Blockchain vs. European privacy law (GDPR)

Under the European Union’s General Data Protection Regulation, companies will be required to completely erase the personal data of any citizen who requests that they do so. For businesses that use blockchain, specifically applications with publicly available data trails such as Bitcoin and Ethereum, truly purging that information could be impossible. “Some blockchains, as currently designed, are incompatible with the GDPR,” says Michèle Finck, a lecturer in EU law at the University of Oxford. EU regulators, she says, will need to decide whether the technology must be barred from the region or reconfigure the new rules to permit an uneasy coexistence.

Here is more from Olga Kharif at Bloomberg.

Comments

Would similar rules apply to a publisher of (paper) phone books? Do all publishers of physical books get a pass? What if they only publish on Kindle? Or how about publishers of email newsletters?

I wonder if this will inspire any businesses to move to paper or email.

Doesn't matter in which form you hold the data, GDPR applies. So paper records also need to comply

'So paper records also need to comply'

Except where they conflict with other laws. For example, payment records cannot be scrubbed at someone's request, as the tax authorities require such records be held for an extended period of time (a decade or considerably more, depending on various factors).

Exactly, are many conflicts with other laws, procedures, business practices, etc. I'm agree is necessary protect the personal data, but the GDPR actually bring more problems than solutions IMO. The law must be B&W and the GDPR is a complete rainbow of things, anybody really understands how fully apply it

And most of those conflicts are meaningless. The record keeping requirement for taxes? Unchanged, of course. All the GDPR does is make a business like Facebooks's considerably harder. Schufa or Crefo in Germany` Not so much. But Schufa and Crefo aren't giving away the data of EU citizens the way that Facebook gave away the data of tens of millions of Americans - and in seeming violation of a binding FTC consent decree, to boot..

What the GDPR does make clear is that data is not something that can be simply commercially collected and used without the permission of the person that is the actual source of permission to use and collect that data. Basically, it says that companies have no explicit right to profit from those who say they have no wish for to participate in such practices. And yes, an ad network like Google or Facebook will find its profitability impacted if such a perspective becomes widespread outside of the EU.

In the software engineerig community there has been a lot of discussion of ways to work around this issue, since a number of private datastores also function as an "immutable log" which cannot be edited, as is the case for blockchains.

It is (perhaps hopefully) believed that GDPR can be satisfied by encrypting the PII (personally identifiable information) before writing it to the blockchain/datastore, such that throwing away the decryption key would be equivalent to destroying the data.

This has obviously not been tested in court yet.

That is indeed the big issue with the (actually any) legislation. Until the first cases make it to court no one knows exactly how to interpret GDPR or how much wiggle room you have

Europe is really becoming a different place than the U.S. It was never identical of course, but it felt like the 2 'cultures' were getting a little closer...but it feels like that's reversed now

Yes, with all the experience of totalitarian surveillance states up until the early 90s, Europeans have a much more intimate grasp of what it means for personal data to be collected without any control, to the benefit of those doing the collecting. And as for the precautionary principle, that was another thing that totalitarian surveillance states were completely uninterested in having apply to their actions.

Wow... if you need a story to fit your narrative, you make it up. What exactly has GDPR to do with refusal of totalitarian state? Do you see any provisions in GDPR on the governments forbidding them to collect data? Yep, there are some provisions in other areas (like EU court declaring that the states required internet operators to gather unacceptadly too much data... ignored by some states). But GDPR is mostly about private companies. I guess the private companies gathering personal data were a huge deal in totalitarian states...except there were no private companies in much of the eastern europe...

I'm very reluctant to call GDPR a 'good thing'; on one hand making people to be more careful with the data makes sense; on the other hand the real costs of the current state don't seem to be very high while the conformance costs are quite palpable, it makes provision of many services more expensive and thus impacting negatively competition.

I live in Germany - you are familiar with Germany's modern history, and its impact on German attitudes to data privacy, right?

'But GDPR is mostly about private companies.'

Exactly - Germans are no more enthusiastic about a for profit surveillance system than they are of the older fashioned government run systems.

'I guess the private companies gathering personal data were a huge deal in totalitarian states'

Of course not - Stasi, with its millions of IM unpaid employees, could only dream of the breadth of surveillance that a company like Facebook, using cell phone data, can effortlessly provide to anyone willing to pay - government or private.

'it makes provision of many services more expensive '

You do know that a majority of German already don't use Facebook, and have absolutely no interest in making things easier for Facebook to profit from personal data, right? Maybe you should check out how Germans continue to react to Google's Street View - 'Germany’s intense culture of privacy means that, even in 2017, many of the nation’s roads remain a mystery — at least to Google’s roving mechanical eyes. Made from Google’s own data, the map sums up a long history of the company’s troubles with Germany. It all started in August 2010, when Google announced it would be mapping Germany’s 20 largest cities by the end of the year. But many Germans were outraged.

Privacy has long been a central issue in Germany. As The Economist and other outlets reported, the legacy of the Nazi’s Gestapo police and East German Stasi still holds power over citizens. That’s had a host of repercussions, including the passage of the world’s first data protection law in Germany in 1970. Naturally, many Germans remain predisposed against the Street View mapping.' https://www.inverse.com/article/32886-google-map-privacy-variation

It did not help that this occurred too - 'It was soon discovered that Google was breaking the law by ripping off personal data stored on unencrypted WiFi networks, a big no-no in just about everywhere, but especially in Germany. To try salvaging the situation, Google took the unprecedented step of blurring not just people caught on camera, but some houses. Eventually, Google just kind of gave up.'

Oh, come on, the people from eastern germany probably couldn't care less. I am living east of germany - most people couldn't care less either. Yeah, and we do have google street maps, we have our own version of these mapping things and it is great.

Actually, looking at what you write, this has nothing to do with totalitarian regimes; it looks more like german privacy fetish.

"You do know that a majority of German already don’t use Facebook, and have absolutely no interest in making things easier for Facebook to profit from personal data, right?"

Thanks for confirming that the totalitaria narrative is nonsense.

'most people couldn’t care less either.'

If you say so - the East Germans I know are no more enthusiastic about Facebook et al than West Germans. There is a generational split, as noted in the linked article, however.

'and we do have google street maps'

Of course - and about half of the houses of the street where I live are simply blurs.

'this has nothing to do with totalitarian regimes; it looks more like german privacy fetish'

Well, the article also draws the point that a few minor historical events have influenced that fetish.

'Thanks for confirming that the totalitaria narrative is nonsense.'

See the point immediately above. Then let me add this bit of information concerning Max Schrems - 'The fallout from Edward Snowden’s NSA surveillance revelations continues to jeopardize U.S. tech firms’ European operations.

On Tuesday, the Irish High Court said it would ask the European Union’s top court to decide whether Facebook (fb) can continue to send Europeans’ personal data to its U.S. operations. And whatever the Court of Justice of the European Union (CJEU) decides will have major implications for many companies, not just Facebook.

Facebook has been relying on a legal mechanism called “standard contractual clauses” for its transatlantic data flows, ever since the CJEU cancelled the so-called Safe Harbor data-sharing agreement between the EU and the U.S. The court struck down the deal largely because it did not guarantee the safety of Europeans’ personal data from the U.S. National Security Agency (NSA) and its PRISM program.' http://fortune.com/2017/10/03/facebook-max-schrems-ireland-cjeu-privacy/

- it's not 'European citizens' that want GDPR. It's mostly the EU, most of the eastern states (that actually did have experience with totalitarian regimes) don't care; their current regimes were enough
- GDPR contains lots of provisions that really have nothing to do with totalitarianism (right to be forgotten (i.e. overwriting history), users own their data etc.)
- you yourself have given first an example that people don't want Facebook to sell their data; and you continue pushing this exapmple; given that this has absolutely nothing to do with totalitarian state, it seems to me that you actually prove me right; nothwithstanding GDPR applying on multitude of activities that has absolutely nothing to do with spying or selling your data (e.g. you probably have a right to be removed from a list of winners of a sport competition...)

So, GDPR does nothing against totalitarian state, most europeans (including yourself) would cite Facebook's profits as a prime example what GDPR should fix.... and this should somehow persuade me, that your narrative that europe supports GDPR because of proximity to totalitarian regimes make sense.

Let's imagine a country has a totalitarian state but it happens to be that only a few private companies have massive amounts of personal data on citizens that could be used by the totalitarian state to facilitate massive abuses. What exactly are the barriers preventing such a state from getting to that data being collected, updated, and stored by the private corporation? What reason do we have to believe that they would hold?

Next, what historical evidence is there that having a robust privacy protection regime makes totalitarianism more likely? Intuitively it would seem to offer a protection against one (not absolute of course but what is?). So what evidence is there that should cause us to reject this assumption?

Third, what reason do we have to believe that private entities couldn't become a threat to liberty? In the US the Founders were concerned with a tyrant who may rise from the political system but they were also concerned with combinations of vested interests taking power and using that power to keep themselves unchecked. What reason do we have to suppose that no accumulation of power by a private corporation could ever lead to a problem?

The problem I have with these questions is that you can literally prove anything. But to answer it: the problem is that the countries these days already have access to so much information, that this won't change a iota their ability to become a totalitarian state.

1 - Ignoring the magnitude of the data that the state has already access to, how exactly does GDPR stop the state from ordering the companies to collect the data the states need? The companies aren't even required to ask for permission if they are collecting the data in order to fulfill some law requirements. So GDPR doesn't have any effect on this.

2 - we don't have any evidence, that not having a robust privacy regime among private individuals would make totalitarianism less likely either

3 - Just wondering how much GDPR changes that. Now we are not talking about facebook and google, we are speaking about millions of enterpreneours, hobbyists and companies in Europe. Do you expect your dentist to abuse his power, vested interest and try to make a coup?

The GDPR does nothing to stop totalitarian state. Supporting GDPR on these grounds is misguided.

andy,

1. I agree the state aleady has access to a lot of data but that's still the tip of the iceberg. Consider what the US gov't 'knows' about me at any given time. Months after the fact, it learns of my income when my employer sends in withholding taxes. It has an overview of my previous year via my tax return....filed after the fact. Possibly it has some medical knowledge if I happen to be on Medicare. Now compare this to what Google knows about you or your cell phone company. There's a reason Cambridge Analytica wanted to get a hold the Facebook data of all voters rather than, say, the Social Security records of the yearly earnings of all voters.

2. True, we don't. To my knowledge no one ever did a blinded study of apartment buildings heated by kerosine heaters versus ones by electric. Yet a working hypothesis is keosine would cause more fires and if we aren't going to do such a study then let's work with the reasonable hypothesis unless someone assembles good evidence it's wrong. I think a modern totaltarian state would be more facilitated by poor privacy than good privacy.

3. "Do you expect your dentist to abuse his power, vested interest and try to make a coup?" No but what harm is there if I call my dentist and say "I'm not coming to you any more please destroy my chart"? I mean ok for liability reasons he may have to keep your chart for so many years but ultimately what does it take for him to shred it? If all the charts are in a cloud somewhere it is even easier to do that. I believe Europe's rules required Google to erase the links of someone convicted of a minor crime long ago but the small websites that carried the story didn't have to delete their articles. I don't know the ins and outs of privacy law but I'm pretty skeptical dentists and hobbyists are groaning under its weight.

4. Not that you mentioned it but I find the contrast with 2nd amendment advocates remarkable. Even the most minor gun regulation is balked at because hypothetically we are all going to form informal militias to stop the rise of the dictator....but assembling detailed profiles on millions of people...something modern totalitarian states do and have done all the time. Nope for that we need 'more proof'

Wouldn't (or shouldn't) this law merely require a company to destroy records linking personally identifying information to one or more Bitcoin addresses? Bitcoin addresses, by design, do not reveal any personally identifying information and a Bitcoin transaction is the financial equivalent of leaving an anonymous blog comment.

Yet another problem that the GDPR intends to wish away.

Odd.
I find that the European'Know Your Customers' rules n finance have the opposite effect. In fact, the effort to know the customer is jamming the Swift system and making it expensive to use.

Left and right hands on collision course, coordination failure alert.

SWIFT? Still around $30 per payment. I've seen no cost increase in the last 5 years.

The only time I've encountered the "Know your customer" regulation was when I asked what I needed to keep an account open in a certain country after leaving. The bank said they required a minimum deposit over 100K. In that way, the expenses caused by regulation were compensated by the money parked there.

However, how many people has an account in another country with no residence there? It's no problem for most of people and a counter-measure for money laundering, what's wrong about it?

OK, I quoted an article I just incidentally saw, and need further look. The equilibrium is in transition as the rules are newly deployed.

Yes, I got itv slightly wrong.
https://bravenewcoin.com/news/swift-explores-solving-the-correspondent-banking-problem-with-the-blockchain/
According to the Bank for International Settlements (BIS), banks are cutting back on correspondent relationships due to the rising costs of regulatory compliance, specifically in light of the Know Your Customers' Customer (KYCC) rules, and the uncertainty about how far customer due diligence should go

OK, Swift is and has solutions to the emerging problem, it may not yet be a swift problem.

Trying to imagine how this might play out. Let's say Amazon creates their own digital currency, AmazonBite. Unlike Bitcoin, it ends up being very stable in value and since Amazon has a huge ecosystem of merchants under its umbrella the currency is adopted worldwide both by Amazon and by millions of small and medium sized businesses.

So each transaction allows the user to embed a short message that is encrypted. Perhaps something like "for payment of invoice ABD1345"..... Let's say the message can only be decrypted by the senders or receivers private key. Great now there's privacy in the transactions but if anyone goes to court saying they were not paid either party can provide the key and prove payment was made.

Now let's say early on in this system Putin's Internet Troll Factory issues some payments back and forth. They put messages like "I had gay sex with John Smith on 3/15/22" or "Trump Jr. did it with our honepot plant, here's a link to a picture of his junk!". Years go by as the chain gets longer and longer until one day Putin gets pissed at Amazon for some reason. He releases the private keys and now anyone who has the chain can access these messages. Like clockwork requests are submitted to eliminate the 'private data' from Amazon's servers. Amazon collapses as a hundred billion dollars worth of currency suddenly becomes worthless. Individuals may continue to use the blockchain but without the ability to use that to pay Amazon it loses a huge amount of value. A move worthy of Rick Sanchez who defeated the evil galactic empire by setting their currency equal to zero of itself instead of one of itself!

But not so fast. I believe that regulation follows innovation rather than the reverse. If this happened courts would probably just rule in favor of Amazon. Or Amazon would simply create a shell company that would collect payment offshore in its cryptocurrency and for a fee convert that to privacy protected Euros to pay it's domestic company. Or Amazon argues that since they themselves never decrypt the personal messages any privacy violation is happening on the computers of individual users. It's a bit like if some smart lawyer found some obscure case that was decided with an error 200 years ago and now he feels he can have all corporations declared illegal. More likely than not the courts would just overturn that case. If not I suspect the huge amount of parties with vested interests would quickly craft an exemption making the blockchain more like a common carrier which has immunity from such suits (just like you can sue someone who defames you by calling people up and spreading lies about you, but you can't sue the phone company for connecting and carrying his calls).

Blockchain technology is the FUTURE; it doesn’t matter if you like it or not but that is just what reality is all about. So, all we require to do is to take advantage of this. I love trading and recently, I have come across this thing called GunBot, it is truly amazing. There is just all that you need to make profits and to do it consistently as well.

With the way Europe approaches technology, sometimes I get the feeling that over time it will look rather Amish -- but without barn raising, since that would probably be illegal too.

Comments for this post are closed