Why the European Union needs a blockchain framework
In this guest post, the Asia Observatory team explains why the European Union (EU) needs a framework for handling blockchain technology.
Two years after the implementation of the General Data Protection Regulation (GDPR), some significant fines have been imposed on companies like Google, British Airways, and Marriott. Nevertheless, the regulation has only scratched the surface of its broader objective of improving data protection for all.
With 7.9 billion records exposed and tens of thousands of reported leaks, the past year was the “worst year in existence” in the EU alone in terms of the number of GDPR violations worldwide. In addition, 2020 is already on track to set a new record, with 5 billion records leaked this year in the U.S. alone.
GDPR and Blockchain: There is room for improvement
Emerging technologies also seem to have been neglected. The status of blockchain technology, which stores data transparently and immutably, has been unclear under the GDPR since the regulation was implemented. Now that regulators in Europe have rethought their initial concerns about the technology, attention is slowly turning to privacy and data protection.
Last summer the European Parliament published a study that asked whether blockchain could be reconciled with the GDPR and pointed out that there are “multiple points of tension” between the two. Could blockchain soon be targeted if regulators across the continent step up pressure on privacy and data protection?
Blockchain and GDPR: the basic conflicts
The first core conflict has to do with one of the core features of the blockchain: immutable entries. One of the principles of the GDPR is storage limitation, which means that data should not be kept longer than is necessary for the purposes for which the personal data are processed.
Another principle is the “right to deletion”, which means that users have the right to have their personal data deleted within one month of a request. The problem is that with most blockchain systems, the data is stored permanently and cannot be deleted.
The second core conflict has to do with the organizational form of blockchains. This means that anyone involved in the consensus of a blockchain can be considered to be responsible for data processing. Most decentralized blockchains are ultimately managed by participants who are far from the original developers.
It is these “data controllers” who are responsible for compliance with the GDPR. So if responsibility is shared between hundreds or thousands of individuals around the world, who is responsible for GDPR violations?
The CNIL, the French data protection authority, already has an answer to this question. In a report published in 2018, the CNIL concluded that in many cases all participants can be considered responsible. The report’s action plan proposed working with European counterparts to create a basis for the common regulation of blockchains. However, almost two years later, the CNIL is still the only European regulator to have published such a proposal.