WinDeveloper Coin Tracker

GDPR vs Blockchains vs Oversight

Alexander Zammit

Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

  • Published: Jun 16, 2021
  • Category: Law, Privacy

As if achieving GDPR compliance wasn’t hard enough, blockchains have to contend with oversight demands expecting privacy protection to be selectively lifted. Today we conclude this series with a look at other challenges that privacy solutions have to navigate.

In GDPR vs Blockchains - The Conflict and GDPR vs Blockchains - Convergence we focused exclusively on the challenges of GDPR compliance. However, the reality is that even if we satisfied the GDPR lawmakers we are still far from a happy ending.


Privacy, Anonymity and Oversight

The highest degree of privacy is complete anonymity, which unfortunately raises other complications. In a decentralized platform anyone can transact, whether or not they are law-abiding. The argument from a law enforcement perspective is that whereas we have a right to privacy, we do not have a right to anonymity when it comes to enforcement.

Law enforcement agencies require data access for various reasons, including taxation and national security. So on the one hand we have laws requiring privacy, but on the other we can have enforcement agencies requiring privileged access to the same data. Whereas from a legal perspective making such a distinction is fairly straightforward, implementing something that satisfies both needs is considered to be very difficult.

The conflict between privacy and oversight is nothing new and is certainly not unique to blockchains. One of the most popular such conflicts arose between the FBI and Apple in relation to the 2015 San Bernardino terrorist attack. One of the terrorists used an iPhone for his communications and the FBI wanted Apple to develop a backdoor for breaking its security. Apple refused to comply claiming that such a backdoor could be used against any iPhone, undermining the privacy of all users.

This is a good example of the fundamental conflict that arises when providing a backdoor or some sort of privileged access. This conflict is true both for centralized applications like iOS as well as for decentralized blockchains.

In the blockchain space, news that the US wanted a crackdown on privacy coins has been circulating for some time. Furthermore, last January some exchanges decided to delist privacy coins like Zcash and Monero without providing an explanation. Yet the most logical explanation seems to be that these centralized exchanges feared that some sort of enforcement was forthcoming.

When looking at such news, one might think that this only concerns single purpose blockchains providing private coins. This is not the case. First of all, privacy coins are very similar to private fungible tokens running on DLT platforms. Thus, enforcement in this space is relevant to them too.

Secondly, tokens are an important building block in various applications not related to decentralized finance (DeFi). A common example is using a private token to represent a vote in an election. The technologies used for building DeFi private tokens are the same ones used in non-DeFi applications. Thus, a broad crackdown on blockchains providing privacy is potentially debilitating to a much broader set of applications.

Even though this discussion largely concerned US enforcement, it is still very relevant to European business entities. Any business with global ambitions that is implementing a GDPR compliant DLT application cannot ignore the impact of such enforcement. Furthermore, a similar crackdown could also happen within the EU. So again, we end up with a lot of uncertainty, this time around whether we are providing too much privacy.


Quantum Disruption

Most blockchain privacy solutions today are built on top of elliptic curve cryptography, a technology that is not quantum resistant. Thus, we are working with technologies while knowing that on the horizon there exists a technology that could break their fundamental security assumptions.

This threat is real, so much so that NIST is currently leading the research for post-quantum cryptography standards.

If we look closely at privacy solution implementations, we see that some rely on storing encrypted data on-chain. This data should only be readable by the intended transaction recipient. The permanent storage provided by blockchains means that such data is permanently available for its privacy to be attacked.

This can be an issue with GDPR Article 5, which requires that data must be secured from "unauthorised or unlawful processing". Thus, as quantum computers advance in their computational power and their potential for breaking today's encryption becomes clearer, the responsibility for complying with this article will grow accordingly.



In ICT, cryptographers have always been regarded to be the champions of applied privacy. The blockchain community harbours a movement of the most extreme privacy supporters. It is hard to see a conflict of intents between them and GDPR lawmakers.

The privacy limitations in today's blockchains can be attributed to a number of factors. One of these is the success registered in applying deanonymization techniques.

Another is the need for decentralized blockchains to mature further. DLT platforms could certainly provide better built-in privacy support. Also maturing are the privacy-preserving technologies themselves. Research around zero-knowledge proofs and other technologies gained significant momentum in the last few years. This push confirms the community's commitment towards privacy.

However, in the long term, the biggest challenge seems to be reconciling privacy and oversight. Today we have a situation where the technical community and industry are expected to provide solutions for conflicting needs. Privacy coins like Monero and Zcash are testing the waters for the rest of the industry. The ongoing crackdown might define what kind of privacy blockchains can provide.

Revising GDPR to clarify the uncertainty of how it applies to a decentralized world would be beneficial to everyone. The outcome might be that decentralized entities require more individual responsibility. Ideally this would give the industry a clearer path of how it can innovate with minimal regulatory risks. The public would also benefit from having a clearer understanding of how far the law can go.

Decentralization can be a tool for much more effective direct democracy. It can bring about more transparency in institutions bogged down by bureaucracy. There might be a need for us to change our ways, where "us" includes everyone, including those setting the rules.
