EU regulators have once again proven that they would rather look to the past than to the future. They had an excellent opportunity to acknowledge the technology shifts happening all around us and come up with something that doesn’t block their adoption. Instead, they preferred going the safer route of designing and implementing the GDPR.
This may be a contentious perspective, since blockchain was still very much in its nascent form when the GDPR was drafted. But that said, shouldn’t the regulators have looked into it anyway and at least kept some cards up their sleeves? Or is that too much to ask?
Let’s consider some key aspects of the GDPR to determine whether and how blockchain can survive amidst all such data privacy regulations – especially since there is little reason to doubt that data privacy regulations will likely become stricter outside the EU as well.
The GDPR came into force on May 25, 2018, with the goal of providing a uniform data regulation framework for the EU and strengthening individuals’ control over the storage and use of their personal data. The GDPR calls upon data processors to collect only such data as is directly useful to their immediate interaction with consumers and to have “privacy by design” built into their architectures to ensure that the data is then erased to avoid unintended use. There are many additional organizational guidelines that carry heavy fines for non-compliance. We saw the mad rush in April–May 2018 to be on the right side of the regulation.
If we look at the figure below, we see that blockchain is gaining in both attention and adoption. Personally, I believe adoption rates will eventually exceed these numbers.
However, data privacy regulations are making this difficult. The central idea of the immutability of blockchain conflicts with the premise of the right to be forgotten enshrined in the GDPR. Any blockchain implementation must have data at its core that will continue to stay there and cannot be altered or erased. There are certain workarounds that blockchain projects are looking at today:
1. Hashing – This involves saving user data in hashed documents that cannot be used without keys controlled by users. Although most attorneys engaged in blockchain projects qualify this as a GDPR-compliant process, it is done in the absence of clear guidelines in the GDPR. Hashing seems to be working in the short run, but there is no guarantee that future regulations will not hamper it in the long run.
2. Personal data off-chain – This solution actually challenges the basics of blockchain implementation itself, considering that data is moved from an immutable to a mutable repository. However, it is gaining ground as a potential compromise among blockchain projects hoping to survive amid data privacy regulations.
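One way to combine the two approaches listed above, as an added example that is not from the original article: personal data and a per-user key live in a mutable off-chain store, and only a keyed hash (HMAC-SHA-256) is written to the append-only ledger. `Ledger`, `OffChainStore` and `guessable` are hypothetical names, the ledger is a toy hash chain, and reading "keys controlled by users" as an HMAC key is an assumption.

```python
import hashlib, hmac, json, secrets

def _digest(prev: str, commitment: str) -> str:
    body = {"prev": prev, "commitment": commitment}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only hash chain standing in for a blockchain (constructed toy)."""
    def __init__(self):
        self.blocks = []

    def append(self, commitment: str) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "commitment": commitment,
                            "hash": _digest(prev, commitment)})
        return len(self.blocks) - 1

    def intact(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != _digest(b["prev"], b["commitment"]):
                return False
            prev = b["hash"]
        return True

class OffChainStore:
    """Mutable store: holds the personal data and the per-user key (assumption)."""
    def __init__(self, ledger: Ledger):
        self.ledger, self.records = ledger, {}

    def register(self, user_id: str, personal_data: str) -> int:
        key = secrets.token_bytes(32)
        tag = hmac.new(key, personal_data.encode(), hashlib.sha256).hexdigest()
        index = self.ledger.append(tag)  # only the keyed hash goes on-chain
        self.records[user_id] = {"key": key, "data": personal_data, "index": index}
        return index

    def verify(self, user_id: str) -> bool:
        rec = self.records.get(user_id)
        if rec is None:
            return False
        tag = hmac.new(rec["key"], rec["data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, self.ledger.blocks[rec["index"]]["commitment"])

    def erase(self, user_id: str) -> None:
        self.records.pop(user_id, None)  # drops data and key; ledger is untouched

def guessable(commitment: str, candidates) -> bool:
    """True if an unkeyed SHA-256 of any candidate reproduces the on-chain value."""
    return any(hashlib.sha256(c.encode()).hexdigest() == commitment for c in candidates)
```

An unkeyed hash of low-entropy data such as an e-mail address can be re-derived by guessing, which is why the sketch keys the hash. Whether the value left on-chain after erasure still counts as personal data is a legal question the code does not settle.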
In a nutshell, if blockchain implementation continues successfully in unregulated regions, then data privacy regulations are bound to fail. If nothing else, such regulations will have to address the technology for economic reasons, given its huge potential. This will force regulators to look hard at their frameworks and work with the technology community to expand the regulations. It is difficult to say how long this might take, but I am certain it will happen for blockchain.
We are seeing blockchain projects coming up in various sectors including financial services, healthcare, and others. Some of these sectors are data intensive and need these projects to address the regulatory challenges being introduced by regulations such as GDPR. I do expect to see some more innovations coming up through these projects to address data regulations effectively while retaining the purpose of blockchain (immutability, transparency). This is the space worth watching in coming months.