Over the past two years, more than two thousand ICOs have been run, and almost all of them have collected personal data. For many projects, personal data is the basis of the business model. If Europeans participate in an ICO, the project must comply, first of all, with European regulatory standards, namely the General Data Protection Regulation (GDPR).
Will the blockchain industry, whose capitalization already exceeds half a trillion USD, comply with the European Union’s data protection act?
The GDPR took effect in the European Union on May 25, 2018. The document regulates the collection and use of personal data in the European Union and is notable for at least two points:
- Companies that collect and use personal data must comply with high technical, organizational and documentary requirements;
- The Regulation applies not only to European companies but also to all companies outside the EU that offer services to Europeans or collect information about them.
Blockchain startups also have to reckon with the protection of personal data, since they collect and use the contact details and documents of investors, users and other interested parties. An ICO that is conducted in the EU or involves Europeans will have to meet the requirements of the GDPR.
Consider common examples:
- Formation of a white-list during the ICO – personal data is not recorded in the blockchain, but simply compiled into a list of investors who buy tokens;
- Verification of users during fundraising (KYC compliance) – data is collected to confirm the identity and lawfulness of the investor; it is likewise not tied to blockchain technology;
- Authorization in the personal account of the ICO investor (the blockchain is not used);
- Creating digital identification on the blockchain (validating identities on a blockchain) – in this case, the blockchain will be used to record personal data. This will make it possible to identify an individual using blockchain data.
In the first three cases, the requirements for the protection of personal data will be similar to those for any e-commerce project. Difficulties with GDPR compliance may arise for companies that provide blockchain identification services in the European Union. Such services record customer information (name, contact and passport data, financial information) in the blockchain, which may cause problems with implementing certain requirements of the Regulation.
What makes blockchain technology revolutionary is that data is recorded in such a way that it is impossible to delete or correct the information afterwards. The main idea is distributed information storage. Information is written to the blockchain by validators (or nodes, as they are called), which work according to consensus algorithms such as Proof-of-Work, Proof-of-Stake and others. Nodes are servers on which information is stored and which, according to the results of mathematical calculations, confirm or reject the recording of data in the blockchain.
Nodes can be located in different parts of the world, and each of them will record information. When the data is confirmed and recorded, the information is distributed to the rest of the nodes, which append new data blocks on top of it. The reliability of the previous blocks is checked against the copies of the blockchain held by the other nodes.
Under this model, if one of the validators holds previous records that do not match (have been compromised), the other nodes do not confirm the accuracy of the data, and the subsequent blocks no longer validate. As a result, other participants in the system reject the dishonest player, making the blockchain resistant to fraud. Information that was once entered into the database can no longer be corrected or deleted, since subsequent records are cryptographically linked to the previous ones.
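The following is an added example, not part of the original article, showing why correcting or erasing a record breaks the link to later blocks. It is a simplified model: blocks are linked with SHA-256 over JSON, there is no consensus or network, and all function names and sample records are hypothetical.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder for the first block's predecessor

def block_hash(index, prev_hash, record):
    """Hash a block's contents together with the previous block's hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "record": record},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()

def build_chain(records):
    """Append each record as a block linked to its predecessor by hash."""
    chain, prev = [], GENESIS_PREV
    for i, record in enumerate(records):
        h = block_hash(i, prev, record)
        chain.append({"index": i, "prev": prev, "record": record, "hash": h})
        prev = h
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return block["index"]  # link to the predecessor is broken
        if block_hash(block["index"], block["prev"], block["record"]) != block["hash"]:
            return block["index"]  # contents no longer match the stored hash
        prev = block["hash"]
    return None

def erase_record(chain, index, recompute=False):
    """Simulate an erasure request against block `index` on one node's copy."""
    copy = [dict(b) for b in chain]
    copy[index]["record"] = {"erased": True}
    if recompute:
        # The node re-hashes the edited block; the next block still commits to the old hash.
        b = copy[index]
        b["hash"] = block_hash(b["index"], b["prev"], b["record"])
    return copy

# Constructed sample identity records, not real data.
SAMPLE = [
    {"name": "Alice Example", "passport": "X0000001"},
    {"name": "Bob Example", "passport": "X0000002"},
    {"name": "Carol Example", "passport": "X0000003"},
]
```

Erasing block 1 in place fails verification at block 1; re-hashing the edited block only moves the failure to block 2, so every later block would have to be rewritten and accepted by the other nodes.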
In 2009, a reform of EU legislation on the protection of personal data was proposed. The previous EU directive on the protection of personal data, the 1995 Data Protection Directive, did not provide protection that met modern standards, as it was adopted when personal data was not yet of exceptional value.
Today, companies personalize most digital services, and this requires an analysis of preferences and the widest possible information about the user. Structuring and correctly using information provides a competitive advantage and generates significant profits. On the other hand, these features lead to the abuse of personal data, which is why a reform of its protection was required.
The first draft of the GDPR was published back in 2012. At that time, Bitcoin capitalization was only $50 million (now $121 billion), and the first Ethereum issue took place only three years later, on July 30, 2015. The blockchain had not yet gained popularity, so the European Parliament did not take its specifics into account when developing the reform.
In 2016, the EU adopted the final version of the GDPR (taking effect in 2018), and the features of the blockchain were not taken into account. As a result, by the time the Regulation was adopted, it was already outdated for current realities. This conflict between reality and legal regulation raises questions whenever data is written to the blockchain.