Privacy Regulations and Blockchain. Consumer Rights vs Immutable Records (1/2)

Are Blockchain Systems GDPR Compliant? Do Blockchain Systems guarantee Consumers’ Rights granted by recent regulations?

While studying the new GDPR and other “Personal Data Protection and Privacy Laws”, many organizations are realizing that, most of the “Blockchain Applications” and “Blockchain Projects” are becoming “non-compliant” in the European Union, as well as in an increasing number of jurisdictions where similar “Consumer Rights” are being granted.

General Individual Rights

These “enforced” regulations give Individuals several “key rights to control and really own their Personal Information”, like:

  • Right to “oppose” to the utilization and storage of their information
  • Right to “modify” their Personal Information
  • Right to “cancel” any previously given consent
  • Right to “remove” all or part of their information
  • Right “to be Forgotten” (complete removal of all their information and records on any given provider)
  • Right for Personal Information Portability (meaning the Individual can request a copy of all his Personal Information in the hands of one provider -what will have to be given to the Individual by the provider in an electronic file and in a format the Individual can read- so that the Individual will have the possibility to give this information to any other service provider of his choice.
  • Right for “revoking” their given consent.

Obligation to Communicate

On the other side of the relationship, businesses have the “obligation” to communicate to Individuals whose information has been collected:

  • “Where” their information is being stored
  • “Who” is the person appointed by their organization to manage and guarantee their rights related to their Personal Information
  • “What” kind of specific purposes their Personal Information will be used for
  • Until “When” the information will be stored and managed (for some specific time, for the duration of a contract, etc.); after this deadline, whatever it is, Individuals’ Information should be removed from the business records (at contract termination, at a specific campaign termination, after several years…or whatever was agreed and “explicitly accepted” by the Individual.
  • If any kind of “Profiling” and “Automated Profiling Processing” of their Personal Information will be done, explaining “the logics” and “processes” of the Automated Profiling, and the “purposes” of that Profiling, as well as of the resulting information (even if just for statistical purposes).

Organization are also obliged to obtain the “Explicit Consent” from Individuals to collet, store and manage their Personal Information for “Specific Purposes”, as well as to “be able to prove” that they got such an Explicit Consent from Individuals (now or in the past), and provide Individuals proper mechanisms to exercise their rights. And also, to guarantee the “security and safety” of the Individuals’ owned Personal Information.

Individual Rights to Opose, Modify, Revoke…

Obviously, the Individual does have full right to “oppose” to any of the above, and request the partial or complete removal of his information, set or change clear limits to the “purposes” for which his Personal Information can be used for…or even “revoke” any of the given consents on his Personal Information.

From its original inception, a system like Blockchain does not technically and easily allow to exercise some of the above rights and obligations related to Personal Information when stored in an “immutable” Blockchain, like:

  • “Remove” any Personal Information that has been stored
  • “Modify” any Personal Information that has been stored
  • “Guarantee” where the Personal Information will be stored (as it is a distributed and replicated system)
  • To “appoint one single person” to be responsible for the data management (again, system is distributed and replicated)
  • Define (and in most countries “declare and register in front of Authorities”) the specific “files” and “databases”, with their format, information structure, kind of access, who can access, for what purposes and kind of contained information) that the Organization is using to store any kind of Personal Information.
  • “Forget an Individual”…

Some Conclusions

In summary, and as of today…any Blockchain implementation, application and project, might most probably be “NON-GDPR COMPLIANT”, and also “not compliant” with most modern and advanced Personal Data Protection Regulations already implemented or being implemented in the World.

(To be continued… )

Leave a Comment