, you can check their current balance and their entire transaction history. Monero, on the other hand, is designed with privacy in mind. Even if someone knows your wallet address, they cannot check your balance or transaction history.
Right to access
According to GDPR, individuals have the right to access their personal data and supplementary information (see Articles 12 and 15 and Recital 63). Bitcoin meets this requirement: the content is fully traceable and you can access your personal data and supplementary information at any time. The downside is that your data is accessible not only to you but to everyone. Monero, like Bitcoin, is also fully traceable and you can access all your data at any time, but with Monero no one but you can access it.
Right to erasure
The GDPR introduces a right for individuals to have their personal data erased (see Articles 6, 9, 12 and 17 and Recitals 65 and 66). This is also called the right to "be forgotten". Meeting this requirement is impossible when using Bitcoin. In fact, a blockchain has not been designed to "forget", but rather to remember all transaction data since the genesis of the chain. With Monero, by contrast, the right to be forgotten becomes extremely simple: if you want to be forgotten, just "delete" all your keys.
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete (see Articles 5, 12, 16 and 19). Neither cryptocurrency meets this requirement, since both are subject to the second restrictive blockchain characteristic: immutability. This means that you cannot modify an existing block in the chain, as doing so changes its hash and thereby breaks the checksum that every subsequent block depends on. While Monero strictly does not meet this requirement, this does not necessarily pose a risk, since no one else has visibility of, or access to, your (wrong or incomplete) data.
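The immutability point above, and the erasure point in the previous section, can be seen in a few lines of code. The following is an added example, not code from this article nor from Bitcoin or Monero: a deliberately simplified hash chain (no proof of work, no Merkle tree, no network) over constructed transaction records. The `Block`, `build_chain`, `verify_chain`, `edit_block` and `erase_block` names and the `GENESIS_PREV` sentinel are this example's own. It shows that overwriting or removing a block leaves a detectable break at the next block, and that the final block is only protected if its hash is recorded somewhere outside the chain (in a real network, the tip the peers have agreed on).

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

GENESIS_PREV = "0" * 64  # hypothetical sentinel for the genesis block's predecessor


@dataclass(frozen=True)
class Block:
    """Minimal block: position, hash of the previous block, one transaction record."""
    index: int
    prev_hash: str
    data: str


def block_hash(block: Block) -> str:
    """SHA-256 over the whole block, so the hash commits to both prev_hash and data."""
    payload = json.dumps(
        {"index": block.index, "prev_hash": block.prev_hash, "data": block.data},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records: List[str]) -> List[Block]:
    """Append one block per record, linking each to the hash of the block before it."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, record in enumerate(records):
        block = Block(index=i, prev_hash=prev, data=record)
        chain.append(block)
        prev = block_hash(block)
    return chain


def verify_chain(chain: List[Block], expected_tip_hash: str) -> Optional[int]:
    """Return the index of the first block that no longer fits, or None if intact.

    expected_tip_hash is the hash of the last block as recorded independently
    (in a real network: the tip the peers agree on). Without it, an edit to the
    final block would go unnoticed, because no later block commits to it yet.
    """
    if not chain or chain[0].prev_hash != GENESIS_PREV:
        return 0
    for i in range(1, len(chain)):
        if chain[i].prev_hash != block_hash(chain[i - 1]):
            return i
    if block_hash(chain[-1]) != expected_tip_hash:
        return len(chain) - 1
    return None


def edit_block(chain: List[Block], index: int, new_data: str) -> List[Block]:
    """Naive 'rectification': overwrite one block's data, leave the rest untouched."""
    edited = list(chain)
    edited[index] = replace(chain[index], data=new_data)
    return edited


def erase_block(chain: List[Block], index: int) -> List[Block]:
    """Naive 'erasure': drop one block, leave the rest untouched."""
    return chain[:index] + chain[index + 1:]


# Constructed sample ledger; the addresses and amounts are illustrative only.
SAMPLE_RECORDS = [
    "addr_A -> addr_B : 1.0",
    "addr_B -> addr_C : 0.4",
    "addr_C -> addr_D : 0.1",
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    tip = block_hash(chain[-1])
    print("intact chain, first bad block:", verify_chain(chain, tip))
    print("after editing block 1:",
          verify_chain(edit_block(chain, 1, "addr_B -> addr_C : 4.0"), tip))
    print("after erasing block 1:", verify_chain(erase_block(chain, 1), tip))
```

Running the file prints the index of the first inconsistent block for each attempt: `None` for the untouched chain, `2` after editing block 1 (block 2 still carries the old hash of block 1), and `1` after erasing block 1 (what is now block 1 points at a block that no longer exists). The `expected_tip_hash` parameter is the practical caveat: a verifier that only walks the links would accept an edited or removed final block, because nothing inside the chain commits to it yet.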
Privacy by design
GDPR requires you to consider and implement technical and organisational data protection measures and to integrate them into your processing activities during the design phase (Article 25 of the GDPR). Bitcoin was not developed with privacy in mind, and any new application relying on Bitcoin will have to deal with this caveat. It is worth noting that hundreds of other blockchain projects, whether launched via an ICO or not, currently have similar privacy problems. Monero, on the other hand, was designed with privacy in mind. With its recent move to protect the blockchain against centralisation and ASICs, the project has once again demonstrated and applied "privacy and security by design".
In conclusion, applications based on blockchain technology, such as Bitcoin, do not meet GDPR requirements by default and will have to put in extra effort to compensate for fundamental properties of blockchain technology such as transparency, immutability and permanent recording in order to align their solutions with GDPR. Some, however, like Monero, have been designed with privacy and security in mind and are by default more compliant with GDPR than others. Note that in this article we have only looked at a few GDPR requirements and that full compliance with GDPR would require many other technical and organisational measures to be considered.