The Bittersweet Relationship Between Blockchain and GDPR

Wednesday June 27th, 2018 by Silvan Jongerius

An adapted excerpt from the talk on Blockchain and GDPR given by Silvan Jongerius (CEO) at the National Library of Latvia in Riga at Digital Era 2018

With the GDPR now in full effect, improving the currently bittersweet regulatory relationship between Brussels and blockchain networks is critical. Thanks to its unique structural advantages and decentralized framework, blockchain technology is a true enabler of innovation worldwide, but this makes its pragmatic regulation an especially tricky task. While advising the European Commission and the Bundestag as a contributor to the German Blockchain Association, and in particular co-authoring the position paper on Blockchain, Privacy and the GDPR, I have seen firsthand just how important it is to achieve the right level of understanding between regulators and innovators – as well as the potential consequences of misunderstanding the process. When it comes to GDPR compliance, the blockchain is as much an asset as it is an obstacle on the path to supporting online privacy.

Blockchain: Technology Unchained

Blockchain is what the name suggests: a chain of blocks of transactions, each block linked to its predecessor by a cryptographic hash. Because every block commits to the hash of the one before it, altering any earlier block invalidates every block after it, and the tampering is immediately detectable. Within these public networks, no single party is in control. The network is distributed, the important tasks are financially incentivized and there is no off switch. All players in the network are equal. Such an environment enables disintermediation, bypassing middlemen, and a true peer-to-peer economy.

This is in stark contrast to, say, email, where there is a clear institutional middleman in the form of a host (Google, Yahoo, etc.) and one is not really sending as much as duplicating information. When a user emails another user a photograph, for example, they are copying something from one place to another, but it also remains on the original computer.

Although this is fine for sending images and text, it is obviously problematic when sending a payment: you would duplicate money, which defeats its purpose. Blockchain registers transactions differently. With bitcoin, for example, peer-to-peer transactions can be proposed by anyone. Every node checks that a transaction is signed by the holder of the funds and that those funds have not already been spent; miners (those who assemble valid transactions into blocks for a reward) then propose a new block for inclusion in the chain. Every transaction is thus authenticated by a network of nodes against the full history of previous transactions. It is not any particular individual, but math and clear rules that regulate the blockchain.

When Things get Bitter

Though this is great for cryptocurrencies, the distributed nature is not helpful when trying to establish the responsibilities ‘clearly’ defined by the GDPR: which person or institution is responsible for protecting data after it is collected, and who is responsible for complying with data subject requests. Additionally, the incentive structure that keeps blockchain networks running can be at odds with how regulators look at personal privacy. Regulators are used to dealing with institutions that assume a central responsibility in their activity. Blockchain, on the other hand, self-regulates with a decentralized approach.

If Facebook, for example, experiences a data breach, it is regarded as responsible under the GDPR for losing that data because it is the controller that collected it. If there is a data breach in a peer-to-peer network, however, it is not immediately clear who is legally responsible. This is already a problem with cryptocurrencies, and as more and more services (not to mention the swaths of personal data that accompany them) increase their reliance on blockchain technology, answers to these and other questions are only going to become more important.

Regulatory Challenges

When you have peer-to-peer transactions occurring over a long span of time, a regulator is met with the daunting challenge of assigning responsibility for data security to a network rather than an institution – a major headache. Blockchain’s own self-regulating, highly networked incentive structure has to be better understood by legal authorities if the GDPR is to be properly implemented within the constraints and capabilities of the technology in its current form. Regulate poorly and you’ll stifle growth. Regulate wisely, and the capacity for both higher privacy standards and more dynamic markets is vast. Before that can happen, however, there are more risks to consider.

Since data passes through many nodes on the blockchain, working out whether encrypted information on the chain is indeed personal data, and when exactly a user consented to share it and with whom, is easier said than done. Encryption is a security measure, not anonymisation: as long as someone holds a key, the data remains personal data. While encryption algorithms may be safe today, they may be broken tomorrow, so one should generally not rely on storing personal data in encrypted form on a public blockchain. The ciphertext is replicated to every node and can never be recalled, so anyone who keeps a copy can decrypt it the day the algorithm or the key is compromised. History shows that it is usually only a matter of time before an encryption mechanism is broken or weakened through advances in technology, with only one really old and inefficient exception (the one-time pad). And thanks to advances in quantum computing this may now accelerate.

Sweetening the Deal

Though the nature of blockchain technology poses a series of unique challenges in terms of how it can effectively comply with the GDPR’s privacy mandates, it cannot be overstated to what degree the technology is also a huge asset in ensuring individual privacy. If done effectively, proper oversight of blockchain technology won’t just help us meet our current regulatory requirements for privacy, but surpass them.


Blockchain can also provide tamper-evident proof that an event happened at a given point in time, which can be helpful for registers. In the case of the GDPR, this can be a great way to register that users consented to share their data with a third party. A number of providers have implemented this already and provide a highly secure way to prove that consent was collected at a specific point in time. The consent record itself should stay off-chain; only a salted hash of it is anchored on the chain, so that no personal data is written into an immutable public ledger and the record can still be deleted later.
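The following is an added example, written for this page rather than taken from the talk or from any of the consent-registration providers mentioned. It shows the two ideas above in one toy implementation: a hash-chained register whose verification fails as soon as any anchored block is altered, and consent records that stay off-chain with only a salted SHA-256 commitment going into the chain. The record fields, the in-memory chain and the class and function names are illustrative assumptions.

```python
"""Hash-chained consent register with off-chain records (added example).

Each block commits to its predecessor by hash, so changing any earlier block
invalidates every block after it and verify_chain() fails. The consent record
itself (constructed sample data below) never goes on the chain: only a salted
SHA-256 commitment does, so the chain holds no personal data in the clear and
the off-chain record and salt can be deleted later. All names and the
in-memory 'chain' are illustrative assumptions, not any provider's API.
"""
import hashlib
import json
import os
import time
from typing import Dict, Optional, Tuple


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commitment(record: dict, salt: bytes) -> str:
    """Salted hash of the record; without the salt it cannot be confirmed by guessing."""
    return hashlib.sha256(salt + canonical(record)).hexdigest()


def block_hash(block: dict) -> str:
    """Hash over every field except the stored hash itself."""
    return hashlib.sha256(canonical({k: v for k, v in block.items() if k != "hash"})).hexdigest()


class ConsentChain:
    def __init__(self) -> None:
        genesis = {"index": 0, "prev": "0" * 64, "commitment": "", "timestamp": 0}
        genesis["hash"] = block_hash(genesis)
        self.blocks = [genesis]
        # Off-chain store: the only place the actual record and its salt live.
        self.offchain: Dict[str, Tuple[dict, bytes]] = {}

    def register(self, record: dict, timestamp: Optional[int] = None) -> str:
        """Anchor a salted commitment to the record on the chain and return it."""
        salt = os.urandom(16)
        c = commitment(record, salt)
        prev = self.blocks[-1]
        block = {
            "index": prev["index"] + 1,
            "prev": prev["hash"],
            "commitment": c,
            "timestamp": int(time.time()) if timestamp is None else timestamp,
        }
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        self.offchain[c] = (record, salt)
        return c

    def verify_chain(self) -> bool:
        """True only if every block's hash is intact and links to its predecessor."""
        for i, b in enumerate(self.blocks):
            if b["hash"] != block_hash(b):
                return False
            if i > 0 and b["prev"] != self.blocks[i - 1]["hash"]:
                return False
        return True

    def prove_consent(self, record: dict, salt: bytes) -> Optional[int]:
        """Return the anchored timestamp if record + salt reproduce a committed hash."""
        c = commitment(record, salt)
        for b in self.blocks[1:]:
            if b["commitment"] == c:
                return b["timestamp"]
        return None

    def erase(self, c: str) -> None:
        """Erasure: drop the off-chain record and salt. The on-chain commitment
        remains, but without the salt it can no longer be tied to anyone."""
        self.offchain.pop(c, None)


if __name__ == "__main__":
    chain = ConsentChain()
    sample = {"subject": "user-123", "purpose": "newsletter", "granted": True}  # constructed
    c = chain.register(sample, timestamp=1530000000)
    record, salt = chain.offchain[c]
    print("chain valid:", chain.verify_chain())
    print("consent anchored at:", chain.prove_consent(record, salt))
    chain.blocks[1]["timestamp"] = 1  # tamper with an anchored block
    print("chain valid after tampering:", chain.verify_chain())
```

The design choice worth noting is the salt: an unsalted hash of a small, structured consent record could be confirmed by anyone who can guess the record's contents, which would make the on-chain value personal data after all. With a random salt kept off-chain, deleting the salt is enough to sever the link, which is what makes the register compatible with erasure requests.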

Self-Sovereign Identity on Blockchain

Another example is self-sovereign identity. Blockchain can store verifiable proofs of information that eliminate the need for a hefty background check, which would be a major simplification for public record keeping. Imagine government authorities and reputable private institutions being able to verify one simple fact, such as your identity, against a blockchain rather than by traditional methods. Through multiple proofs from different issuers, you will be able to prove a certain fact, such as your age, or even more privacy-friendly: prove that you are over a certain age without having to reveal much else. Here too, only a commitment to the credential belongs on the chain; the attributes themselves stay with the holder and are disclosed one at a time.
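As an added illustration of the "over a certain age, without revealing much else" idea, the block below is example code written for this page, not from the talk or from any particular self-sovereign identity project. An issuer salts and hashes each attribute, builds a Merkle tree over those leaves and attests only the root; the holder later reveals a single claim together with its salt and Merkle path, and the verifier learns that claim and nothing about the other attributes. The attestation of the root is simulated with an HMAC under an issuer key, which is an assumption made to keep the example in the standard library; a real deployment would use a public-key signature so that anyone can verify it without the issuer's secret. The attribute names and values are constructed sample data.

```python
"""Selective disclosure of one attribute from an issuer-attested credential
(added example, not from the original post or any named SSI project).

The issuer hashes each attribute with its own random salt, builds a Merkle
tree over the leaves and attests only the root. The holder reveals one claim
such as 'over_18' with its salt and Merkle path; the verifier recomputes the
root and checks the issuer's attestation. Attestation is simulated with an
HMAC under ISSUER_KEY (assumption); a real system would use a signature.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ISSUER_KEY = os.urandom(32)  # assumption: stand-in for the issuer's signing key


def leaf_hash(name: str, value: str, salt: bytes) -> bytes:
    """Salted leaf; the salt stops a verifier from guessing sibling attributes."""
    return hashlib.sha256(b"leaf|" + salt + name.encode() + b"|" + value.encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Domain-separated inner node so leaves and nodes cannot be confused."""
    return hashlib.sha256(b"node|" + left + right).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_path(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; bool = sibling is on the right."""
    path = []
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        path.append((level[sibling], sibling > index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return path


def issue(attributes: Dict[str, str]) -> dict:
    """Issuer side: commit to every attribute and attest the Merkle root."""
    names = sorted(attributes)
    salts = {n: os.urandom(16) for n in names}
    leaves = [leaf_hash(n, attributes[n], salts[n]) for n in names]
    root = merkle_root(leaves)
    tag = hmac.new(ISSUER_KEY, root, "sha256").digest()
    return {"names": names, "attributes": attributes, "salts": salts, "root": root, "tag": tag}


def disclose(credential: dict, name: str) -> dict:
    """Holder side: reveal exactly one attribute plus what is needed to verify it."""
    names = credential["names"]
    leaves = [leaf_hash(n, credential["attributes"][n], credential["salts"][n]) for n in names]
    idx = names.index(name)
    return {
        "name": name,
        "value": credential["attributes"][name],
        "salt": credential["salts"][name],
        "path": merkle_path(leaves, idx),
        "root": credential["root"],
        "tag": credential["tag"],
    }


def verify(disclosure: dict) -> bool:
    """Verifier side: recompute the root from the revealed leaf and check the attestation."""
    h = leaf_hash(disclosure["name"], disclosure["value"], disclosure["salt"])
    for sibling, sibling_is_right in disclosure["path"]:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    if h != disclosure["root"]:
        return False
    expected = hmac.new(ISSUER_KEY, disclosure["root"], "sha256").digest()
    return hmac.compare_digest(expected, disclosure["tag"])


if __name__ == "__main__":
    # constructed sample credential
    cred = issue({"name": "Alice Example", "dob": "1990-05-01", "nationality": "LV", "over_18": "true"})
    proof = disclose(cred, "over_18")
    print("over_18 verified:", verify(proof))
    print("verifier received only:", proof["name"], "=", proof["value"])
```

Note that "over_18" is a claim the issuer computed and attested, not something the verifier derives from the date of birth: that is what keeps the birth date out of the disclosure. The root (or a hash of it) is what would be anchored on the chain or published in an issuer registry; the attributes and salts never leave the holder until one of them is deliberately disclosed.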

Binding Network Rules?

Blockchain may also come to need its own established rules of engagement if these tools are to be put to full use. With the German Blockchain Association’s privacy working group, we are exploring the possibility of introducing ‘Binding Network Rules’, analogous to ‘Binding Corporate Rules’. These are binding and internationally enforceable rules that can govern international data transfers, the internal relationships and the rights and responsibilities of participants. This can help blockchain networks build a stronger legal structure around how they operate and establish conditions for using an entire network. Such a structure would limit the bureaucracy required to enforce such rules and would enable blockchain technology to make a real impact on privacy through decentralization, rather than bending to the often draconian needs of heavy-handed central authority.

There are many obstacles that blockchain networks currently pose to pragmatic enforcement of the GDPR. But those obstacles can be more than offset by the opportunities that these decentralised peer-to-peer networks create. With the right mix of informed regulatory action and innovative practices, business progress need not come at the cost of supporting individual privacy – or vice versa.

