Given the massive amount of personal data collected and moved online, it’s encouraging to see regulators taking steps to protect consumer privacy in the Web3 era, with the EU’s GDPR the most prominent example.
However, these laws – which range from the “right to be forgotten” to the right to access an organization’s database and discover what information it has on file about you – may clash with the Web3 that the blockchain sector is creating.
The fundamental advantages of crypto are that it is open, transparent, and immutable. Blockchain-based web apps must be distinguished from the multibillion-dollar “walled gardens” already dominating the internet. The old web of Facebook and Google was in mind when privacy regulations were drafted.
It’s unclear if blockchain can evolve in a way that satisfies the criteria of modern digital privacy regulations while retaining the qualities that have made it so effective. This is especially true with the European Union’s General Data Protection Regulation (GDPR), the most important data legislation on the books today.
The GDPR in Europe: A Quick Overview
GDPR is the king of privacy regulations. It regulates how personal data about individuals can be used in the ICT and other industries that fall under the EU’s jurisdiction. It applies to all organizations that keep user records, whether they are situated in the EU or not.
GDPR effectively prohibits firms from acting indiscriminately or recklessly with private, personal data ranging from a person’s Google search history to a Twitter user’s social graph.
Privacy “by design” or “by default” is a term used to describe a policy regarding personal data that applies to both software and hardware. It has far-reaching consequences for blockchains, which are, by definition, publicly auditable systems.
Blockchains should be “privacy-preserving by design,” according to GDPR guidelines, which means that developers must consider user privacy while creating and developing crypto platforms, products, and services.
The immutability and wide availability of data is a clear difficulty for developers on public and permissionless blockchains. It’s a delicate balancing act between ensuring users only disclose as much personal data as is absolutely necessary to complete the task at hand and adhering to the key concepts of this revolutionary technology.
During an after-hours interview, Michael Kunz, a senior legal associate at MME, a Swiss law firm specializing in crypto and fintech, observed, “After all, blockchains do not forget. As a result, it’s critical that developers get it right from the start.”
A detailed examination of GDPR’s existing policies involving users’ personal data can benefit crypto entrepreneurs.
Articles 16-17 of GDPR Section 3: Right to Data Rectification and Erasure
Article 17 of the GDPR defines the conditions under which an individual’s personal data may be erased. Similarly, Article 16 offers users the right to provide a supplementary statement to amend inaccurate personal data in any organization’s database. While an individual’s legal authority to change or erase data is conditional, it contrasts with blockchain’s key tenet of data immutability.
By storing users’ sensitive data off-chain and using cryptographic technologies for on-chain verification to verify data authenticity, crypto initiatives can discover answers to existing data correction and deletion regulations.
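The off-chain storage pattern described above, as an added illustration that is not code from the article or from any project it mentions: personal data lives in a store the controller can edit or delete, while the ledger only ever receives a salted hash commitment. Rectification appends a fresh commitment; erasure deletes the data together with its salt, so the orphaned hash left on-chain can no longer be matched even by a party holding the original data. The ledger and store are constructed in-memory stand-ins, assumed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins (assumptions, not any real chain or project):
# LEDGER is append-only like a public blockchain; OFF_CHAIN is a store the
# controller fully manages and can rectify (Art. 16) or erase (Art. 17).
LEDGER: list[bytes] = []
OFF_CHAIN: dict[str, dict] = {}


def _commitment(salt: bytes, data: dict) -> bytes:
    # Canonical JSON so identical data always hashes identically. The random
    # salt stops anyone from confirming a guess of a low-entropy field (an
    # email address, a date of birth) against the public ledger alone.
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).digest()


def store(user_id: str, data: dict) -> int:
    """Keep the personal data off-chain; publish only a salted hash on-chain."""
    salt = secrets.token_bytes(32)
    LEDGER.append(_commitment(salt, data))
    OFF_CHAIN[user_id] = {"data": data, "salt": salt, "index": len(LEDGER) - 1}
    return len(LEDGER) - 1


def verify(user_id: str) -> bool:
    """On-chain verification: the current off-chain record matches its commitment."""
    rec = OFF_CHAIN.get(user_id)
    if rec is None:
        return False
    expected = _commitment(rec["salt"], rec["data"])
    return hmac.compare_digest(LEDGER[rec["index"]], expected)


def rectify(user_id: str, corrected: dict) -> int:
    """Art. 16: replace the off-chain record and append a fresh commitment.
    The old commitment stays on the ledger but no longer matches anything."""
    return store(user_id, corrected)


def erase(user_id: str) -> None:
    """Art. 17: delete the data AND the salt. The hash that remains on-chain
    cannot be reversed or re-derived once the salt is gone."""
    OFF_CHAIN.pop(user_id, None)


def linkable_without_salt(commitment: bytes, known_data: dict) -> bool:
    """Could someone who knows the raw data tie it to this public hash without
    the salt? True only for an unsalted commitment, which is why the salt matters."""
    return hmac.compare_digest(commitment, _commitment(b"", known_data))
```

Note that the ledger keeps every commitment forever; what erasure removes is the ability to link any of them to a person, which is the property the off-chain design relies on.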
Decentralized networks don’t need data operators, just as decentralized exchanges (DEX) aren’t required to be financial intermediaries. System decentralization, conversely, must be agreed upon by definition.
In the future, a precise legal framework would be implemented that considers people having complete control over their data and sharing it directly with third parties, as well as understanding exactly what the data is being used for and why.
Article 15 of the GDPR: Right of access
Article 15 of the GDPR compels companies to follow data protection and privacy principles in addition to a data subject’s express rights to access and erase his or her data. As a result, organizations must operate so that unnecessary data collecting is minimized and user privacy is prioritised rather than treated as an afterthought.
This could cause problems for public blockchains, which allow anybody to access information recorded on their ledger anonymously, without any restriction on how often they can do so and without any record of when or by whom the information was viewed.
Enter true privacy on a blockchain. When it comes to regulatory compliance, it’s important to distinguish between the transparency of the process and the transparency of the data involved in that process.
Technical solutions to this challenge include zero-knowledge proofs and multi-party computation. Zk-proofs and MPC, in their current form, provide a mechanism to retain data recognised and verifiable on-chain without being explicitly attached to a person.
According to Adam Gagol, chief technical officer of Aleph Zero, an enterprise-grade and privacy-preserving blockchain, these features will successfully address most regulatory concerns regarding uncontrolled data access.
Chapter 4 of the GDPR addresses data controllers and processors.
Because of the decentralized nature of blockchain, identifying a singular “data controller” is nearly impossible. It’s hard to imagine a world where regulations allow totally decentralized groups to operate freely without the capacity to hold a legal entity liable for what occurs on the network.
On the other hand, even if decentralized autonomous organizations (DAO) register as legal entities, it’s improbable that every project will be able to identify a legal party who can be held responsible for every transgression that occurs on their network.
As a result, there is no easy way to comply with GDPR’s requirement for an accountable party. Concerned crypto projects could be better off limiting their total risk by establishing tougher KYC/AML (know-your-customer and anti-money laundering) regulations to prevent malicious user conduct that could bring the entire network into disrepute.
So, how can totally decentralized systems comply while reaping the benefits of a network’s openness? I spoke with Pawel Kuskowski, the former global head of anti-money laundering at the Royal Bank of Scotland and the founder of Gatenox, a decentralized identification (DID) system built on top of the Aleph Zero network. “The key is to clearly separate the responsibilities of creators and operators of a given blockchain, as well as smart contract developers, self-governed identity providers, and users of these solutions,” he says.
This will become even more critical given the exponential rise of the crypto markets. The concern is whether cryptocurrency developers and organizations such as DAOs will recognize the ethical imperative to follow legislation.
Protecting users in a proactive manner
The preceding is merely a summary of a few issues the blockchain sector faces, particularly those related to privacy. A more comprehensive investigation should include a description of specific policy frameworks and user applications.
Although I cannot make exact predictions for the future, I believe that, rather than approaching the entire business as an unpleasant, privacy-violating monolith, regulators will eventually write reasonably permissive policies that allow for responsible data exchange and growth.
Rather than waiting for regulators to decide, crypto entrepreneurs must proactively protect their users’ personal data while maintaining full online responsibility. To put it another way, we should not be afraid of well-balanced, well-intentioned privacy legislation today or in the future.