10

GDPR expects it's citizens to have the 'right to be forgotten'. A company failing to fulfill this obligation is expected to pay a hefty fine. How will decentralized autonomous communities who store immutable data on the blockchain about its users deal with such a legal obligation?

Let's take the case of an alternative that ETH developers build for Facebook. They ought to store the users' names and other identifiable information on the blockchain, correct? What measures do they have to take to be compliant with the law? Should the founders remain anonymous so that nobody is held liable? Please talk about how social DACs can grow in such conditions.

Able Joseph
  • 203
  • 1
  • 4
  • 1
    Related: https://law.stackexchange.com/a/28858/372. If retaining info is necessary, you can continue to do so. – TRiG May 28 '18 at 10:55

4 Answers4

3

With the GDPR, and the actual blockchain researching stage on where we are now, two things can be said.

  • DAPPS won't let users to post any personal info (on identity terms talking) because: With GDPR, an user can obligate to the DAPP owner to remove all of it's data (users collected data) from the database (the blockchain), and nowadays that's impossible, because that info will be always stored on the blocks that contain requester user's info.
  • One possible solution will be to separate the data. The identity part of the blockchain will be stored on a normal server, and the transactions info on the blockchain. We can relationate the user with it's transactions with ERC identity tokens.

Hope it helps.

CPereez19
  • 2,835
  • 13
  • 41
  • Wouldn't this beat the narrative of 'giving power back to the people' if there is one entity who stores personal info about their users on centralized servers (Facebook doesn't have much to lose in this situation)? Also, how can we truly build an autonomous community when a person or company is required to collect and store data? – Able Joseph May 28 '18 at 11:56
  • We can't truly build it, that's the problem. There are a few solution proposals about this, but the thing is that GDPR is too recent to give some good solutions in order to solve the problem you expose. Identity on blockchain is now on of the main problems for the Dapps. – CPereez19 May 28 '18 at 15:39
1

The solution is simple. Do not publish personal information (name, email) in any public media, including a blockchain or other public ledger. It is a bad idea and usually illegal regardless of GDRP or not.

Mikko Ohtamaa
  • 22,269
  • 6
  • 62
  • 127
1

Let's read the directive, Article 4:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

So, the authors of distributed software might constitute "controllers", and every single node in the network is a "processor".

Some people will jump to the conclusion that this renders blockchain technology completely incompatible with GDPR, but I think at this point an argument can be made about what constitutes a legitimate basis. That gets out of questions of withdrawal of consent.

See "whereas" clause 47:

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.

In which case you'd need a sufficient warning to the user that all actions on a blockchain are irrevocable, plus a declaration that the user is effectively a co-controller of the data.

You could also contact the EU Blockchain Observatory for an opinion?

Community
  • 1
pjc50
  • 111
  • 1
0

The second clause on the article you have linked highlights the ability to abandon the service at any point. This could be achieved by:

1) Abandoning your Public key or even private key used with the service.

2) If KYC/ AML is of concern than that could be stored off chain(as it is done as of now) or encrypted with the users private key giving them control over when it could be deleted.

Vignesh Karthikeyan
  • 1,950
  • 1
  • 12
  • 40