Private Blockchains Could Be Compatible with EU Privacy Rules, Research Shows

Published at: Nov. 11, 2018

Private blockchains, such as interbanking platforms set to share information on customers, could be compatible with new E.U. privacy rules, according to research published Nov. 6. The study was conducted by Queen Mary University of London and the University of Cambridge, U.K.

The General Data Protection Regulation (GDPR), recent legislation that regulates the storage of personal data for all individuals within the European Union, came into effect this May. According to the law, all data controllers have to respect citizens’ rights in terms of keeping and transferring their private information. If a data controller fails to do so, the potential fines are set at €20 million (about $22 million) or four percent of global turnover/revenues, whichever is higher.

The recent U.K. study, published in the Richmond Journal of Law and Technologies, views blockchain and its nodes through the lens of GDPR. According to the researchers, crypto-related technologies could fall under these rules and be treated as “controllers,” given that they publicly store private information about E.U. citizens in the chain and allow third parties to operate it. This, the study reveals, might slow down technology implementation in the EU:

“There is a risk that this legal uncertainty will have a chilling effect on innovation, at least in the EU and potentially more broadly. For example, if all nodes and miners of a platform were to be deemed joint controllers, they would have joint and several liability, with potential penalties under the GDPR.”

However, the researchers emphasize that blockchain operators could be treated like “processors” instead, the same as the companies behind cloud technologies who act on behalf of users rather than control their data. This, the study continues, is mostly applicable for Blockchain-as-a-Service (BaaS) offerings, where a third party provides the supporting infrastructure for the network while users store their data and control it personally.

As examples of this type of blockchain platform, the researchers cite centralized platforms for land registry and private interbanking solutions that set up “a closed, permissioned blockchain platform with a small number of trusted nodes.” Such closed systems could effectively comply with GDPR rules, the report continues.

To meet the privacy law, blockchain networks might also store personal data externally or allow trusted nodes to delete the private key for encrypted information, thus leaving indecipherable data on the chain, the researchers state.

However, the GDPR rules are extremely difficult to comply with for more decentralized networks, such as those concerned with mining and cryptocurrency. In this case, the nodes operating with the data of E.U. citizens might agree to fork a new version of the blockchain from time to time, thus reflecting mass requests for rectification or erasure. “However, in practice, this level of coordination may be difficult to achieve among potentially thousands of nodes,” the study reads.

As a conclusion, the researchers urge the European Data Protection Board, an independent regulatory body behind GDPR, to issue clearer guidance on the application of data protection law to various common blockchain models.

As Cointelegraph wrote earlier, the GDPR could both support and harm blockchain. Despite the fact that current E.U. legislation partially has the same goals as crypto-related technologies, such as decentralizing data control, blockchain companies could also face extremely high fees as data controllers.
