Monday, May 21, 2018

In the "You Don't Know What You Don't Know" Dept

On May 25, 2018 the General Data Protection Regulation ("GDPR") goes into effect in the European Union. That's this Friday for those of you playing along at home. It is a comprehensive system for the protection of "Personal Data" applicable to any resident of the European Union.

The GDPR is quite comprehensive, and I won't go into all of it. Relevantly, though, it requires that "Data Controllers" (entities that collect data from users) or "Processors" (entities that process data for Data Controllers) disclose the collection of "Personal Data" ("any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address") and that "Data Subjects" have control over the Personal Data. There is a whole litany of resources on how Data Controllers and Processors can comply with the GDPR.

The GDPR, among other things, contains some interesting rights, for example:
- The Right of Erasure
- The Right to Data Portability
- The Right to Rectification

Here's the interesting rabbit hole: The GDPR recognizes the concept of "pseudonymization": "[T]he processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information." So, this isn't "anonymization" (removing any marker of Personal Data), but rather adding an intervening step needed to figure out to whom the Personal Data belongs, perhaps through the process of "hashing" or "encryption."

It turns out that such pseudonymous Personal Data is not exempt from the GDPR, and thus it is still subject to the Rights enumerated therein (unlike truly anonymized data, which is exempt).

You say: "That's not that interesting"

"Ah, but what about THE BLOCKCHAIN?" I say.

I'm not going to go into too much detail here because multiple authors have tackled this better than I possibly could (see Van Humbeeck, Andries, The Blockchain-GDPR Paradox, The Ledger, Nov 21, 2017 and Luvai, Kennedy, How Blockchains May Comply with GDPR Mandates, May 2, 2018). But the basic gist is this: when data is written to a blockchain, it is, more or less, locked in place and can't be deleted (the word is "immutable"). New data does not overwrite old data; instead, new data is "appended" to the chain. Moreover, data on public and private blockchains is frequently "hashed" and/or "encrypted" because blockchains, by their nature, are transparent, meaning that any node can see transactions that occur on its chain. If there is data stored in a block, that data is often hashed or encrypted to prevent it from being truly public.

I'm sure you are beginning to see the problem: if the data in a block on a blockchain is GDPR Personal Data and the GDPR mandates that Data Subjects have a Right of Erasure of their Personal Data, it is functionally impossible for the blockchain operator (we'll ignore the question of how we even determine "who" the Data Controller or Processor is and assume we can even identify such an entity on a particular blockchain) to comply with the GDPR Right of Erasure.
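The problem in miniature, as an added example that is not from the original post or from any real blockchain: a toy hash-linked ledger in Python whose blocks carry pseudonymized (keyed-hash) identifiers. The key, e-mail addresses and function names are constructed for illustration, and an HMAC stands in for whatever hashing scheme a real chain would use.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def pseudonymize(email, key):
    # Keyed hash: the key is the "additional information" needed for attribution.
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()

def block_hash(index, prev, data):
    body = json.dumps({"index": index, "prev": prev, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, data):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": len(chain), "prev": prev, "data": data,
                  "hash": block_hash(len(chain), prev, data)})

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(b["index"], b["prev"], b["data"]):
            return b["index"]
        prev = b["hash"]
    return None

def find_subject(chain, email, key):
    """Re-attribute blocks to a person: possible for anyone holding the key."""
    token = pseudonymize(email, key)
    return [b["index"] for b in chain if b["data"] and b["data"]["subject"] == token]

def erase(chain, index, rehash=False):
    """Honor an erasure request by blanking one block's data in place."""
    chain[index]["data"] = None
    if rehash:  # also recompute this block's own hash so it is self-consistent
        chain[index]["hash"] = block_hash(index, chain[index]["prev"], None)

def build_demo_chain(key):
    chain = []  # constructed sample data, not real records
    for email in ("alice@example.com", "bob@example.com", "carol@example.com"):
        append(chain, {"subject": pseudonymize(email, key), "event": "signup"})
    return chain

if __name__ == "__main__":
    chain = build_demo_chain(b"constructed-demo-key")
    erase(chain, 1, rehash=True)
    print("first block failing verification:", first_invalid(chain))
```

Blanking one block to honor an erasure request makes verification fail at that block; re-hashing it only moves the failure to the next block, so every later block would have to be rewritten. Until then, anyone holding the key can still attribute the block to its Data Subject, which is why the data is pseudonymous rather than anonymous.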

Thus it seems that the unstoppable force (blockchain) has met its immovable object (GDPR). Grab your popcorn for this show!