GDPR seemed to be on a collision course with blockchain technology due to some of the technology's fundamental characteristics. However, new university research in the UK has shown ways in which the new regulation and the technology can indeed complement each other. Shashank Venkat reports.
The General Data Protection Regulation (GDPR), which came into force this May, has changed the way businesses operate in the European Union (EU) and beyond. However, its strict rules on data management have also meant an inherent conflict with blockchain technology, which thrives on decentralisation and immutability of data. But a new piece of research done by the University of Cambridge and Queen Mary University of London now shows that blockchains could indeed be compatible with the EU's new privacy legislation.
As discussed in our earlier blog, one of GDPR's biggest points of conflict with blockchain is that a blockchain stores the private data of citizens, which could be accessed by third parties. In that sense, any blockchain would generally fall under the category of data controller. In addition, blockchain is characterised by immutability, another aspect that is at odds with GDPR, which mandates that it should be possible to delete personal data upon request.
The new research argues that blockchain should be looked at through the lens of micro-level transactions, where individuals are actively in charge of submitting their data on the blockchain by determining the purpose (conducting a transaction) and the means (choice of blockchain platform). The researchers deem a micro-level perspective more accurate, since the law is concerned with the processing of personal data, and conclude that users should be considered data controllers, while blockchain nodes and miners should be treated as data processors.
They have further strengthened their argument by likening blockchain platforms to cloud computing service providers, pointing out that when accessing computing resources from a cloud provider, the customer acts as a data controller whereas the cloud provider processes data on the customer's behalf. Similarly, any blockchain platform simply provides access to a distributed platform for storing and processing transactions. While the study puts more responsibility on customers as data controllers, it has also added that if nodes and miners take a more active role with regard to personal data, they may be considered data controllers.
The research further adds that it is easier for private blockchains to comply with the provisions of GDPR. For instance, data controllers and processors need to establish their data protection responsibilities contractually, which is easier to implement within a private, centralised platform than on a public, decentralised blockchain like Bitcoin. Moreover, private blockchains can support erasure of personal data and implement limited visibility, thereby complying with the data subject rights of GDPR. For public blockchains, technical approaches such as off-chain storage are still a subject of research and not an active solution yet.
According to the researchers, it would be helpful if regulators could issue detailed guidance around the various common blockchain models. However, regulators must not try to force-fit GDPR into blockchain, which is a completely new paradigm with many different technological aspects. Nevertheless, it is in the best interests of the citizens of Europe that the technology and the regulation co-exist to ensure greater transparency and control.