The GDPR (General Data Protection Regulation) entered into force on 25 May 2018, although not all of today's companies (especially startups and small organizations) are ready for it. In short, the GDPR is a new set of rules designed to give EU citizens more control over their personal data. In particular, it guarantees certain data subject rights to individuals from the EU. Some of these rights are:
- Right to rectification (Art. 16)
- Right to erasure/right to be forgotten (Art. 17)
- Right to restrict processing (Art. 18)
So, if you participate in some projects or use some services, your data is officially protected by the relevant laws. In theory. In practice, when it comes to blockchain projects, your rights are most likely violated.
In general, GDPR is incompatible with (many) blockchain projects. Many, because there may be projects I just don't know about which are compatible (can you suggest any?).
Firstly, transactions on a blockchain are immutable. You cannot change or delete them once they are written to a blockchain. This is one of the main benefits of blockchain technology (blocks cannot be deleted or modified, which ensures the security and accuracy of the data), but it also conflicts with GDPR requirements.
Secondly, everybody can browse the complete history of transactions on a public blockchain. Transparency is another benefit of the technology; we need it and do not want to lose this feature. As a blockchain user, you agree to send your data to a public blockchain, so I believe this is not a problem for the time being. However, you also have the right to leave the project in the future if you wish, yet your data will still remain there.
Thirdly, an essential aspect of GDPR is the data storage location. A company must specify where it stores and transfers your data. The best practice is not to transfer the data outside the EU. However, when it comes to public blockchains, there is no control over who hosts a node.
Of course, GDPR relates to personal data, so the regulation does not cover a blockchain that uses fully anonymized data. But many blockchain-based projects involve the use of users' personal data.
Blockchain developers must reckon with the law, especially taking into account the support for the technology in Europe - many of your customers will be from there. Some ways to deal with the problem were described here. The main idea is to store the personal data off-chain and store only a reference to this data on the blockchain. Not an optimal solution for obvious reasons, but I have not been able to come up with a better one yet.
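To make the off-chain pattern concrete, here is an added example (mine, not from the post or from any linked article). It models an append-only ledger as a plain list, keeps the personal data in a mutable off-chain store, and writes only an opaque record id plus a salted commitment on chain. Rectification appends a new commitment instead of mutating the old one, erasure deletes the off-chain record together with its salt so the remaining on-chain value can no longer be linked to or checked against any guessed data, and portability is a machine-readable export of the off-chain record. All class and function names are hypothetical, and the sample record is constructed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class OffChainStore:
    """Mutable storage the controller actually controls (constructed stand-in)."""
    records: dict = field(default_factory=dict)  # record_id -> (salt, data)


def commit(salt: bytes, data: dict) -> str:
    """Salted commitment to the serialized record.

    A per-record secret salt, kept off-chain, means an observer cannot
    confirm a guess of low-entropy data (a name, an e-mail address) by
    hashing the guess and comparing it with the on-chain value.
    """
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, payload, hashlib.sha256).hexdigest()


class Controller:
    def __init__(self):
        self.ledger: list = []  # append-only: models the immutable chain
        self.store = OffChainStore()

    def register(self, data: dict) -> str:
        record_id = secrets.token_hex(16)
        salt = secrets.token_bytes(32)
        self.store.records[record_id] = (salt, dict(data))
        # Only the opaque id and the commitment ever reach the ledger.
        self.ledger.append({"record_id": record_id, "commitment": commit(salt, data)})
        return record_id

    def rectify(self, record_id: str, updates: dict) -> None:
        """Right to rectification: change off-chain, append a fresh commitment."""
        _, data = self.store.records[record_id]
        data.update(updates)
        new_salt = secrets.token_bytes(32)
        self.store.records[record_id] = (new_salt, data)
        self.ledger.append({"record_id": record_id, "commitment": commit(new_salt, data)})

    def erase(self, record_id: str) -> None:
        """Right to erasure: drop data and salt; the ledger entries stay but
        now point at nothing and cannot be matched against any plaintext."""
        del self.store.records[record_id]

    def export(self, record_id: str) -> str:
        """Portability: machine-readable copy of the off-chain record."""
        _, data = self.store.records[record_id]
        return json.dumps(data, sort_keys=True)

    def latest_commitment(self, record_id: str) -> str:
        return [e for e in self.ledger if e["record_id"] == record_id][-1]["commitment"]

    def verify(self, record_id: str) -> bool:
        """Does the current off-chain record match its latest on-chain commitment?"""
        if record_id not in self.store.records:
            return False
        salt, data = self.store.records[record_id]
        return hmac.compare_digest(self.latest_commitment(record_id), commit(salt, data))


def demo() -> tuple:
    """Walk one constructed record through register, rectify, export, erase."""
    c = Controller()
    rid = c.register({"name": "Alice Example", "email": "alice@example.invalid"})
    ok_before = c.verify(rid)
    c.rectify(rid, {"email": "alice.new@example.invalid"})
    ok_after = c.verify(rid)
    exported_email = json.loads(c.export(rid))["email"]
    # An observer holding only the chain cannot check a guess without the salt.
    guess = {"name": "Alice Example", "email": "alice.new@example.invalid"}
    unsalted_match = commit(b"", guess) == c.latest_commitment(rid)
    c.erase(rid)
    erased = not c.verify(rid)
    pii_on_chain = any("name" in e or "email" in e for e in c.ledger)
    return ok_before, ok_after, exported_email, unsalted_match, erased, len(c.ledger), pii_on_chain


if __name__ == "__main__":
    print(demo())
```

The ledger ends up with two entries for the record and no personal data in either; after erasure the commitments are unlinkable values that nothing off-chain can reproduce, which is the best the pattern can do given that the entries themselves cannot be removed.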
An alternative solution would be a revision (extension) of the law for crypto projects. But until that happens, we have to cope with these restrictions by ourselves.
Blockchain developers (if there are any here): are you going to support all the GDPR requirements? What means do you use to implement user rights, for example the rights to portability or erasure?