General Data Protection Regulation: What does this mean for Bitcoin, Ethereum & Co.?

The time has come: The General Data Protection Regulation (DSGVO) comes into force. The conflicts between the new data protection law and public blockchains are serious and unclear to many. The right to be forgotten clashes with the inability to forget. The principle of central responsibility stumbles over decentralisation. How can this be reconciled with the blockchain and cryptocurrencies?

After a grace period of two years, the DSGVO finally enters into force. With its seemingly endless scope of application and hefty penalties of up to 20 million euros or 4 percent of worldwide annual turnover, it has already caused a stir throughout the business world. So far, it has attracted less attention in the area of blockchains.

Does the DSGVO even apply to blockchains?

When initial questions were asked about the compatibility of Bitcoin and the DSGVO, some objected that the blockchain was anonymous. As everyone now knows, the blockchains of Ethereum and Bitcoin are not anonymous, but pseudonymous. The DSGVO may therefore be applicable.

In addition, the scope of application of the DSGVO is extremely broad.

First of all, in territorial terms it is de facto applicable worldwide, owing to digital networking and the attractiveness of the European economic area: according to Art. 3 DSGVO, put simply, it applies whenever data of EU citizens are processed or data processing takes place within the EU.

In addition, data processing is inherent in the way a blockchain works, which brings it further into the focus of the DSGVO.

Personal data in the blockchain

Of course, the processing of just any data is not sufficient. It must be personal data, as the DSGVO clarifies directly in its first articles (Art. 1 para. 1 and Art. 2 para. 1 DSGVO). According to the definition in Art. 4 para. 1 DSGVO, personal data are "any information relating to an identified or identifiable natural person […]".

The blockchain stores all transactions ever carried out. With this transaction data, it contains information about the credit balances and payment flows assigned to the individual Bitcoin addresses. With the appropriate additional knowledge, this makes it possible (and increasingly easy) to establish a link to the persons behind the data. The stored hashes serve to identify the user. They are thus personal data, in a relative sense, for anyone who has or can obtain the knowledge needed to assign this information to a specific person, for example if a trading exchange, a marketplace or an online shop is involved.

The DSGVO is thus applicable to public blockchains.

Persons responsible in a public blockchain
Against whom can the associated obligations be enforced at all? Who is responsible for any infringements of the DSGVO? According to Art. 4 No. 7 DSGVO, the person responsible is the person who alone or jointly with others decides on the purposes and means of processing personal data. What matters is therefore who actually has the power to make decisions about the blockchain.

The example of Satoshi Nakamoto makes it clear that it cannot be the person who programmed and started the blockchain: after the start he gave up control completely.

The miners cannot be seen as responsible either. Their influence is limited to the calculation of new blocks. They have neither influence on the content nor any real decision-making power. They only provide the computing power.

But this is different with full nodes: Whoever carries out a transaction and thereby distributes information or enters the blockchain into his copy, processes data, participates in the network and pursues his own economic purposes – and is responsible according to the DSGVO.

K.O. through rights of data subjects
In addition to a number of other rights and obligations, the DSGVO regulates the right to be forgotten as the strongest right (Art. 17 DSGVO). Thus the obligation to delete applies to the respective responsible node.

It is in the nature of the blockchain that data in it are not changed or deleted, but should remain permanently stored. This is what establishes the decentralised public faith or public trust in the first place. In addition, the complete deletion of data in public blockchains is theoretically possible, but extremely difficult in practice. Deleting individual data would change the hash of the block and all blocks that follow it.
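The effect of deleting a single record on the block hashes can be reproduced with a small hash chain. This is an added example, not code from the original article; it assumes a simplified block format (JSON records hashed directly with SHA-256, no Merkle tree or proof of work), and all addresses and amounts are constructed sample data.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # assumed placeholder for "no predecessor"

def block_hash(prev_hash, records):
    """SHA-256 over the previous block's hash and this block's records."""
    payload = json.dumps({"prev": prev_hash, "records": records}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(record_sets):
    """Link each block to its predecessor through the predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for records in record_sets:
        h = block_hash(prev, records)
        chain.append({"prev": prev, "records": list(records), "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Index of the first block a verifying node rejects, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        recomputed = block_hash(block["prev"], block["records"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return i
        prev = block["hash"]
    return None

def erase(chain, index, record):
    """Delete one record, then re-hash its block and every later block.
    Returns the number of blocks whose hash changed."""
    old_hashes = [b["hash"] for b in chain]
    chain[index]["records"].remove(record)
    prev = chain[index]["prev"]
    for block in chain[index:]:
        block["prev"] = prev
        block["hash"] = block_hash(prev, block["records"])
        prev = block["hash"]
    return sum(1 for b, old in zip(chain, old_hashes) if b["hash"] != old)

# Constructed sample data: five blocks of made-up transfers.
SAMPLE = [[f"addr{i}->addr{i+1}:1.0", f"addr{i+2}->addr{i}:0.5"] for i in range(5)]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    chain[1]["records"].remove("addr1->addr2:1.0")  # naive in-place deletion
    print("first rejected block:", first_invalid(chain))
    chain = build_chain(SAMPLE)
    print("blocks re-hashed:", erase(chain, 1, "addr1->addr2:1.0"))
```

Even after a consistent erase, the rewritten copy no longer matches the hashes held by every other node, so a single responsible node cannot delete the record for the network as a whole.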

After all, the basic idea of the blockchain has become so popular precisely because stored data cannot be changed or deleted afterwards without altering the hash of the block and of all blocks that follow it.