Blockchains record pseudonymous transactions that cannot be altered. This sounds as though it complies with data protection law and the GDPR, which will soon be enforced, but it’s not that simple.
1) Transactions can be linked to real world people.
There are several ways in which transactions can be connected to a person. For a start, many exchanges require passport identification, and these records may be requested by governing bodies (e.g. Coinbase by the IRS). Other ways include checking whether the person has posted their addresses in a blog post. There’s even a company set up to track transactions, Chainalysis, which has been used by the IRS.
GDPR defines personal data as “any information related to a natural person or data subject that can be used to directly or indirectly identify the person.” Therefore, as these transactions can be linked to an identifiable person, they count as personal data. As blockchains hold personal data, they will be subject to requirements such as being “processed in a manner that ensures appropriate security of the personal data.” Does being on a publicly available ledger count as appropriate security?
2) If transactions cannot be altered, personal data cannot be removed.
Article 17 states: “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her” where one of a set of grounds applies.
Blockchains cannot be altered. Once a chain has been agreed upon, it is fixed on the ledger. If someone within the EU had used bitcoin, there was a way of identifying them, and they wished to have their data removed on one of the grounds set out in Article 17, there would be a breach of GDPR. This could carry a fine for either the data controller or the data processor of up to €20 million.
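To make the immutability point concrete, here is an added example (not code from the article) using a toy hash chain: each block commits to its predecessor's hash, so "erasing" a memo that names a person in block 1 invalidates block 1 and every block after it, which is exactly why an on-chain erasure request cannot be honoured in place. The example goes one step beyond the text and also shows the pattern practitioners use to reconcile the two: keep personal data off-chain and commit only a salted hash on-chain, so deleting the off-chain record (and its salt) satisfies erasure while the chain still verifies. The chain format, the records and the `sha256(salt || memo)` commitment are assumptions for illustration, not bitcoin's or any product's design.

```python
import hashlib
import json
import secrets
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict  # the data committed on-chain
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical serialisation so the same content always hashes the same way.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        ).encode()
        return sha256_hex(body)


def build_chain(payloads):
    """Link each block to the previous one by hash (toy chain, no consensus)."""
    chain, prev = [], "0" * 64
    for i, payload in enumerate(payloads):
        block = Block(i, prev, dict(payload))  # copy so callers' dicts stay untouched
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    prev = "0" * 64
    for block in chain:
        if block.prev_hash != prev or block.compute_hash() != block.hash:
            return False, block.index
        prev = block.hash
    return True, None


# Constructed sample records: one memo field contains text that links the
# transaction to a named person, as the article describes.
RECORDS = [
    {"from": "addr_A", "to": "addr_B", "amount": 1.5, "memo": "coffee"},
    {"from": "addr_B", "to": "addr_C", "amount": 0.2, "memo": "rent for Jane Doe, Flat 4"},
    {"from": "addr_C", "to": "addr_A", "amount": 0.1, "memo": ""},
]


def demo_naive_erasure():
    """Overwrite the personal data in place; the chain no longer validates."""
    chain = build_chain(RECORDS)
    assert verify_chain(chain) == (True, None)
    chain[1].payload["memo"] = "[erased]"
    return verify_chain(chain)  # (False, 1): block 1's stored hash no longer matches


def demo_offchain_pattern():
    """Commit only a salted hash on-chain; erase by deleting the off-chain record."""
    offchain, payloads = {}, []
    for rec in RECORDS:
        salt = secrets.token_bytes(16)  # random salt so low-entropy memos cannot be brute-forced
        digest = sha256_hex(salt + rec["memo"].encode())
        offchain[digest] = (salt, rec["memo"])
        payloads.append({k: v for k, v in rec.items() if k != "memo"} | {"memo_hash": digest})
    chain = build_chain(payloads)
    # Erasure request for block 1: drop the off-chain memo and its salt. The on-chain
    # digest stays, but without the salt it no longer reveals the memo.
    del offchain[chain[1].payload["memo_hash"]]
    ok, _ = verify_chain(chain)
    return ok, chain[1].payload["memo_hash"] in offchain  # (True, False)


if __name__ == "__main__":
    print("in-place erasure:", demo_naive_erasure())
    print("off-chain pattern (chain valid, memo still stored):", demo_offchain_pattern())
```

The off-chain pattern is only as good as the deletion of the salt and record: whoever keeps that store is the party that can actually honour an erasure request, which is the controller question the article raises in the next section.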
3) If these are breaches of GDPR, who is at risk? The developers? Miners?
This is the difficult question. In some cases it is clearer: for example, the company Ripple is the data controller for XRP. However, for bitcoin there is a group of developers who work on the code. There is no one company and there is no one person in charge. The entire purpose of bitcoin was to be decentralised, to have no one person with the power to decide how it worked. You could even argue that the miners are the data controllers, because they vote on how the system is upgraded.
Furthermore, who are the data processors? Bitcoin transactions are confirmed by nodes. These are thousands of individuals who use software on their computers to check transactions. Currently there are 11,565 nodes across the world. Could all of these people technically be responsible for processing the personal data on the blockchain and collectively be liable for a fine in breach of GDPR?
As Thomas Leivitz, of Birdchain, sums it up: “GDPR was developed with blockchains not in mind.” It will be fascinating to see whether legislation can catch up with the speed of technological innovation. It will become very relevant when blockchains, such as ones that hold medical information, become commonly used (even though these will typically be on private ledgers). The big question is: how will governments hold decentralised networks to account?
Article written by Tim Copeland
[Disclaimer: I own various cryptocurrencies that may include the topic of the article. My main holdings are in XRP, NANO, ADX, DGB, NAS.]
To exchange for Ripple (XRP), NEO (NEO) or Litecoin (LTC), sign up to Binance.
If this post has informed you or helped in any way, feel free to donate ETH to 0x8c854F441248936BD12EB32373bb16Aa99129483