Blockchains Are GDPR's Kryptonite

Vlad Costea
  • While the GDPR is threatening many data collection-driven business models, public blockchains offer an alternative where immutability prevails over arbitrary interference.
  • Legally speaking, the situation is problematic for governments and the European Union - who can they fine or coerce in order to apply the provisions of the Regulation?

The European Union's General Data Protection Regulation (GDPR) is fundamentally a good idea, but it came a little too late and only regulates old protocols. According to Article 4 of the document, "personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

In a nutshell, pretty much everything that people do online that gets collected by a non-governmental third party should be presented in an open way and knowingly consented to by the internet user.

If you interpret the provisions in a broad way and take a look at the "online identifier" and "economic" key words, you soon realize that blockchains are theoretically under the jurisdiction of GDPR too - the only problem is that immutability and the storage of files across an entire network are too difficult to regulate or to impose legal actions on.


The main quality of public and open blockchains, which gives the generated cryptocurrencies their value, is censorship resistance. Decentralization is the only vision of Satoshi Nakamoto that everyone can agree on, and the concept makes international organizations, financial institutions, and governmental officials throughout the world scratch their heads and regard the situation in disbelief.

If data is permanently stored in blocks that are generated every few minutes, and the information gets spread across a distributed network that stores it, then how are you supposed to make use of your authority and legitimacy as a political actor? It seems as if this blockchain invention, as long as it's truly decentralized, brilliantly bypasses attempts to regulate internet content.

In Article 17 of GDPR, we (re)learn about the right to be forgotten. Good luck with that on a blockchain!

The concept of being forgotten on the internet is pretty unnatural, but legitimate in some cases: if someone spreads false rumors about you or you get imprisoned for abusive reasons which get debunked after further evidence is presented, your reputation is going to take a hit that it may never recover from.

It used to be easier in the times when newspapers, radio, and television dominated: you either caught the informative bit in a limited amount of time, or had to formally request access to archives in order to do research.

Conversely, the internet never forgets: if somebody wants to defame you and gets it on search engines, you'll likely struggle to keep making a living. Anyone can look up your name on a search engine to check your record, and lots of data gets shown even in the cases of more privacy-oriented individuals who only have e-mail and social media accounts.

Then there's the issue of fake news and websites that simply make up facts and information in order to pursue a social or political agenda. Should news reports that promote the violation of fundamental human rights or misinform readers be allowed to exist? Does juvenile pornography or video footage of murder have a place in this amazing network of computers which was first started with the goal of enabling cross-border communication and spreading information in an open way? Definitely not, it's all despicable.

But on the other hand, there's the Orwellian argument about having a Ministry of Truth to censor or rewrite history: can our civilization move on from this era of protectionism and actually perceive the internet as an accurate reflection of our culture and society? Well, we don't really have a choice with blockchain. If the data is immutable and the network nodes don't reject the transaction before it's written into a block, then we're bound to have lots of nasty footprints of humankind's nastiest and most gruesome behaviors. 



GDPR is for the old world, as blockchains will fundamentally change some of our paradigms as a society.

If anything, blockchains resemble natural law: everything gets created as a result of a harmonized mutualism, and agreements are written in stone. There is no workaround, and the only way to stop the system is to completely destroy it (just like the only way of eliminating Earth's gravitational field is to blow up the planet).

On the other hand, rules like GDPR are purely political and openly neglect several aspects of natural law just for the sake of imposing new social norms. Our entire society is an unnatural mutually-agreed convention where participation is incentivized by personal security and a set of fundamental rights which ensure the well-being of individuals.

The EU's latest big regulation follows this logic and tries to rewrite what is and what is not permitted in terms of data collection on the internet. This is a measure that's meant to empower the user with more knowledge and restrict the grounds on which third parties can collect data.

Yet this won't happen to a project like Bitcoin: if anyone finds something offensive that's stored in a block, nobody will be able to do anything about it (unless you take the Ethereum path and create a dangerous precedent for your blockchain's immutability).

If the internet transitions towards getting stored on a blockchain (by virtue of the "Blockchain, not Bitcoin" school of thought), then we're going to adjust our social norms. For the first time in their existence, legislators will have to deal with the fact that they can no longer interfere and dictate what is normal and what isn't, and our society will have to develop a strong foundation to adapt to the changes.

Just imagine a world where everything that you do is permanent and irreversible. Sounds a lot like real life, right? This doesn't mean that your actions cannot get punished by governments when you do something illegal, it's just a way of saying that your act of rebellion has left a permanent mark on society. Correspondingly, people will have to learn to forget without having Big Brother to tell them to, develop conscience-preserving ignoring skills, and establish personal values that are strong enough to withstand anything nasty that they might find out.

If Bitcoin is exempt from GDPR, then blockchain companies aren't.

Part of the cypherpunk ethos which led to the creation of the blockchain demands the removal of the greedy practices of political and financial elites. Abusive regulations would get replaced by open-source, transparent, and inclusive protocols which fulfil some of the functions of centralized institutions.

But the utopia isn't very applicable in the real world, and the system needs companies to integrate the technology into various projects. Perhaps the biggest visionary in this field was Ethereum creator Vitalik Buterin, who thought about allowing applications to get built on an open blockchain in order to develop the scope of the technology and hasten its adoption. It all came at a price, though: further centralization and the integration of the company-driven business model in the space, which creates some issues in itself.



The best example is the Parity ICO Passport Service which had to shut down due to the GDPR provisions. The service doesn't run on its own blockchain (and operates on one which has a bad record in terms of immutability and might be coerced into reversing transactions in the future), functions as a company which is compliant with national and international law, and processes the kind of personal data that the GDPR covers in its provisions.

As legislators get a better grip on the principles of the Ethereum network - as well as those of Cardano, NEO, Tron, and others which serve a similar function - we can expect many more situations where blockchain businesses get affected by strict regulations.

While the technologies are innovative and disruptive, they are a threat to some existing business models, and billion-dollar lobbyists will do their best to preserve their dominance. No bank wants the Celsius Network or OmiseGO to succeed, and governments might see money laundering potential in games like CryptoKitties. While Ethereum moves away from Proof-of-Work and seeks governance for its blockchain, dApps will also have to adjust their revolutionary scopes to meet the challenges of the real world.

In many ways, Bitcoin is the only blockchain project that carries on cypherpunk ideals. It's going to be interesting to see how governments try to take down something that doesn’t have a single point of failure. GDPR can't censor the newspaper that Satoshi Nakamoto put in the Bitcoin genesis block, transactions that get validated and written into blocks remain immutable, and it all acts as a big chunk of kryptonite for regulators worldwide.