Given the stupendous amount of personal information stored and transferred online, it's good that regulators are moving to bolster consumer privacy. But these rules – ranging from the "right to be forgotten" to the ability query a database to see what information they keep about you on file – may bump up against the web the blockchain industry is building, sometimes called Web 3.
Crypto's primary benefits stem from being open, transparent and immutable. Blockchain-based web apps are necessarily different than the multibillion-dollar "walled gardens" that dominant the internet today. Privacy laws were written with the old web in mind, the web of Facebook and Google.
This article is part of CoinDesk's Privacy Week series.
It's an open question whether blockchain can develop in a way to meet the requirements of contemporary digital privacy laws while still preserving the attributes that make it successful. This is especially true for the most significant data legislation on the books today, the European Union’s "General Data Protection Regulation" (GDPR).
Europe’s GDPR: An overview
GDPR is the grandmaster of privacy frameworks. It governs how individuals’ personal data can be used across tech and other industry sectors within the EU’s jurisdiction. It covers all businesses that maintain records of users, regardless of whether or not they’re based in the EU.
In effect, GDPR means that companies cannot act wantonly or reckless with private, personal information ranging from someone’s Google search history to a Twitter user’s social graph.
This policy towards personal data is sometimes called privacy “by design” or “by default,” and applies to both software and hardware. It has major implications for blockchains that are, generally speaking, publicly auditable protocols.
According to GDPR rules, blockchains should be “privacy-preserving by design,” meaning developers must consider user privacy while designing and developing crypto platforms, as well as crypto-based products and services.
The immutability and broad availability of data on public and permissionless blockchains is an obvious challenge for developers. It’s a balancing act between ensuring users only provide as much personal data as actually needed to get the job done and the core tenets of this novel technology.
“After all, blockchains do not forget,” Michael Kunz, senior legal associate at MME, a Swiss law firm specialized in crypto and fintech, said during our after-hours chat. “So it is essential that developers get it right from the get-go.”
Crypto founders can benefit from a close look at GDPR’s existing policies regarding users’ personal data.
GDPR Section 3 Articles 16-17: Right to Data Rectification and Erasure
Article 17 of GDPR outlines the circumstances under which an individual has the right to have their personal data erased. Similarly, Article 16 gives users the right to rectify incorrect personal data within any organization’s database by providing a supplementary statement. While an individual’s ability to alter or erase data is conditional, that person's legal ability to do so at all clashes with blockchain’s core tenant of data immutability.
Crypto projects can find solutions to existing data rectification and erasure requirements by, for instance, storing users’ sensitive data off-chain and using cryptographic systems for on-chain verification to ensure data authenticity.
Decentralized networks don’t necessarily need to be data operators, similarly to how decentralized exchanges (DEX) might not be classified as financial intermediaries. However, by definition, system decentralization needs to be agreed upon. One might certainly hope that in the future a precise legal framework will be introduced that takes into account users having full control over their data and sharing them directly with third parties, knowing exactly what the data is being used for and why
GDPR Article 15: Right of access
In addition to a data subject’s explicit rights to access and erase his or her data, GDPR’s Article 15 also requires organizations to abide by the principles of data protection and privacy. As a result, businesses must operate in a way that minimizes extraneous data collection and ensure user privacy is a foundational consideration, rather than as an afterthought.
This may present issues for public blockchains that allow anyone to anonymously access information stored on its ledger without any limits to how often they do so, or records of when, where and by whom this information was accessed.
Enter actual privacy on a blockchain. Whenever discussing regulatory compliance, we ought to differentiate between transparency of the process and transparency of the data included in that process.
Zero-knowledge proofs and multi-party computation are technical solutions to this problem. As they are deployed today, zk-proofs and MPC offer ways to keep data recognizable and verifiable on-chain, without being explicitly tied to an identity.
Adam Gagol, chief technology officer for the enterprise-grade and privacy-preserving blockchain Aleph Zero, thinks these tools would effectively address most regulatory concerns about unrestricted data access.
GDPR Chapter 4: Data controllers and processors
Blockchain’s distributed nature makes it essentially impossible to identify a specific “data controller.” It is difficult to envision a world in which regulations permit fully decentralized organizations to operate freely without the ability to hold a legal entity responsible for what happens on the network. At the same time, even if decentralized autonomous organizations (DAO) register as legal entities it is unlikely that every project will be able to identify a legal party that can be held accountable for each and every infraction that occurs on their network.
As a result, there isn’t a simple solution to GDPR’s need for an accountable party. Crypto projects concerned about potential legal liabilities on this front might be better off mitigating their overall risk by enacting stricter KYC/AML (know-your-customer and anti-money laundering) policies to curtail malicious user behavior that may implicate the entire network.
So how might fully decentralized systems remain compliant while still benefiting from a network’s public nature? I’ve had a sit-down with Pawel Kuskowski, former global head of AML at the Royal Bank of Scotland and a founder of Gatenox, which offers a decentralized identifier (DID) system built on top of the Aleph Zero network. Here’s what he thinks: “The key is to clearly separate the responsibilities of creators and operators of a given blockchain and smart contracts developers, self-governed identity providers, as well as users of these solutions.”
This will become all the more important given the exponential growth of crypto markets. The question is whether crypto developers and organizations like DAOs will see the ethical mandate to comply with regulations.
Proactively protecting users
The above is just an overview of a few challenges the blockchain sector faces, especially those concerned about privacy. A deeper exploration should entail a discussion involving specific policy frameworks and user applications. Although I cannot offer specific predictions for the future, I believe regulators will eventually draft relatively permissive laws that allow for responsible data sharing and growth, rather than treating the entire industry as an undesirable, privacy-violating monolith.
Rather than waiting to see what regulators decide, it’s up to crypto founders to proactively protect their users’ personal data while ensuring full online accountability. In other words, we should not shy away from balanced, well-intentioned privacy regulations – either now or in the future.