Since people can store personal data in blockchains, the technology could fall under the scope of the next European privacy law. But blockchain technology may be fundamentally incompatible with Europe's new privacy rules, the Coin Center in Washington, DC said today in a new publication.
The General Data Protection Regulation (GDPR) will come into force on May 25 of this year, more than two years after it was first promulgated. Under the new rule, if an EU citizen requests that their personal data be deleted from a company's records, the company will have to obey.
But with blockchain, a complete erasure of any stored personal information may not be possible, experts told The Verge. "Modifying data in a chain of blocks is very difficult," Michèle Finck, a law professor at Oxford, told The Verge. "If you delete or modify data in the blockchain to comply with the rights to amend the GDPR or the right to be forgotten, not only would that information change, but the hash of the block containing the data and of all subsequent blocks. "
Finck added, "I think it's safe to say that currently, most blockchains are incompatible with the GDPR, especially blockchains without permission." She said that although many blockchain projects are thinking about how to design technology that is compatible with GDPR, the problem is that "there are so many points of tension … beyond the right [for personal data] to forget".
"It's the basics of blockchain technology."
By their very nature, transactions in a chain of blocks are not intended to be erased, but to be permanently recorded. It would also be difficult to stop every place that transmits a Bitcoin transaction. "This is by design," Andries Van Humbeeck, co-founder and consultant of Blockchain at TheLedger.be, a Belgian company that offers training and advice related to Blockchain, told The Verge. "It's the basics of blockchain technology."
Van Humbeeck reiterated Finck's argument that modifying a block meant changing all subsequent blocks, adding that it could have terrible consequences: "If you delete a block of transactions, the veracity of all subsequent blocks of transactions becomes questionable." The transaction log helps blockchains track payments and a fake transaction could have financial consequences for users. When it comes to the chain of blocks with which Bitcoin works, "all Bitcoin transactions after that purged block become unreliable, which would undermine the entire system," said Van Humbeeck.
Jerry Brito, executive director of Coin Center, wrote today in a message that regulators should note that the new law is "incompatible with the reality of open blockchain networks," which are not governed by a single party but are decentralized.
Since blockchain and the GDPR currently do not work together, one of the two may have to change. Blockchain developers could use new technologies to anonymize personal data, which would keep the blockchains out of the reach of the GDPR. Alternatively, European judges may decide that block chains do not have to erase any personal data, as the Coin Center advises. If both blockchains and the GDPR do not change, Coin Center warns that the result could be a problem for blockchain developers in the EU: "The result of the law, then, may be that Europe is closing the future of Internet to the detriment "