GDPR and Blockchain - A problem for Blockchain

[manish9841]

Because data can´t be deleted in blockchain, and this violates one of the article about right to be forgotten regarding personal data in GDPR - this could be a serious problem for blockchain focused technologies and companies.

How are geeks going to find solution for this?

https://www.ccn.com/gdpr-a-game-changer-is-coming-for-cryptocurrency/

[LeGaulois]

Blockchain and blockchain is not  the same

Now referring to the Blockchain (from Bitcoin) it's not a company and GDPR is targetting precisely companies. When to consider another blockchain, from a company or not, I am not sure if it really matters because we're just a number, inside...

And if I am wrong then Verge won't be considered as a privacy coin anymore so...

[manish9841]

Ok. So, there´s a difference between permissioned and permissionless blockchain. But still can´t understand the difference between blockchain and distributed ledger.

[buwaytress]

It will be a massive problem but only for all the private blockchains and the hundreds of ICOs thinking they did themselves a favour by collecting KYC, who will certainly need to assign data controllers and data management officers to purge data off the blockchains - finding a way to satisfy three parties: GDPR enforcers, EU citizens exercising their rights to be forgotten and all their blockchain participants who require all manipulation and amendment of data be made transparent to them.

GDPR isn't just going to be a recommendation either. No transposing of it, flat out directive that needs compliant.

[andrew1carlssin]

Because data can´t be deleted in blockchain, and this violates one of the article about right to be forgotten regarding personal data in GDPR - this could be a serious problem for blockchain focused technologies and companies.

How are geeks going to find solution for this?

https://www.ccn.com/gdpr-a-game-changer-is-coming-for-cryptocurrency/

GDPR (permanent link -> https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679

was made to protect Personal Data Information from Other Part Entities / Third Part Entity. Two conditions here
[1] ..

In order to the others principles, such as Data Portability, Right to be Forgotten, etc to be applied
you need firstly relate data stored on the blockchain to a PII ( personally identifiable information )

So my understand and interpretation is ...
data can exist forever on the blockchain as far as it not linked to a person.

Now, the tricky puzzle.
thought experiment ..

If you decide to prove your ID, lets say, by sign a message with your private keys would it not be ultimately your own responsibility since nobody
controls the BTClockchain ?  and Lets say you decide that BTClockchian is controled by distinct entity ... who/what that entity would be ?      

[1] GDPR Jargon
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

[manish9841]

So as long as PII is not linked to blockchain data, it doesn´t apply, I see. On other cases if it is linked, does things like masking and encryption could be handful to mitigate the risk.

[DooMAD]

While I'm not a lawyer, my understanding of it is that only the information you've supplied to the company yourself can be requested to be forgotten.  So there's the obvious things like names, DOB, mailing addresses, email addresses, phone numbers or any other personal contact information.  Then for social media platforms, any posts you've made, along with photos, videos and any other content you've uploaded.  But, if a company assigned you an ID/reference number to store your records, there's nothing that prevents them using that ID/reference number again once they've purged all your other details.  So for any altcoins that generate their own addresses with public and private keys and that don't have any other personally identifiable information attached, it shouldn't (again, not a lawyer) even matter if it is a private blockchain.  The only thing being stored would be the payment addresses the software has generated itself, which I don't think users would have any rights over.

How many company-owned blockchains which are used to store their users' personal information could there be?  I don't think that many altcoins will be affected at all.

Maybe if, for example, you run a business that offered to store a couple's wedding vows and marriage date/time/location/etc on a private, but still distributed blockchain (because I can imagine someone doing something that crazy), you should pretty much close your company down now, heh.

[expert4knowledge]

People have the choice to not use it so I don't see the problem, people who want data to be erased should not use a system that has as main purpose to keep data, common sense

[intellicorepress]

Because data can´t be deleted in blockchain, and this violates one of the article about right to be forgotten regarding personal data in GDPR

This issue may be solved in the future by allowing for "restriction of processing" in cases in which there are significant technical barriers to deletion of the data, too. Currently, this solution is applicable only when the data subject doesn't want their data to be processed, but doesn't want them to be deleted either, and a couple of other special cases.

[manish9841]

Ok now I had an impression that proper consent management would significantly mitigate the risk.