On May 25, 2018, the European Union's General Data Protection Regulation (GDPR) becomes applicable across the EU. Expanding upon, and ultimately replacing, the 1995 Data Protection Directive (DPD), the GDPR gives a much more specific definition of what constitutes "personal data" and of how it must be handled by any organisation that offers products or services to people in the EU, wherever that organisation is based. Because it is a regulation rather than a directive, national governments do not have to pass implementing legislation: the rules are directly binding on any business that markets goods or services to customers in the EU or monitors their behaviour. We are going to lay out 3 ways that these new rules will affect current or upcoming projects in the blockchain ecosystem.
Since the 1995 Data Protection Directive, technological innovation has transformed the collection of personal digital data. With the breadth of customer information now available to businesses, and the popularity of social media and internet platforms that track and record data for third-party use, consumers are less confident in the safety of their personal information online. One of the biggest changes from the DPD to the GDPR is the set of categories that make up personal data: anything that can identify a person directly or indirectly, including online identifiers such as IP addresses, device identifiers and location data. The chart below illustrates the now expansive definition of personal data under the GDPR.
These changes can drastically affect the marketing efforts of companies that gather information on buying habits, search results, and social platforms to build buyer profiles for goods and services. Each form of personal information listed in the chart above needs a documented lawful basis before it can be used, and for marketing profiles that basis is usually the individual's consent, which the company must be able to evidence. It is also important to note that inaction does not constitute consent under the GDPR: silence and pre-ticked boxes do not count. Today, people are met by 70-page user agreements that outline every legal concern a company could encounter; under the GDPR, consent must be requested in a concise, easy-to-understand form, clearly separated from other terms, and it must be as easy to withdraw as it was to give.
Even if consent is given, the consumer may later withdraw it and ask to be removed from the database and for their information to be erased (the "right to be forgotten", Article 17). This possibly poses the largest threat to companies using blockchain technology, which is built as an append-only, immutable database that is not meant to be altered: personal data written to a public chain cannot be deleted on request. The usual workaround is to keep the personal data off-chain, in a store the controller can delete from, and to put only a reference on the blockchain: a hash of the consent record and the other information, which lets anyone verify that the off-chain record matches what was agreed. Two caveats apply. A hash of guessable data (an email address, a date of birth) can be reversed simply by hashing candidate values, so it is still personal data; and even a well-chosen hash remains on the chain after the off-chain record is erased. However, why implement a blockchain solution at all if you need to give up the transparency and on-chain storage that motivated it, while creating a more complex system?
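To make the off-chain/on-chain split concrete, here is an added example (written for this post, not Coinaccord code or any particular blockchain's API). It assumes an in-memory list as a stand-in for the ledger and a dictionary as the off-chain store, and it uses one technique the post does not specify: the on-chain reference is a keyed hash (HMAC-SHA256) under a random per-record key that lives only off-chain, so erasing the record and its key leaves a commitment that can no longer be linked to anyone, while a plain SHA-256 of the record is shown to be reversible from a list of guesses.

```python
"""Off-chain personal data, on-chain commitment (constructed example)."""
import copy
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the public ledger: append-only, never deleted from.
LEDGER = []
# Constructed stand-in for the controller's off-chain database (deletable).
OFF_CHAIN = {}


def canonical(obj):
    """Deterministic JSON encoding so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def naive_commitment(record):
    """Plain SHA-256 of the record: what 'put a hash on chain' often means."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_commitment(key, record):
    """HMAC-SHA256 under a per-record key; unguessable without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def register(record_id, personal_data, consent):
    """Store data + consent off-chain under a fresh key; anchor only the
    keyed hash on the ledger. record_id must not itself be personal data."""
    key = secrets.token_bytes(32)
    record = {"data": copy.deepcopy(personal_data),
              "consent": copy.deepcopy(consent)}
    OFF_CHAIN[record_id] = {"record": record, "key": key}
    commitment = keyed_commitment(key, record)
    LEDGER.append({"id": record_id, "commitment": commitment})
    return commitment


def verify(record_id):
    """Check that the off-chain record (including its consent) still matches
    what was anchored on the ledger. Any edit to the consent breaks this."""
    entry = OFF_CHAIN.get(record_id)
    expected = next((e["commitment"] for e in LEDGER if e["id"] == record_id), None)
    if entry is None or expected is None:
        return False
    actual = keyed_commitment(entry["key"], entry["record"])
    return hmac.compare_digest(expected, actual)


def erase(record_id):
    """Right to erasure: delete the off-chain record and its key. The ledger
    entry stays, but without the key it cannot be tied back to the person."""
    OFF_CHAIN.pop(record_id, None)


def dictionary_attack(target_digest, candidates):
    """What an attacker does with a plain hash on a public chain: hash guesses
    until one matches. Returns the recovered record, or None."""
    for candidate in candidates:
        if naive_commitment(candidate) == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    consent = {"purpose": "marketing", "given": "2018-05-25"}
    c = register("rec-1", {"email": "alice@example.com"}, consent)
    print("anchored:", c, "verifies:", verify("rec-1"))
    erase("rec-1")
    print("after erasure verifies:", verify("rec-1"), "ledger entries:", len(LEDGER))
```

The point the ledger entry makes is that erasure is only meaningful if the on-chain value cannot be recomputed from public information; with a plain hash of an email address, anyone holding a list of addresses can re-identify the record even after the controller has deleted it.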
Previously, the DPD placed its obligations on Data Controllers, defined as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." The GDPR keeps that definition but makes a second party directly liable for what is done with personal data: the Data Processor, "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." Under the DPD a processor's duties flowed only through its contract with the controller; under the GDPR they are imposed by the regulation itself.
Data controllers are expected to build their systems around "data protection by design and by default" (Article 25), which is to say that every step of a business process must take the security of customers' personal information into account. Measures such as pseudonymising personal data are named explicitly as a compliance tool, and pseudonymity is a feature the blockchain already has: users are identified by addresses rather than names. Note, though, that pseudonymised data still counts as personal data if it can be linked back to a person, so an address that can be tied to an identity through an exchange account or a transaction pattern is not anonymous. Controllers are responsible, and liable, for implementing effective measures all the way through to processing, even when that processing is done by a third party. Third-party processors must be bound to the controller by a contract that sets out the processing (Article 28) and are themselves responsible and liable for the security of customer data.
Many organisations will need to appoint a Data Protection Officer: this is required for public authorities and for any controller or processor whose core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data, regardless of company size. The DPO must be fluent in the processes carried out by both controllers and processors when it comes to customer data. The DPO acts as a monitor of security measures, but also creates a central point of accountability, something blockchain looks to avoid. On a positive note, if there is a data breach, the GDPR requires the controller to report it to the supervisory authority within 72 hours of becoming aware of it and to notify the affected individuals without undue delay when the breach is likely to put them at high risk, and processors must tell controllers without undue delay. In today's markets, a breach may not be reported for weeks or months as centralised organisations struggle to work out the cause and breadth of the breach. On a public blockchain, on-chain activity is visible to everyone, so issues and bad actors are much more easily revealed.
Ultimately, the entire premise of controllers versus processors is built on the assumption of centralised, traditional business models. Clearly the GDPR was not drafted with blockchain technology in mind. Rules that so clearly define roles for traditional models create massive unknowns for decentralised organisations looking to run on a public blockchain, where every node stores and relays the data, and the fines for breaking these rules are severe. As stated in the regulation, companies may be fined up to 20 million euro or 4% of their worldwide annual turnover, whichever is higher. Yet this also raises the question: how do you fine a decentralised organisation?
Finally, the GDPR sets rules for transferring personal data about people in the EU to other countries, which some have taken to mean that EU data may not leave the EU. There is no distinct and all-encompassing ban on data export; instead Chapter V lays down conditions, some of which we have plucked from the legislation.
- Transfers to countries the European Commission has found to ensure an adequate level of protection may go ahead without further authorisation.
- Transfers to other countries need appropriate safeguards, such as standard contractual clauses or binding corporate rules, that hold whoever processes the data to the same standard of security and protection.
- If data is to leave the EU, the people concerned must be told about the transfer; where no adequacy decision or safeguard applies, one of the remaining options is their explicit consent, given after being informed of the risks.
- If their data is breached or disclosed, the notification duties described above still apply: the supervisory authority within 72 hours, and the individuals themselves where the breach puts them at high risk.
Given these rules, monitoring and ensuring that every node in a public blockchain adheres to them would be a logistical nightmare, since any node anywhere in the world can download a full copy of the chain. Furthermore, if you are using a public blockchain, built on a peer-to-peer, decentralised system and stored on nodes located around the globe, where does your data truly exist, and who is transferring it to whom? These are the kinds of questions that the GDPR does not directly answer for blockchain projects.
Online Copy of the GDPR: https://gdpr-info.eu/art-25-gdpr/
Coinaccord is a Canadian Blockchain Venture Studio that strives to create entirely new and decentralized models on a global scale. As a company run by humans, we want to know if we’ve made a mistake. Do we need to make a correction or do you have a different point of view on the topic? Let us know in our Medium comments.