Europe’s data privacy laws pose problems for public blockchains

The very law designed to protect privacy may be the very thing that undermines the technology designed to protect privacy
Thomas Lee
Senior Writer, Digital Assets Group

It’s perhaps the greatest irony of the digital age that it takes massive government effort to protect the privacy of citizens.

And yet this dance between regulation and technology always produces unintended consequences for both parties.

Take Europe. The European Union earlier this year began implementing its General Data Protection Regulation (GDPR), a sweeping set of regulations designed to protect personal data and ensure privacy. The law applies to any multinational company that handles data of EU citizens, which means big tech giants like Google, Apple, and Facebook.

One of the more significant parts of GDPR is the right of citizens to be forgotten. Citizens can require tech firms to delete their information when the companies no longer need the data for their original processing purpose. For example, if a company required an e-mail to deliver online tickets, that company must erase that information once the consumer has received the tickets.

That presents a big problem for public blockchains in Europe. By design and purpose, blockchains are supposed to be “immutable,” meaning the information on the distributed ledger cannot be altered or removed. Doing so might invalidate the entire blockchain.

The technology is meant to thwart hackers intending to steal or alter the data. But what happens if hackers just want to disrupt the blockchain by inserting someone’s personal data into the system?

GDPR requires tech firms to remove data if there’s no legitimate purpose to hold the information. However, removing the data from the blockchain will automatically invalidate the entire chain.
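
The invalidation described above, shown on a toy hash-linked ledger (an added example, not code from the article or from Gartner; the block layout, function names and sample records are constructed for illustration). Blanking one record breaks validation at that block, and re-hashing to hide the change yields a chain head that no longer matches the copies other participants hold.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed sample records; block 1 carries personal data.
SAMPLE = ["tx: A pays B 5", "memo: jane.doe@example.com", "tx: B pays C 2", "tx: C pays A 1"]

def block_hash(index, prev, payload):
    """Hash a block's contents together with the hash of its predecessor."""
    body = json.dumps([index, prev, payload]).encode()
    return hashlib.sha256(body).hexdigest()

def build_chain(payloads):
    """Build a toy ledger in which every block commits to the one before it."""
    chain, prev = [], GENESIS
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"index": i, "prev": prev, "payload": payload, "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails validation, or None."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], prev, b["payload"]):
            return b["index"]
        prev = b["hash"]
    return None

def erase(chain, index, rehash_through=None):
    """Blank one payload on a copy; optionally re-hash blocks index..rehash_through."""
    chain = [dict(b) for b in chain]
    chain[index]["payload"] = "[erased]"
    if rehash_through is not None:
        for i in range(index, rehash_through + 1):
            b = chain[i]
            b["prev"] = chain[i - 1]["hash"] if i else GENESIS
            b["hash"] = block_hash(i, b["prev"], b["payload"])
    return chain

if __name__ == "__main__":
    ledger = build_chain(SAMPLE)
    print(first_invalid(ledger))                              # untouched ledger
    print(first_invalid(erase(ledger, 1)))                    # erased, not re-hashed
    print(first_invalid(erase(ledger, 1, rehash_through=1)))  # break moves one block on
    rewritten = erase(ledger, 1, rehash_through=len(ledger) - 1)
    print(first_invalid(rewritten), rewritten[-1]["hash"] == ledger[-1]["hash"])
```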

“Companies that implement blockchain systems without managing privacy issues by design run the risk of storing personal data that can’t be deleted without compromising chain integrity,” according to research firm Gartner.

“Any business operating processes using a public blockchain must maintain a copy of the entire blockchain as part of its systems of record,” Gartner said. “A public blockchain poisoned with personal data can’t be replaced, anonymized and/or structurally deleted from the shared ledger. Therefore, the business will be unable to resolve its needs to keep records with its obligations to comply with privacy laws.”

In fact, Gartner estimates 75 percent of the world’s public blockchains will be “data poisoned” by 2021.

The European Union can obviously try to fix the flaw by amending GDPR. However, if the EU doesn’t, GDPR could seriously hamper the growth of blockchain technology on the continent. Say what you want about Bitcoin and other cryptocurrencies, but blockchain is a truly transformative technology with the potential to remake industries for the better. I find it unlikely the EU deliberately wanted to sabotage blockchain when it drafted GDPR.

But the issue demonstrates the inherent tension between regulation and new technologies. Despite the idealism that underpinned the development of cryptocurrencies and thus blockchain, there is really no such thing as a truly decentralized system that will always stay completely outside the law or government control.

When it comes to GDPR, blockchains, and data poisoning, the situation is especially ironic. The very EU law designed to protect privacy may be the very thing that undermines the technology designed to protect privacy.