Will GDPR compliance kill Blockchain?

Privacy is still an ambiguous term today as far as legal definitions go.

Immutability

Blockchain is touted as a trustless system, that is, a system where trust is built into the architecture. The immutability of transactions, meaning the inability to erase or modify a transaction once it has been written to the chain, is one of the key factors that ensure this trust. This is in direct violation of the right to erasure in GDPR.

You cannot modify or erase a transaction once it is written on the blockchain.

Transparency

Not only are transactions not editable, but these transactions are also visible to all nodes in the network. Consider Bitcoin: right from the genesis block (the first block in a blockchain), all the blocks and transactions can be independently viewed and verified. In fact, if you want to start mining Bitcoin, you have to go through exactly this process before you can get started. This transparency is an advantage when we are talking about a cryptocurrency, but not so much in other applications like banking. Private blockchains have a different take on transparency, but it is still guaranteed in many ways.

Article 15 of GDPR states: ‘The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed’. This can never be guaranteed in a public blockchain.

Data Storage

In a public blockchain there is no control over who can host a node: any person or corporation in any part of the world can set up a node and join the network. An important aspect of GDPR is that personal data is not to leave the EU and, if that cannot be avoided, may go only to countries permitted by the EU. This guarantee can only be given in the case of a private blockchain.

Solution or Workaround?

The most obvious solution to the above paradox is the hybrid storage model. We can store the personal data off-chain, in a traditional database where the data can be erased and access can be restricted. This model is already used in blockchains that handle a large amount of data, where storing the data on the blockchain is not technically feasible. In this case, only a reference to the data is stored on the blockchain. This solution, however, increases the complexity and cost of data storage. Spreading data across centralised company servers also invites a lot of compatibility issues when using blockchain.
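The hybrid model described above, as an added Python example (not code from the original article): personal data lives in an erasable off-chain store, and the chain holds only a random record id and a commitment. `Ledger`, `HybridStore` and the sample record are constructed for illustration; using HMAC-SHA256 with a per-record key is an assumption made here so that, once the key is deleted with the data, the on-chain value cannot be matched by guessing the data.

```python
import hashlib, hmac, json, secrets
def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only hash chain that holds references only, never personal data."""
    def __init__(self):
        self.blocks = []
    def append(self, record_id: str, commitment: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "record_id": record_id, "commitment": commitment}
        self.blocks.append({**body, "hash": _digest(body)})
    def is_intact(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {k: b[k] for k in ("prev", "record_id", "commitment")}
            if b["prev"] != prev or b["hash"] != _digest(body):
                return False
            prev = b["hash"]
        return True

class HybridStore:
    def __init__(self):
        self.ledger = Ledger()
        self.off_chain = {}  # record_id -> (key, data); stands in for an erasable database
    def put(self, data: bytes) -> str:
        record_id = secrets.token_hex(8)   # random, so the id itself reveals nothing
        key = secrets.token_bytes(32)      # per-record key, stored off-chain only
        self.off_chain[record_id] = (key, data)
        self.ledger.append(record_id, hmac.new(key, data, hashlib.sha256).hexdigest())
        return record_id
    def verify(self, record_id: str) -> bool:
        if record_id not in self.off_chain:
            return False                   # erased: the on-chain reference dangles
        key, data = self.off_chain[record_id]
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return any(b["record_id"] == record_id and
                   hmac.compare_digest(b["commitment"], expected)
                   for b in self.ledger.blocks)
    def erase(self, record_id: str) -> None:
        self.off_chain.pop(record_id, None)  # data and key go; the chain is untouched

def demo():
    store = HybridStore()
    rid = store.put(b"name=Alice Example;account=CONSTRUCTED-0001")  # constructed sample
    before = store.verify(rid)
    store.erase(rid)
    return before, store.verify(rid), store.ledger.is_intact(), len(store.ledger.blocks)
```

After `erase`, the chain still validates and still contains the block, but the reference no longer resolves to any data.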

Conclusion

The goal of GDPR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.”


I write about blockchain and tech. https://twitter.com/stanlyjohnson72
