The European Union (EU) General Data Protection Regulation (GDPR) is a law designed to enhance the protection of personal data and give individuals greater control over their own data. While the law applies to individuals and personal data resident in the EU, many organizations and services are taking the opportunity to revise their policies and practices for all users. As the GDPR comes into effect today, May 25, 2018, many cryptocurrency service providers have made changes to bring their policies and practices into compliance.
GDPR and Blockchain
A key objective of the GDPR empowers individuals (or data subjects) with various rights. Some of these rights align well with blockchain technology. For example, the GDPR includes a right to information, giving individuals the right to request how their personal data is being shared and processed. The right to access is also a step towards greater transparency, as it allows individuals the opportunity to view their own personal data that has been collected by an organization or service. IBM has released a white paper outlining some key ways that blockchain technology can be used to support the goals of GDPR and enhance compliance.
However, the GDPR also enforces “the right to be forgotten”, which provides individual data subjects with a right to request the deletion of personal data. Immutability is a core feature of blockchain technology, and without a central authority to oversee the erasure of any personal data, this part of the GDPR presents a considerable challenge for any open blockchain network that has stored personal data on the blockchain.
Andries Van Humbeeck, Blockchain consultant for TheLedger.be, highlights this potential clash between GDPR and the blockchain:
And here is the paradox: The goal of GPDR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” Also, one of the things GDPR states is that data “should be erasable”. Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR prohibits us from storing personal data on a blockchain level. Thereby losing the ability to enhance control of your own personal data.
Source: The Blockchain-GDPR Paradox, Andries Van Humbeeck, November 21, 2017.
GDPR and Cryptocurrency Services
If you use cryptocurrency services, including exchanges, wallets, and peer-to-peer marketplaces, you probably have received emails over the past month advising you of revisions to privacy policies and terms of service. While the specifics of these changes will vary, here is a brief overview of a few trends to be aware of:
- Consolidation of personal data: In anticipation of user requests to view, modify, move or delete personal data, you can expect some services to restrict users to the use of a single account. You can also expect to see services implementing portals and tools that display all personal data connected to an individual user in a single location, and allow users to make requests regarding that data.
- Detailed rationale around personal data collection & usage: The GDPR expects service providers to provide clear, plain-language explanations of why your personal data is processed at a detailed, granular level. This is an excellent opportunity to understand where data is being collected for regulatory purposes, where it’s being collected for the purposes of operating a given service, and where it’s being requested for the purposes of advertising and revenue-generation.
- Identification of third parties with access to your data, and how they are using it: Service providers often allow third-parties to access and process your data as part of service delivery. These third parties may be processing your data for a wide range of purposes, including identity verification, transaction processing, tracking how a service is used, and identifying & correcting bugs or service errors. Updates to privacy policies and terms of service should clarify where third parties may be used to process your personal data. To some extent, this also allows users to “peek behind the curtain” and learn more about how their chosen service providers conduct their businesses and who they partner with.
- Restriction of service and features based on geographic location: While some service providers are bringing changes into effect for all users, regardless of geographic location, others have established separate policies and practices for EU residents. For example, Coinbase has implemented separate Privacy Policies for the UK and the US and is currently only allowing EU residents to access the privacy rights dashboard. Some North American sites and news organizations have blocked EU residents from access or shuttered operations entirely, including peer-to-peer network CoinTouch, which announced its closure due to the costs of implementing GDPR compliance in early May.
Is GDPR having an unexpected impact on a cryptocurrency or your preferred cryptocurrency service provider? Let us know in the comments.