Blockchain, the technology behind Bitcoin and Ether, can securely record transactions, store huge amounts of data forever, and offer transparency by letting anyone view the information it contains. That makes it ideal for virtual currencies and some applications in insurance, health care, and other industries—and a thorny problem for a new European law on privacy.
Under the European Union’s General Data Protection Regulation, companies will be required to completely erase the personal data of any citizen who requests that they do so. For businesses that use blockchain, specifically applications with publicly available data trails such as Bitcoin and Ethereum, truly purging that information could be impossible. “Some blockchains, as currently designed, are incompatible with the GDPR,” says Michèle Finck, a lecturer in EU law at the University of Oxford. EU regulators, she says, will need to decide whether the technology must be barred from the region or reconfigure the new rules to permit an uneasy coexistence.
Compliance headaches could afflict thousands of companies. More than 1,000 apps are being built on the Ethereum blockchain alone, according to the stateofthedapps.com directory. “I think it will impede some of the applications,” Greg McMullen, a lawyer based in Germany and blockchain expert, says of the law. “We’ll get a bit of a reality check on what the right kinds of applications are to build on a blockchain.”
Under GDPR, the definition of personal data is deliberately very broad. In principle, it covers any information that relates to an identifiable, living individual, such as a person’s name or social security number. But it could also include any type of data that could directly or indirectly identify an individual.
“Some of the most important areas of guidance have been issued in the last two, three, four months,” says Jules Polonetsky, chief executive officer of the Future of Privacy Forum, a privacy think tank that works with chief privacy officers, academics, and policymakers. “There’s a lot of detail, but still a lot of subjective interpretation.”
It’s possible that even an individual’s public Bitcoin address—a string of letters and numbers used to send and receive the digital currency—could be considered personal information. “Encrypted data will often qualify as personal data and not as anonymous data,” the law firm Hogan Lovells said in a recent note. “This means that in most instances the privacy rules will be applicable to at least some of the data involved in blockchain systems.”
Some companies may have to redesign their software and buy costly traditional databases to move any personally identifiable information they possess off a blockchain. That would help with compliance, but it could remove some of a blockchain’s benefits. It will be harder to ensure that documents stored outside a blockchain haven’t been tampered with, for example. And moving off a blockchain could be expensive, especially for startups. Maintaining their own databases costs more, and such companies might need to raise funds to build IT infrastructure.
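The redesign described above usually takes one concrete shape: the personal data itself moves into an ordinary, deletable database, and only a commitment to it (a keyed hash) is written to the ledger, so integrity can still be checked while the record remains erasable. The following is an added illustration of that pattern, not code from the article or from any of the companies it names. It simulates the chain with an in-memory, hash-linked, append-only list; the `Ledger`, `OffChainStore`, `commit` and `demo` names and the sample records are constructed for the example. Whether the commitment that stays on the ledger after erasure still counts as personal data is exactly the open question the article raises; the code shows the mechanics, not a legal answer.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Stand-in for an immutable chain: an append-only, hash-linked list.

    Entries are never removed or modified, which is the property that makes
    honouring an erasure request on-chain impossible in the first place.
    """
    entries: list = field(default_factory=list)

    def append(self, commitment: str) -> int:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry_hash = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.entries.append(
            {"prev": prev, "commitment": commitment, "entry_hash": entry_hash}
        )
        return len(self.entries) - 1  # index the off-chain store keeps

    def verify_chain(self) -> bool:
        """Recompute every link; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256((prev + e["commitment"]).encode()).hexdigest()
            if e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def commit(record: dict, salt: bytes) -> str:
    """Keyed commitment to a canonical JSON encoding of the record.

    A plain SHA-256 of low-entropy fields (name, date of birth) could be
    brute-forced by guessing; keying it with a random per-record salt that
    lives only off-chain means deleting the salt leaves nothing guessable.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(salt, canonical, hashlib.sha256).hexdigest()


class OffChainStore:
    """Mutable store holding the personal data and its salt; fully deletable."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records: dict = {}  # subject_id -> {"record", "salt", "index"}

    def store(self, subject_id: str, record: dict) -> int:
        salt = secrets.token_bytes(32)
        idx = self.ledger.append(commit(record, salt))
        self.records[subject_id] = {"record": record, "salt": salt, "index": idx}
        return idx

    def verify(self, subject_id: str) -> bool:
        """True only if the off-chain record still matches its on-chain commitment."""
        entry = self.records.get(subject_id)
        if entry is None:
            return False
        on_chain = self.ledger.entries[entry["index"]]["commitment"]
        return hmac.compare_digest(commit(entry["record"], entry["salt"]), on_chain)

    def erase(self, subject_id: str) -> bool:
        """Honour an erasure request: drop the data and the salt, leave the ledger alone."""
        return self.records.pop(subject_id, None) is not None


def demo() -> dict:
    """Walk through store, tamper-detect, and erase on constructed sample records."""
    ledger = Ledger()
    store = OffChainStore(ledger)
    store.store("subject-1", {"name": "Alice Example", "dob": "1980-01-01"})
    store.store("subject-2", {"name": "Bob Example", "dob": "1975-06-30"})

    verified_before_tamper = store.verify("subject-1")
    store.records["subject-1"]["record"]["dob"] = "1999-12-31"  # simulated tampering
    tamper_detected = not store.verify("subject-1")
    store.records["subject-1"]["record"]["dob"] = "1980-01-01"  # restore

    erased = store.erase("subject-2")
    return {
        "verified_before_tamper": verified_before_tamper,
        "tamper_detected": tamper_detected,
        "erased": erased,
        "verify_after_erase": store.verify("subject-2"),
        "chain_intact": ledger.verify_chain(),
        "ledger_length": len(ledger.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the demo is the asymmetry: tampering with the off-chain copy is still caught, because the commitment on the ledger cannot be altered, yet an erasure request can be honoured by deleting the record and its salt, which leaves the ledger entry in place but unlinkable to the person.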
Not everyone sees GDPR as blockchain’s death knell. Some of the technology’s boosters say the features that appeal to blockchain users could be used to assist businesses in meeting the law’s requirements. “This is all something a blockchain can be quite helpful with,” says Brian Behlendorf, executive director of Hyperledger, a consortium of companies that builds blockchain software. Software provider Cambridge Blockchain and security company LuxTrust SA are testing this idea. Together they are developing software to help businesses—banks, for example—better manage personal data in compliance with “know-your-customer” rules. That information might have to be managed differently because of GDPR.
The consequences for companies that can’t or don’t want to adapt could be huge. “I think you are going to see quite a few industries and companies completely pull out of Europe, and many that shut down, and you are going to see bankruptcies,” says Mark Rudnitsky, CEO of HealthHeart, a Chicago startup that’s working on managing electronic health records via the Ethereum blockchain. Of course, since GDPR has yet to be implemented, it’s hard to know what the precise regulatory expectations will be.
“I suspect that GDPR will also have to adapt to the blockchain in a way,” says Winston Maxwell, a privacy lawyer at Hogan Lovells in Paris. “GDPR is robust, but it’s also flexible. It doesn’t close the door on blockchain. It means people have to slow down and ask, who is responsible for what, what safeguards go around which data, and are we getting consent?”
(Updates the second paragraph with a fuller quote from Michèle Finck.)