Will GDPR block Blockchain?

As someone who has worked in data policy and data protection for 20 years, I read privacy policies for a living. I take notice when I get the occasional email telling me that a website is updating their privacy policy or terms of service. Lately, that trickle has become a torrent in my inbox. The thing they all have in common is the effective date - May 25, 2018, the day the European Union’s General Data Protection Regulation (GDPR) goes into effect.

GDPR is a unified privacy regulation that largely harmonizes the various and disparate legal frameworks that cover the more than half a billion European data subjects, or as I prefer to call them, people. GDPR gives specifically articulated rights to people over their data so that the phrase, “you own the data about you” has meaning.

These rights are enshrined in European law but making them actionable has not been simple. Adding complexity to the task is the fact that technology has a habit of changing quickly. It’s well known that technology often leapfrogs ahead of existing regulatory frameworks, leaving legislators and regulators to play catch-up. Consider the example of blockchain.

Blockchain has existed as a concept since 2008 but it has only recently exploded into public consciousness through valuations of cryptocurrencies like Bitcoin. Many technologists believe that blockchain will be more transformational than the internet itself.

But whilst many people equate blockchain with Bitcoin and cryptocurrency, they are not the same. “Blockchain is a cryptographically-secured transaction record that’s created without a central authority,” explains the World Economic Forum's Head of Blockchain, Sheila Warren.

Blockchain data can't be deleted. So will its applications be illegal?

Because blockchain relies on a distributed ledger system that is decentralized and immutable, it's intended to be a permanent, tamper-proof record that sits outside the control of any one governing authority. This is what makes it such an attractive and useful technology. But because data stored on the blockchain, including personal data, can't be deleted, there is no way to exercise the right to erasure that people are granted under GDPR. Blockchain is not designed to be GDPR-compatible. Or rather, GDPR is not blockchain-compatible the way it is written today.

While European policymakers were debating and finalizing aspects of GDPR, blockchain wasn’t on most people’s radar. This is yet another example of where regulation is addressing a problem in the rear view mirror rather than looking at the road ahead. This is the nature of most traditional regulation and illustrates how quickly technology shifts, pivots and morphs at a speed much greater than laws and regulations are designed to move. In this case, while we wait for the rules to play catch up, the question we have to ask is whether existing blockchain applications that store personal data are now rendered illegal in Europe until this is sorted.

Policy needs to be as flexible as technology

Government regulation has a critical role to play in creating accountability, ensuring responsible use of data and providing enforcement mechanisms to penalize bad actors. I am not arguing against regulation, nor am I arguing against GDPR. I am arguing instead for a layered and cooperative approach to policy making. We need future-flexible frameworks for governance that allow us to realize the benefits of data and technology while minimizing harms. This is much easier to say than to do.

If our collective goal is to ensure a future where we cure cancer in our lifetimes through better medical research, improve infrastructure and service delivery in connected cities, increase crop yields to feed more people, better understand and predict extreme weather patterns, create durable digital identities for refugees and people who have no documentation of their existence, provide more immediate disaster relief in times of crisis - then we will need to use data more than ever to realize these benefits.

Governments must work in collaboration with civil society, academia and the private sector to co-develop policy with a process that is as dynamic as technology. Policy makers and the regulatory processes they use need to be reimagined to be as nimble as the technology they seek to regulate, in order to help create the future we all want to see.