European Data Protection Law and Bitcoin Blockchain

Jerry Brito at Coin Center is worried about European Law. He points out correctly that the Bitcoin blockchain can’t be changed. This is obviously incompatible with some of the rights the Data Protection Regulation gives, especially the right to be forgotten under Article 17.

I agree completely that this might be a problem. I also agree with Brito that the solution should not be to outlaw blockchains. As he explains blockchain technology may very well lead to much better privacy protection. The recent Facebook privacy problems would not have happened if there was no centralized service, but a decentralized structure instead.

I think the solution is to look at Article 17. It gives the data subjects some rights against the “controller”. The term “controller” is defined in Article 4, Number 7:

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

The whole point of a decentralized blockchain like Bitcoin is to have no one in control. Even “jointly with others” there is no entity that determines the purposes and means of the processing of personal data with Bitcoin.

In other words, Article 17 does not harm Bitcoin, since there is no one obliged under it. If there is any entity qualifying as “controller” of a blockchain of some altcoin or other, that blockchain would not be decentralized and therefore just another database, and it should of course be subject to all rules of the Data Protection Regulation.