Public Blockchains were never meant to be anonymous. Transactions and individuals are traceable and information is stored in perpetuity for public access. How can this ever be compatible with the GDPR?
Talium, a blockchain integrator and IT engineering company, posted an article reminding readers that, prima facie, most advantages of a Public Blockchain directly conflict with the GDPR:
- Data recorded in a Public Blockchain is publicly available
- The immutability of the records (data cannot be modified or deleted once recorded) conflicts with the right to be forgotten (right to erasure) and with privacy rights that entitle individuals to request the deletion of their data
- The shared governance of a Public Blockchain could conflict with the obligation to appoint an individualized Data Protection Officer (DPO).
According to Talium, technical solutions exist to attempt compliance with most provisions of the GDPR:
- Data recorded on the Blockchain could be anonymized through pseudonyms and aliases, combined with public keys that are renewed frequently, making it much harder to identify the individuals behind a transaction. Some services have already implemented this method (*)
- Blockchain could use “self-sovereign” governance and consent systems to replace the DPO (**)
- Adopt a privacy-by-design approach, in which the law dictates specific features to be implemented in each application or service, influencing the whole design of the application from the start.
- Obviously, companies must make sure to receive users’ consent to the execution of smart contracts. According to Talium, it is easy to comply with this requirement because the consent is easily traceable thanks to the Blockchain.
Talium adds that, even though authorities have not yet judged the compatibility of the Blockchain and the GDPR, hopes are that serious efforts to comply with the regulation will be rewarded.
To learn more about Public and Private Blockchains, read the full article (in French) on Talium’s website http://talium.fr/rgpd-et-blockchain/
(*) Anonymisation of financial transactions often conflicts with banking transparency and anti-money-laundering regulations for paid services (“KYC”, Know Your Customer)
(**) To know more about the concept of self-sovereignty: https://sovrin.org/#row_2