At the end of May, the European Union General Data Protection Regulation (GDPR) came into effect. It regulates the way companies across the globe collect and process personal information from UK and EU subjects. Personal information includes any information that identifies, or could reasonably be used to identify, a person, such as names, contact details, and usernames. The GDPR grants a number of rights, such as the right to access, rectify, and erase personal information held by the company that controls and collects the data. In light of recent data breaches, such as the one involving Facebook and Cambridge Analytica, the new data policies aim to prevent the misuse of the personal information of UK and EU nationals. However, the nature of blockchain technology and the new data protection regulations are at odds with one another.
Blockchain technology, the decentralized ledger, creates permanent records of data. A blockchain can be programmed to be open to the public or restricted to a private group of authorized users. One of the main appealing features of blockchain technology is that it is tamper-proof. Once data is entered into the system and verified, it becomes part of the permanent record of the ledger and cannot be deleted. Although individuals may not be storing sensitive data on a blockchain, the GDPR defines personal information as any data that can be traced back to an individual. The permanence of the ledger is in direct conflict with the GDPR, which grants UK and EU nationals the right to request that companies delete their stored personal information.
Even before the implementation of the GDPR, in 2014 the European Court of Justice (ECJ) held that Google had to remove links to third-party websites that contained personal information in order to protect an individual’s right to privacy. EU regulators and businesses need to strike a balance between protecting users’ personal information and not stifling technology. Attorneys across different firms have attempted to find solutions that allow companies to maintain personal data using blockchain technology while complying with the GDPR. One suggestion is that “companies store all personal data in traditional databases and only store on the blockchain hashed data designed not to be untangled … That way, the personal data can be corrected or deleted off-chain and the remaining data held on the blockchain cannot be linked back to an identifiable individual”.
Although this could be a solution for some companies, not all will have the finances and resources to implement it. The company Parity Technologies Ltd. had to discontinue its Parity ICO Passport Service (PICOPS), which “enable[d] individuals to associate a single Ethereum address with their unique identity”, due to the new data regulations in the GDPR. Going forward, companies need to ensure that no personal data of UK or EU subjects appears on their blockchain in order to avoid liability from the EU Commission. Eventually, EU regulators and fintech experts will need to collaborate and find a balance that both protects personal data in compliance with the GDPR and permits companies to use blockchain technology in a variety of industries. This may ultimately be a question brought to the ECJ.
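The off-chain storage suggestion quoted above, illustrated as an added example that is not code from this article or its sources. The names `OffChainStore`, `LEDGER`, `commit` and `linkable_by_guessing` and the sample e-mail address are constructed for illustration, and a per-record keyed hash (HMAC-SHA-256) is an assumption about how the on-chain value could be “designed not to be untangled”; the last function shows why an unkeyed hash of guessable data would not meet that bar.

```python
import hashlib
import hmac
import secrets

LEDGER = []  # stand-in for the append-only chain: entries are never removed


def commit(key: bytes, personal_data: bytes) -> str:
    """Keyed hash; without the off-chain key it cannot be tested against guesses."""
    return hmac.new(key, personal_data, hashlib.sha256).hexdigest()


class OffChainStore:
    """Traditional, mutable database holding the personal data and per-record keys."""

    def __init__(self):
        self.rows = {}  # record_id -> (key, personal_data, ledger_index)

    def register(self, personal_data: bytes) -> str:
        record_id = secrets.token_hex(8)   # random identifier, carries no personal data
        key = secrets.token_bytes(32)      # fresh random key per record
        LEDGER.append(commit(key, personal_data))
        self.rows[record_id] = (key, personal_data, len(LEDGER) - 1)
        return record_id

    def verify(self, record_id: str) -> bool:
        """True only while the off-chain row still matches its on-chain entry."""
        row = self.rows.get(record_id)
        if row is None:
            return False
        key, data, idx = row
        return hmac.compare_digest(commit(key, data), LEDGER[idx])

    def erase(self, record_id: str) -> None:
        """Erasure request: delete data and key; the ledger itself is untouched."""
        self.rows.pop(record_id, None)


def linkable_by_guessing(on_chain_digest: str, candidates: list[bytes]) -> bool:
    """Can an unkeyed SHA-256 entry be matched to a person from a list of guesses?"""
    return any(hashlib.sha256(c).hexdigest() == on_chain_digest for c in candidates)
```

After `erase`, the ledger entry remains but nothing off-chain can reproduce it, whereas a plain SHA-256 of an e-mail address or name stays matchable by anyone who can enumerate likely values.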
Google Spain SL et al. v. Agencia Española de Protección de Datos, C-131/12 (May 13, 2014).
Kochman, Ben. (May 24, 2018) “Blockchain Users To Walk Tightrope In Age Of GDPR.” Law360. Available at: https://www.law360.com/securities/articles/1045951/blockchain-users-to-walk-tightrope-in-age-of-gdpr?nl_pk=90996a46-d723-4b60-bcd8-9866b2ae15a6&utm_source=newsletter&utm_medium=email&utm_campaign=securities. Accessed on June 5, 2018. Per Emily Tabatabai, partner at Orrick Herrington & Sutcliffe LLP.
Parity Technologies Ltd. (May 18, 2018) “PICOPS to be discontinued on May 24th, 2018.” Available at: https://paritytech.io/picops-discontinued-may-24th-2018/. Accessed on June 5, 2018.