The Right to Privacy
The right to privacy is widely recognized in European Union member states. From the Universal Declaration of Human Rights, through the European Convention
on Human Rights, to the Charter of Fundamental Rights of the European Union, privacy is enshrined as a fundamental human right.
Even so, the threats eroding this right continue to multiply. Advances in technology keep increasing the capacity to collect, store, and process information.
The huge corporations behind social media platforms and search engines have built business models around their ability to entice people to hand over information and
their ability to extract value from it.
This aggressive attack on privacy served as the backdrop for the General Data Protection Regulation (GDPR), which was adopted in 2016 and became enforceable in 2018 across the
European Economic Area (EEA). It replaced the Data Protection Directive of 1995 and harmonized national data protection law across European states: a regulation that matured slowly
over the years, giving muscle to the safeguarding of privacy.
While GDPR was taking its time to be enacted, a new and highly disruptive technology was taking off. In late 2008 the Bitcoin whitepaper was published, a technology that initially
went unnoticed by lawmakers. By the time GDPR was ready for enforcement, its disruption had become a lot more evident.
Bitcoin's Privacy Promise
The Bitcoin whitepaper was originally posted to the metzdowd.com cryptography mailing list, targeting
the cypherpunk community. It aimed to on-board that community for developing, testing, and running the first blockchain nodes. This community is characterized by its knowledge of cryptography
and its advocacy for privacy, as we can see from its manifesto: "Privacy is necessary for an open
society in the electronic age... Privacy in an open society also requires cryptography."
Consistent with this, the Bitcoin whitepaper includes a section explaining its privacy goals: "The public can see that someone is sending an amount to someone else,
but without information linking the transaction to anyone". Following that, the paper advises using a new key pair for every transaction to further safeguard privacy.
Bitcoin had no wish to erode the privacy of its users. The true limitations of the Bitcoin privacy promise, and of the blockchains that followed, only became evident a few years later.
In 2013 Dorit Ron and Adi Shamir published their study analysing the Bitcoin transaction graph. This paved the way for clustering
addresses and mapping them to a single owner. It was through such studies that the inadequacy of these privacy measures became fully apparent.
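To show why a fresh key pair per transaction is not enough, here is an added illustration (not code from the article or from Ron and Shamir's paper) of the multi-input clustering heuristic that such transaction-graph studies rely on: addresses whose coins are spent together in one transaction are assumed to belong to one owner, so new addresses still get linked. The transactions below are constructed sample data.

```python
# Added example: common-input-ownership clustering over a tiny, constructed
# transaction graph. Owner A follows the whitepaper's advice and uses a fresh
# change address (A2, A4, ...) for every payment, yet the heuristic ties them
# together. Caveat: the heuristic produces false positives when unrelated
# parties deliberately co-spend in one transaction.
from collections import defaultdict

# Constructed sample transactions (addresses may receive more than one coin).
SAMPLE_TXS = [
    {"inputs": ["A1"], "outputs": ["B1", "A2"]},        # A pays B, change to fresh A2
    {"inputs": ["A2", "A3"], "outputs": ["C1", "A4"]},  # A combines two coins to pay C
    {"inputs": ["A4", "A5"], "outputs": ["D1"]},        # A pays D from two coins
    {"inputs": ["A3", "A5"], "outputs": ["E1"]},        # A3 and A5 each held a second coin
    {"inputs": ["B1"], "outputs": ["F1", "B2"]},        # B spends what A paid
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into owner clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_addresses(txs):
    """Link every input of a transaction to its first input, then group.

    Returns a sorted list of sorted address clusters (only addresses that
    appear as inputs, since outputs alone say nothing about ownership).
    """
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    groups = defaultdict(set)
    for tx in txs:
        for addr in tx["inputs"]:
            groups[uf.find(addr)].add(addr)
    return sorted(sorted(g) for g in groups.values())
```

Running it on the sample shows A2 through A5 collapsing into one cluster; only A1, which was never co-spent, and B1 stay separate.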
Blockchain vs GDPR
Looking at some of the most fundamental pillars of public blockchains, we can easily see how these seem irreconcilable with GDPR.
Immutability - the property guaranteeing that past transactions cannot be modified. The longer a transaction has been on the blockchain, the harder it becomes to delete.
Public Verifiability - the property allowing anyone to read and verify transactions.
It is easy to see how these properties conflict with the very principles behind the regulation. How can a blockchain whose data is public for anyone to read satisfy the principles
of purpose limitation and confidentiality? How can data that cannot be deleted satisfy the principles of storage limitation and accuracy?
These are very real challenges, especially if we look at the most widely used public blockchains, Bitcoin and Ethereum, both of which have very little built-in privacy protection.
An article on this topic highlights opinions widespread in the blockchain
community, pointing out that GDPR assumed it would apply to centralized services and thus needs updating. This line of thought is supported by the fact that GDPR largely hinges on
identifying legal persons fulfilling the roles of Data Controller and Data Processor.
The same article also quotes Jan Philipp Albrecht, the MEP who spearheaded GDPR, saying: "This does not mean that blockchain technology in general has to adapt to the GDPR, it just means that it
probably cannot be used for the processing of personal data".
While upholding the right to privacy is commendable, one must point out that if European companies had to operate in a stricter regime than the rest of the world, they would be at a competitive
disadvantage. On the other hand, since GDPR also applies to companies from outside the EEA that process the information of its citizens, relocating would not shield companies targeting the
All these arguments are valid and highlight a conflict, but this is not the complete story.
Is GDPR Enforceable?
The enforceability of privacy laws leads to an important observation about the choice between private, consortium and public blockchains. Non-public blockchains rest on
centralized governance. Governance is the key here: even if the technology is architecturally decentralized, governance is what allows legal persons to be identified. Once governance
is centralized, GDPR enforcement can easily target whoever controls the blockchain.
In this space, a number of private blockchains started off by customizing the code of popular decentralized blockchains such as Ethereum. Even so, such projects still need to
implement significant changes to satisfy privacy laws.
When it comes to decentralized blockchains, identifying Data Controllers can be much harder. In this regard
the article quotes Albrecht saying that it might be up to the users themselves to
ensure that the blockchain they use is GDPR compliant. This highlights how, even when not GDPR compliant, decentralized blockchains can be elusive when it comes to enforcement.
While today it is unclear how GDPR can be enforced against decentralized entities, the same is not necessarily true for distributed ledger applications
running on top of them. Such applications are often deployed by companies in the context of their business activity. Thus we end up with centralized governance running on top of
decentralized architecture. The profile of a legal person acting as Data Controller is fulfilled, making such actors an easy enforcement target.
Even so, GDPR will not always be easy to enforce when it comes to DLT applications. Smart contracts can be developed collaboratively and deployed such that the contract is self-governing.
Decentralization is thus achieved both at the blockchain and at the application level.
The notorious Decentralized Autonomous Organization (DAO) smart contract that led to the split between Ethereum and Ethereum Classic had such a self-governance property, which is why countering
the hack to which it fell victim required a hard fork. Contracts cutting off their link to any legal person again give rise to enforceability challenges.
Problems with enforceability lead to uncertainty. One may consider this an opportunity for a free-for-all, but uncertainty is also an inhibitor. Revisiting privacy laws and clarifying
how they apply to a decentralized world would benefit everyone. EU citizens today might be giving up personal data under the false impression that GDPR is enforceable and will provide
redress whenever their privacy rights are not respected.
Likewise, businesses are less ready to invest in technologies surrounded by regulatory uncertainty. This hurts start-ups significantly more than established companies, which
have the legal resources to navigate such uncertainty.
Summing it up
Today we highlighted the conflict between GDPR compliance and decentralized blockchains. We also talked about how decentralization exposes the enforceability limits of GDPR.
Despite this conflict we should never forget that Bitcoin originates from a community of strong privacy advocates who certainly had no wish to erode the privacy of its users.
Watch out for the next part, where we explore the potential convergence between these two seemingly irreconcilable foes.