Study Shows that Private Blockchains Might be Compatible with EU GDPR Privacy Rules

By Zach Blockchain, EU, GDPR

As you may already know, blockchain technology has massive potential to disrupt numerous industries throughout the world. However, the worldwide adoption of the technology is only possible with a supportive regulatory framework.

A study carried out by the University of Cambridge in partnership with Queen Mary University of London examines whether private blockchains are compatible with the European Union's recently adopted GDPR privacy law.

For context, the GDPR regulates how the personal data of EU residents is stored and processed. Any company operating in the EU that controls personal data must follow a set of rules covering the storage, transfer and use of that data. Failing to do so exposes the company to fines of up to €20 million or 4% of its worldwide annual turnover, whichever is higher.

Private blockchains are an important part of the blockchain revolution and support a number of novel use cases, such as interbank settlement platforms. Interpreting the GDPR, the researchers conclude that firms running private blockchains could be classed as data controllers, since the chain stores personal information about its users and makes that data available to other participants. Complying with the GDPR in that role is difficult, because the personal data is accessible to third parties and replicated across every node.

On this point, the study notes: “There is a risk that this legal uncertainty will have a chilling effect on innovation, at least in the EU and potentially more broadly. For example, if all nodes and miners of a platform were to be deemed joint controllers, they would have joint and several liabilities, with potential penalties under the GDPR.”

The study therefore suggests that, under the GDPR, firms operating private blockchains could instead be treated as data processors rather than controllers. This makes the legal framework somewhat easier to meet, since a processor does not decide how user data is used but acts on behalf of the controller, and ultimately of the user who has given consent.

Full compliance with the current law is hard to achieve directly, but the study reports that workable designs exist. Permissioned private blockchains that run only a small number of contained, trusted nodes can be operated in line with the GDPR rules. Blockchain companies can also keep personal user data off-chain, in external storage that can be changed or deleted, rather than writing it to the ledger itself.

By contrast, compliance is close to impossible for public, permissionless (decentralized) blockchains. The GDPR gives data subjects the right to have their data rectified or erased on request, and the immutability of a blockchain makes that impossible once the data has been written to it. A hard fork to rewrite the records of EU citizens alone is not a realistic answer: the effort and the damage to the network's integrity would outweigh the benefit.
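The two engineering points in the passages above, keeping personal data off-chain and honouring an erasure request on an immutable ledger, fit together as a single pattern: write only a salted commitment (hash) of the personal data on-chain and keep the data plus its salt in an ordinary, deletable store. The following illustration is an added example written for this page; it is not code from the study, the article or any real blockchain platform, and the ledger, store, record schema and sample customers are all constructed for it.

```python
"""Added illustration (not from the study or the article): personal data stays in an
erasable off-chain store; only a salted commitment goes on-chain.  An erasure request
deletes the off-chain row (data and salt), while the chain stays intact and verifiable.
Every name, the record schema and the sample data are constructed for this example."""
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _sha256(*parts: bytes) -> str:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.hexdigest()


def commitment(salt: bytes, data: dict) -> str:
    """Salted SHA-256 over the canonical JSON encoding of the personal data."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(salt, canonical)


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    record_id: str      # opaque identifier; carries no personal data itself
    commitment: str     # salted hash of the off-chain record
    block_hash: str


class Ledger:
    """Minimal append-only hash chain standing in for the on-chain side (assumed design)."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    @staticmethod
    def _hash_block(index: int, prev_hash: str, record_id: str, commit: str) -> str:
        return _sha256(str(index).encode(), prev_hash.encode(), record_id.encode(), commit.encode())

    def append(self, record_id: str, commit: str) -> Block:
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS
        idx = len(self.blocks)
        block = Block(idx, prev, record_id, commit, self._hash_block(idx, prev, record_id, commit))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every link; erasing off-chain data must not break this."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev:
                return False
            if b.block_hash != self._hash_block(b.index, b.prev_hash, b.record_id, b.commitment):
                return False
            prev = b.block_hash
        return True

    def find(self, record_id: str) -> Optional[Block]:
        return next((b for b in self.blocks if b.record_id == record_id), None)


class OffChainStore:
    """Mutable, erasable store holding the salt and the personal data itself."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, dict]] = {}

    def put(self, record_id: str, data: dict) -> bytes:
        salt = os.urandom(32)  # fresh 256-bit salt per record; a bare hash could be guessed
        self._rows[record_id] = (salt, data)
        return salt

    def get(self, record_id: str) -> Optional[Tuple[bytes, dict]]:
        return self._rows.get(record_id)

    def erase(self, record_id: str) -> bool:
        return self._rows.pop(record_id, None) is not None


def register(ledger: Ledger, store: OffChainStore, record_id: str, data: dict) -> Block:
    """Store the data off-chain, then anchor only its salted commitment on-chain."""
    salt = store.put(record_id, data)
    return ledger.append(record_id, commitment(salt, data))


def check_record(ledger: Ledger, store: OffChainStore, record_id: str) -> Optional[bool]:
    """True/False if the off-chain data still matches its on-chain commitment; None once erased."""
    block, row = ledger.find(record_id), store.get(record_id)
    if block is None or row is None:
        return None
    salt, data = row
    return commitment(salt, data) == block.commitment


def erase_subject(store: OffChainStore, record_id: str) -> bool:
    """Serve an erasure request: drop data and salt off-chain; the ledger is left untouched."""
    return store.erase(record_id)


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    # Constructed sample records for hypothetical data subjects.
    register(ledger, store, "cust-001", {"name": "A. Example", "iban": "DE00 0000 0000 0000 0000 00"})
    register(ledger, store, "cust-002", {"name": "B. Example", "iban": "FR00 0000 0000 0000 0000 000"})
    print("chain valid:", ledger.verify(), "record ok:", check_record(ledger, store, "cust-001"))
    erase_subject(store, "cust-001")
    print("after erasure: chain valid:", ledger.verify(), "record:", check_record(ledger, store, "cust-001"))
```

Two caveats a practitioner should keep in mind. First, the pattern only works if the personal data is never written on-chain in the first place; nothing here can remove data from a block that already contains it. Second, the salted commitment remains on the ledger after erasure. Without the salt it cannot be reproduced or matched by guessing, but whether such residue still counts as personal data under the GDPR is exactly the kind of question the study says regulators have yet to answer.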

Because the GDPR was drafted without blockchain technology in mind, the researchers have asked the European Data Protection Board either to amend the rules or to issue clear guidance on how they apply to private blockchains and similar systems.