GDPR and Blockchain … Like handcuffs on a ghost.

It’s always exciting when technology and legislation collide. A new report highlights the problem no one dares mention. Blockchain, the much-hyped technology with hundreds of millions of pounds of investment riding on it, is ‘incompatible’ with GDPR.

The report, authored by fintech journalist Bird Lovegod, former co-founder of The Fintech Times newspaper, was commissioned by blockchain company Cygnetise.

It jumps straight to the point. GDPR legislation is designed around the idea that there is a central database. With public blockchains, including the bitcoin blockchain, this just isn’t true. There is no central point; the whole purpose of blockchain is to avoid having one. GDPR addresses data controllers, requiring them to comply with the seven GDPR principles. With public blockchains, there is no data controller. The actual language of the legislation immediately comes a cropper when it encounters the decentralised structure of blockchain. As the report highlights, this is both unfortunate and ironic. GDPR was introduced to bring data protection into the modern age, the old Data Protection Act having been launched right at the birth of the digital reformation. GDPR was designed to counter the problem of technology moving faster than legislation can ever keep up.

As such, it relies on seven principles. According to Bird Lovegod, “With some public blockchains, six of these seven GDPR principles are either breached, or rendered non-applicable in some way. What’s more, it’s almost impossible for any court to enforce any action against public blockchains: there’s no one in charge, no one to serve documents to, no one to even name on legal papers. In the instance of Bitcoin, who are they going to summon? Satoshi Nakamoto? No one even knows who invented it. In practice they would have to prosecute everyone on the network. It’s a bit of a farce. The very legislation designed to ‘future proof’ data protection has been launched right at the time when technology has fundamentally changed the rules. And that’s even before AI becomes involved. When an autonomous software system breaches EU data legislation, who you gonna call then? Blockchain technology was designed to exist outside of central control and independently of government rule. It still does. GDPR slides off it like handcuffs on a ghost.”

However, as the report goes on to explain, with private blockchains it’s a much better fit. “There’s definitely still a grey area, but at least the GDPR definitions apply, and six of the seven principles are pretty much doable,” explains Bird. “The biggest problem is the immutability of blockchain, the unchangeable nature of the data on it. Nothing can be deleted. It would be like taking a link out of a chain. One of the rights afforded by GDPR is the right to be forgotten, the right to have your data deleted. This is literally impossible for blockchain to do.” The report goes on to detail a possible fix involving encryption rather than deletion, which would require the consent of the individual. “Ultimately,” says Bird, “the question is, do we have the right to amend our own rights? Perhaps that’s the ultimate in consumer rights, being able to choose which ones we want, individually.” No doubt Satoshi would approve.