Blockchain is here as a future economic foundation. According to a recent Gartner report, the business value-add of blockchain will grow to slightly more than $176 billion by 2025, and then it will exceed $3.1 trillion by 2030.
It is vital that as with all new economies foundations that it grows in tandem with standards… Europechain has developed a systematic solution to enable blockchain services to be compliant with the GDPR standard.
Blockchain obviously has not been the focus of the people that drafted the GDPR. The technology wasn’t widely available then.
The GDPR regulations are written with some sort of central control in mind, which is the opposite of how blockchain technology is supposed to work. The opportunities that arise because of this new technology, the possible drawbacks, and the way Europechain deals with these drawbacks are detailed in this blog post.
Understanding data controllers
One can give many rights to a human, but without knowing against whom they can be revoked, they don’t mean anything.
Therefore, the GDPR regulations introduce a “data controller”, a person towards whom the people may turn if they want to invoke their rights. A GDPR “data controller” is, as the name suggests, the person or entity which controls the data. It determines what data can be used, and how it can be used.
E.g. if a company stores, and uses data to communicate with its clients, that company “controls” such use, making them the data controller.
If a controller decides to hire third parties to help with the processing of data, these third parties referred to as “data processors”. “Use”, “store” and many other actions regarding data are called “processing” in the GDPR.
How does this work with blockchain technology?
If a company uses blockchain to run software (dApps) that company is the controller for the data which the dApp processes.
But how about a public blockchain? Is the blockchain the hired hand? The “data processor”?
There is no contract between a dApp and the “blockchain”. The blockchain is not a single entity, but software which runs in a decentralised way. Node operators are often anonymous, and the company just launches the dApp. So it is unclear. Yet, the blockchain is not a controller: it merely performs instructions it gets from the dApp.
What about data a blockchain processes without dApps?
For example, processing such as transferring tokens and storing transactions? The blockchain should be data controller. But yet again, the blockchain is not an entity. In this event, are all the nodes controllers? But they don’t “control”. They just “mine” transactions.
How could they be controller? Blockchain is designed in a decentralized way.
It is therefore safe to say, that it is impossible for a public, permissionless blockchain, to establish or even determine a data controller and processor. For this reason alone, such a blockchain, can never be compliant with GDPR.
A GDPR compliant public blockchain
A GDPR compliant public blockchain is possible, but it needs some form of centralization and control. There has to be an entity where the people can turn to with their questions and demands.
Additionally, this entity needs to ensure that sensitive personal data is not stored on chain. This entity needs to have enough power to ensure GDPR compatibility of the blockchain, but not enough that it could tamper with the blockchain’s immutability, and threaten the very core of blockchain technology.
There are many blockchains that have central entities involved to some degree. Often a foundation that decides on code upgrades or similar matter. It is possible to give that entity enough controlling powers to make it the controller – if the software and its concrete set up, allows for that.
Europechain, built on DPOS software, is an example of a set up that is compatible in this respect.
As with everywhere else, with Europechain the dApps are data controllers. They must conclude a processing agreement with the limited liability company Europechain B.V., which will be the data processor. Before dApps are allowed to deploy on the Europechain public blockchain, they will have to prove that they will not store sensitive data on chain.
Europechain B.V. concludes sub-processor agreements with all the nodes (the block producers). Without concluding a (sub)processor agreement, a party cannot run a dApp or become a node.
If there is no dApp involved in transaction (e.g. in the event of token transfers on the base layer) Europechain B.V. is controller. In that event the nodes are not sub-processors but processors. The agreements are drafted such that they allow for that.
These agreements have dispute resolutions in them so that the powers of Europechain B.V. are in check and the nodes can be easily forced to comply with Europechain B.V.’s instructions.
This set up allows for adequate control to ensure the people are informed, and are able to submit their request with a competent and compliant entity. Furthermore, this allows for the contractual infrastructure required under the GDPR.
Given that the powers Europechain B.V. has are tailored to its position as a data controller and given that they are kept in check by the dispute resolution system, there is no way Europechain B.V.’s position may endanger the blockchain core values.
Europechain’s setup proves it is possible to find the right balance. A balance that is necessary for blockchain to become a mainstream infrastructure.