14 December 2018
In October 2018 the EU Parliament passed a resolution: ‘Distributed ledger technologies and blockchains: building trust with disintermediation.’ The resolution was introduced by Eva Kaili, a Greek MEP. Kaili has said she wants to make the EU the ‘leading player in the field of blockchain’ but has warned that ‘regulators need to make sure that all this effort will be embraced by the necessary institutional and legal certainty.’
Blockchain technology has been the subject of increasing scrutiny by a diverse field of industries. Many are exploring the potential application of rebuilding data processes so that digital information is distributed rather than copied. With companies such as AIG, Maersk, Microsoft, De Beers, Google and IMB all using blockchain on a diverse range of projects (covering everything from cloud infrastructure to smart insurance policies, to food safety monitoring and import controls) a wider understanding appears to be emerging that the technology genuinely has a multitude of useful applications beyond the cryptocurrencies that ushered it into existence. According to Kaili, who is also the chair of the Parliament's Science and Technology Options Assessment Panel, ‘blockchain and distributed ledger technologies in general have a strong disruptive element that will affect many sectors’ but any regulations applied need to be ‘open-minded, progressive and innovation friendly.’
The Parliament's October Resolution included the following key recommendations:
• that a legal analysis is done as to the legal enforceability of blockchain smart contracts among Member States;
• that technical standards for distributed ledger technologies are developed;
• that universities and training institutions adopt blockchain based curricula;
• for any consideration of regulation on blockchain to cover the removal of barriers and approach the application of rules using both a technology and business neutral model;
• for the EU Commission and European Central Bank to identify risk when it comes to incorporating cryptocurrencies into the European payment systems;
• that analysis is conducted to ensure no competition issues arise by decentralising infrastructure to the extent that monopolies are created; and
• that an examination of the decentralisation of EU citizens data is conducted to prevent misuse.
During the debate in the Parliament a concern emerged on the final point, namely, that although blockchain technology may facilitate the decentralisation of EU citizens' personal data, how could such public ledgers ever be compliant with the General Data Protection Regulation (GDPR)? For instance, the right to be forgotten under Article 17 of GDPR provides for the erasure of personal data of any EU citizen upon request. However, a fundamental principle of blockchain technology is that information held on the chain can only be added rather than taken away. Whenever personal information cannot be deleted, there would appear to be a direct conflict with GDPR requirements.
Some technologists have pointed to methods that can be deployed when storing information via blockchain without contravening data protection principles. For instance, some propose that if the information stored on a blockchain is sufficiently limited, say to 180 bytes, it could still function and potentially not constitute processing of "personal data" under the GDPR. Additionally, information stored on the blockchain can often be encrypted so that personal information is sufficiently hidden and anonymised without affecting transaction verification. This approach forms the basis of emerging 'privacy coin' technologies such as Dash and Zcash.
The October Resolution acknowledges it is of the ‘utmost importance’ that blockchain technologies are compliant with the GDPR (and calls upon on the European Data Protection Supervisor to provide further guidance). However, it appears that privacy concerns under GDPR may prove to be an irresistible force meeting an immoveable object when it comes to the deployment of the technology in certain instances. While there is considerable potential to be explored, companies, organisations and regulators need to understand that the standards of GDPR are not easily applicable to blockchain. They will need to consider the potential impact on privacy and not just possible benefits to improving processes.
With the October Resolution, the EU Parliament appears eager to promote Europe as a leader in the development of the global blockchain market. It is also clear that there will need to be work done with Member States to protect the rights of citizens, particularly when it comes to data protection. Although the October Resolution establishes only non-binding recommendations at this stage, there is a clear appetite from both the regulatory and commercial sectors to focus on the potential of this technology. Undoubtedly, it could be profoundly disruptive to established intermediary processes. However, it remains to be seen whether the technology likewise (and inevitably) might be disruptive to concepts of individual privacy in the era of GDPR.