How GDPR Could Deflate the Blockchain Hype

Firms adopting blockchain technology could struggle to comply with the EU’s incoming GDPR rules. They could be forced to choose between finding ways to bridge the gap, even if that results in less secure systems, and retreating to their home markets.

With less than four months to go until the EU’s GDPR (General Data Protection Regulation) goes live, and with 2018 said by some to be ‘the year of blockchain adoption’, it is no surprise that a recent EY survey found up to 78 percent of financial institutions consider data protection and data privacy compliance a growing concern.

With a cost of non-compliance up to EUR20 million – or 4 percent of worldwide turnover – as well as possible upcoming compensation claims from individuals, this is rightfully a top of mind issue for any firm pursuing applications of blockchain technology.

The challenge is that there appears to be a paradox between GDPR and the many blockchain projects banks are pursuing – a paradox which appears fundamental to their respective goals.

This paradox is a result of the core elements of GDPR. The first is the ‘data controller’ role, which in generic terms is the function that decides the purpose and means of data processing. The second is the ‘data processor’ role, which processes the data under the instruction of the controller.

GDPR has a stated goal to “give citizens back the control of their data, while imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” The first challenge is that personal data is not to leave the EU, a massive issue for public blockchains since there is no control over who hosts the specific nodes that serve as points of validation. This, however, may be less of an issue with private or permission-based blockchains, which restrict node access based on predefined criteria.

GDPR also requires that data “should be erasable”, giving individuals the ‘Right to be Forgotten’. This should include any or all data collected by the data controller about an individual. The challenge here is twofold: most jurisdictions do not consider encrypted personal data to be anonymous, and, by their very nature, transactions on a blockchain are immutable. They cannot be changed once written into a blockchain sequence. Deleting data would essentially break the chain, rendering the entirety of the blockchain useless.

As per GDPR, the blockchain itself will be liable as a ‘data controller’ and therefore must allow data within the chain itself to be erased for any application of the technology to be deemed ‘compliant’. This would essentially require a “manual override” option within each blockchain, which directly contradicts the immutability of the chain. In reality, this may be possible with permission-based or private chains, but it will undoubtedly be problematic with public permissionless chains such as those underpinning cryptocurrencies including bitcoin.
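To make the erasure-versus-immutability conflict concrete, the following is an added example (not code from the article) of a minimal hash-chained ledger: each block commits to its predecessor’s hash, so blanking a personal field in a stored block either fails that block’s own hash check or, if the operator “honestly” recomputes that hash, breaks the back-link of every block after it. The field names and sample transactions are constructed for illustration.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64

def block_hash(index, prev_hash, payload):
    """Hash of the block header plus payload, serialised as canonical JSON."""
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(payloads):
    """Link each block to its predecessor through the predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        block = {"index": i, "prev": prev, "payload": payload}
        block["hash"] = prev = block_hash(i, prev, payload)
        chain.append(block)
    return chain

def verify_chain(chain):
    """Index of the first block that fails validation, or -1 if the chain is intact."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["payload"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return -1

def erase_field(chain, idx, key, rewrite_hash=False):
    """Simulate an erasure request against a block that is already on the ledger."""
    chain[idx]["payload"][key] = None
    if rewrite_hash:  # an 'honest' rewrite of this block only moves the break to the next one
        chain[idx]["hash"] = block_hash(idx, chain[idx]["prev"], chain[idx]["payload"])

# Constructed sample transactions carrying a personal name (not real data).
SAMPLE = [
    {"from": "bankA", "to": "cust-1", "name": "Alice Example", "amount": 10},
    {"from": "cust-1", "to": "bankB", "name": "Alice Example", "amount": 4},
    {"from": "bankB", "to": "bankC", "amount": 4},
]

def demo(rewrite_hash=False):
    """Return (validity before erasure, index of first broken block after erasure)."""
    chain = build_chain([dict(p) for p in SAMPLE])
    before = verify_chain(chain)
    erase_field(chain, 1, "name", rewrite_hash)
    return before, verify_chain(chain)

if __name__ == "__main__":
    print(demo())                   # (-1, 1): the edited block no longer matches its hash
    print(demo(rewrite_hash=True))  # (-1, 2): the next block's back-link no longer matches
```

Every honest node running `verify_chain` detects the erasure, which is exactly the property that makes a ledger trustworthy and, at the same time, what makes an in-chain “right to be forgotten” impossible without rewriting every later block on every node.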

Given the cost of non-compliance, compromises will need to be made. Workarounds already exist, but these come at a cost, such as a reduction in transparency and in the benefits of data ownership, as well as an overall increase in the need for point-to-point integration between all participating parties. Likewise, the resulting increased concentration of personal data increases the risk of a breach in which personal information is stolen. Risks also increase with the added complexity of ad-hoc workarounds, as these heighten the potential for unintended errors, resulting in less secure systems.

Beyond GDPR, other governance tools are in the works, such as the e-Privacy Regulation now being proposed and expected to complement GDPR. It will have a substantial impact on cookies, metadata storage, online tracking and communications secrecy, similar to the move Chinese authorities have made to enhance their data protection regime. With the enactment of China’s Cybersecurity Law in 2016, Chinese authorities assumed the right to police the Internet within their borders and to participate in managing international cyberspace.

Beyond the GDPR-blockchain paradox, institutions in Asia also remain skeptical as to how, and if, European regulators could enforce such laws outside of the EU. How are firms meant to be compliant if they are not in the EU? How are multinational EU firms meant to be compliant if their business activities involve cross-border transactions which are blockchain-based?

Enforcement actions are expected to flow through coordination with local regulators in Asia. Several Asian nations, including South Korea and Japan, have expressed their interest in cooperating with overseas regulators to develop regulatory frameworks for blockchain applications – namely cryptocurrencies. It would not be a surprise if such coordinated efforts were built on cross-border agreements to cooperate on incoming data protection regulations.

However, the reality is that the real pressure for Asia’s compliance with GDPR is unlikely to come directly from regulators, but rather from European counterparties with which Asian institutions plan to continue doing business.

With banks expected in 2018 to become more digitally mature and driven by innovation instead of regulation, it is likely that gaps between innovation and regulation will become defining aspects of strategy. Firms may be required to make a difficult choice between finding ways to bridge the gap and retreating to their home markets.
