According to the study “Blockchain Demystified: A Technical and Legal Introduction to Distributed and Centralised Ledgers”, published on November 6, private blockchains such as interbanking platforms that are set up to share information on their users could be compatible with the new European Union privacy laws. The study appeared in the “Richmond Journal of Law and Technology” and was carried out jointly by Queen Mary University of London and the University of Cambridge, United Kingdom.
The General Data Protection Regulation (GDPR) came into effect in May this year. The legislation regulates the storage of personal data of all individuals within the European Union. It states that all data controllers are bound to respect citizens’ rights in protecting and transferring their personal information. If a data controller fails to do so, the potential penalties are set at twenty million pounds, which is roughly 22 million US dollars, or four percent of global turnover/revenues, whichever is higher.
The study views blockchains and their nodes in the context of the General Data Protection Regulation. The researchers concluded that crypto-related technologies could fall under its rules and be considered “controllers”, provided they store private information about European Union citizens and allow third-party participants to operate it. According to the study, this could inhibit the adoption of the technology in the European Union:
There is a risk that this legal uncertainty will have a chilling effect on innovation, at least in the EU and potentially more broadly. For example, if all nodes and miners of a platform were to be deemed joint controllers, they would have joint and several liability, with potential penalties under the GDPR.
However, according to the researchers, blockchain operators could instead be considered similar to “processors”, like cloud providers that act on behalf of their users rather than controlling their data. The study further explains that this concept mostly applies to Block-as-a-Service (BaaS) offerings, where the supporting infrastructure is provided by a third party while users store their data and are personally in charge of it.
As examples of centralized platforms, the researchers cite land registry and private interbanking solutions that apply “a closed, permissioned blockchain platform with a small number of trusted nodes”. According to the study, closed systems of this type are able to comply effectively with General Data Protection Regulation rules. The researchers state that, to meet privacy law, blockchain networks may also store users’ personal data externally, or allow trusted nodes to remove the private key for encrypted information, which leaves undecipherable data on the chain.
More decentralized networks, such as those used for mining and cryptocurrency, would find it extremely difficult to comply with the General Data Protection Regulation. In such a case, nodes handling the data of European Union citizens might agree to fork a new version of the blockchain from time to time, reflecting mass requests for rectification or erasure. The study stated that:
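The two approaches in the paragraph above can be sketched in a few lines. This is an added example, not code from the study: the chain holds only a keyed hash (HMAC-SHA256, used here in place of ciphertext) of each record, while the record and its key sit in an erasable store that stands in for a trusted node's database. All function names and the sample records are constructed for illustration.

```python
import hashlib, hmac, json, secrets

def block_hash(index, prev, commitment):
    return hashlib.sha256(json.dumps([index, prev, commitment]).encode()).hexdigest()

def append(chain, commitment):
    """Add a block holding only a keyed commitment, never the personal record."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"prev": prev, "commitment": commitment,
                  "hash": block_hash(len(chain), prev, commitment)})
    return len(chain) - 1

def chain_intact(chain):
    prev = "0" * 64
    for i, b in enumerate(chain):
        if b["prev"] != prev or b["hash"] != block_hash(i, prev, b["commitment"]):
            return False
        prev = b["hash"]
    return True

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def register(chain, store, record):
    """Keep record + random key off-chain; put HMAC(key, record) on-chain."""
    key, data = secrets.token_bytes(32), json.dumps(record, sort_keys=True).encode()
    index = append(chain, tag(key, data))
    store[index] = (key, data)
    return index

def verify(chain, store, index):
    """True/False while the record exists; None once it has been erased."""
    if index not in store:
        return None
    key, data = store[index]
    return hmac.compare_digest(tag(key, data), chain[index]["commitment"])

def erase(store, index):
    """Erasure request: delete record and key off-chain; the chain is untouched."""
    return store.pop(index, None) is not None

def demo():
    chain, store = [], {}  # store models a trusted node's erasable database
    a = register(chain, store, {"name": "Alice Example", "iban": "CONSTRUCTED-0001"})
    b = register(chain, store, {"name": "Bob Example", "iban": "CONSTRUCTED-0002"})
    before = verify(chain, store, a)
    erase(store, a)
    return before, verify(chain, store, a), verify(chain, store, b), chain_intact(chain)
```

After the erasure the chain still validates block by block and the second record still verifies, so no fork is needed; what remains on-chain for the erased record is a value that cannot be recomputed without the deleted key.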
However, in practice, this level of coordination may be difficult to achieve among potentially thousands of nodes.
In conclusion, the researchers urged the European Data Protection Board to set out clearer guidelines on how data protection law applies to the various blockchain models. Even though current European Union legislation partially shares goals with crypto-related technologies, such as decentralizing control over data, blockchain companies could still face extremely high penalties as data controllers.