When the GDPR Meets (Public) Blockchains:
Looking through the Lens of Public Communications to Users
by Shujun Li and Rahime Belen Sağlam
Institute of Cyber Security for Society (iCSS) & School of Computing, University of Kent, UK
9th March 2021
The article originally published in PenTest Magazine's edition entitled "Privilege Escalation in Practice" available at: https://pentestmag.com/product/pentest-privilege-escalation-in-practice/
Our lives today highly depend on computer and Internet technologies, and we are disclosing personal data to online and physical service providers, governmental bodies, and many other organisations on a daily basis. In order to meet the increasing needs of personal data protection in such a highly digitised, networked and globalised world, in 2016 the European Union (EU) adopted a new regulation called the General Data Protection Regulation (DGPR), which became enforceable from 25th May 2018 in all EU member states (including in the UK since Brexit happened only after this date). The GDPR’s adoption was later extended to cover three EEA (European Economic Area) countries: Iceland, Liechtenstein and Norway. While leaving the EU, the UK also implemented the GDPR and defined a new Data Protection Act 2018, since Brexit happened only after the effective date of the GDPR. Since its adoption in the EU, the GDPR has had a global impact and attracted a lot of attention from individuals, organisations, governments and legislatures, not just within the EU and the EEA. A number of non-EEA countries have since followed the GDPR as a model to define their own new data protection regulation, such as Brazil’s LGPD (Lei Geral de Proteção de Dados Pessoais, or General Data Protection Law), Japan’s Protection of Personal Information (APPI) Act and the California Consumer Privacy Act (CCPA).
As a very recent regulation, the GDPR introduces a number of new principles and legal requirements to the landscape of data protection law. Examples include ‘the right to erasure’ (also known as ‘the right to be forgotten’), the requirement for explicit consent, and a significantly increased maximum penalty fine for non-compliance, which have been key highlights in public media. Some data protection principles and legal requirements defined in the GDPR have led to a tension with some new and emerging technologies. One such technology is about distributed ledgers, more commonly known as blockchains.
A blockchain is a distributed (peer-to-peer) database where data is stored not on a central server, but among all its users. A distributed consensus protocol (e.g., proof of work) and some special incentivisation mechanisms (mostly in the form of a cryptocurrency) are normally used to encourage participation of users to make the system self-sustainable. Blockchains follow the distributed trust model and embrace transparency (all can see the data), security and anonymity (the use of cryptography and pseudonymous IDs for addresses). The first and the most widely used blockchain system (and cryptocurrency) is Bitcoin, which was invented and implemented by someone with the pseudonymous name Satoshi Nakamoto in 2008. Since Bitcoin, many blockchain systems and cryptocurrencies have emerged, mostly after the second half of the 2010s, e.g., the currently second largest blockchain system Ethereum went live in 2015. According to who can read and write to the distributed ledger, blockchain systems can be classified into three major categories: public (permissionless) – anyone on the blockchain network, permissioned – only a number of privileged nodes with the right permission, and private – a single or several private users.
One unique technical feature of almost all existing blockchain systems is that, once a piece of data is stored on chain, it will remain there permanently. This feature is particularly important for public blockchains due to the lack of a centralised trusted party. It cannot be easily fixed by tweaking a blockchain system’s design and implementation details. This immediately leads to a direct conflict with the right to be forgotten defined in the GDPR, and users would have to give up this right forever if they want to use a blockchain system. In addition, blockchain systems, especially public ones, also have other tricky GDPR compliance issues to address, such as how to define the data controllers and data processors (who are responsible for data protection), how to obtain explicit consents and support withdrawal of consents, etc. It deserves noting that, due to the distributed and (pseudo)anonymous nature of most public blockchain systems, and according to the territorial scope of the GDPR (see the 2019 dedicated guidelines from the European Data Protection Board), the GDPR should apply because data subjects and/or data controllers/processors can be from the EU or EEA.
The tension between blockchains and the GDPR has been noticed by the blockchain community. In October 2018, the EU Blockchain Observatory & Forum published a thematic report “Blockchain and the GDPR” to summarise the collective understanding of the community on this issue. This report acknowledges that the problem is particularly problematic for public blockchains, and recommends storing personal data off chain when possible or at least in an encrypted/anonymised form. The report also recommends that blockchain system developers and service providers should “be as clear and transparent as possible with users”. In addition, the report also voiced the opinion that public keys or blockchain addresses should be considered personal data. This means no blockchain systems can avoid storing all personal data, since blockchain addresses must be used for any transactions on chain.
In order to understand how transparently public blockchain developers and service providers have been communicating the blockchain-GDPR tension to their users, together with our collaborators (Çağrı Burak Aslan, Lisa Dickson and Ganna Pogrebna), we conducted a data-driven study based on three different types of public communications of blockchain developers and service providers: public-facing legal documents including privacy policies and T&C (Terms and Conditions) documents, and public tweets. We selected 320 active cryptocurrencies with a market capitalization size greater than $10 million as of 17th April 2019 on CoinMarketCap, and used them as proxies to identify 314 different public blockchain systems. In May 2019, we visited the official websites of the 314 blockchain systems and identified 189 with links to privacy policies or T&C documents or other relevant legal documents and 310 official Twitter accounts. We then downloaded all the legal documents and timelines of the official Twitter accounts, and conducted qualitative and quantitative analysis of the collected data to see how the tension with the GDPR was communicated.
The results were both surprising and worrying. Only 86 of the 314 studied blockchain systems (27.5%) had covered GDPR at least once using any of the studied public communication channels. Only 27 systems (8.6%) had actually talked about the GDPR in at least one of the public-facing legal documents. As a general pattern, there was a systematic lack of details about why and how the blockchain-GDPR tension was addressed, and many systems made problematic statements about if they are GDPR compliant. Our work clearly indicated that most blockchain developers and service providers were not as clear or transparent to their users on the GDPR compliance issue, which is opposite to the recommendation from the EU Blockchain Observatory & Forum. Considering the high profile of the GDPR and the EU Blockchain Observatory & Forum in the blockchain community, it would be surprising if most blockchain developers and service providers were unaware of the issue as late as in May 2019, nearly after a year after the effective date of the GDPR and more than half a year after the publication of the EU Blockchain Observatory & Forum thematic report.
- “Accordingly, by design, a blockchain’s records cannot be changed or deleted and is said to be ‘immutable’. This may affect your ability to exercise your rights such as your right to erasure (‘right to be forgotten’), or your rights to object or restrict processing, of your personal data. Data on the blockchain cannot be erased and cannot be changed.”
- “IF YOU WANT TO ENSURE YOUR PRIVACY RIGHTS ARE NOT AFFECTED IN ANY WAY, YOU SHOULD NOT TRANSACT ON BLOCKCHAINS AS CERTAIN RIGHTS MAY NOT BE FULLY AVAILABLE OR EXERCISABLE BY YOU OR US DUE TO THE TECHNOLOGICAL INFRASTRUCTURE OF THE BLOCKCHAIN. IN PARTICULAR, THE BLOCKCHAIN IS AVAILABLE TO THE PUBLIC AND ANY PERSONAL DATA SHARED ON THE BLOCKCHAIN WILL BECOME PUBLICLY AVAILABLE.”
Although our work was conducted in 2019, we did a quick check of some selected blockchain systems’ websites in March 2021 to see if some systems have updated their public communications. The results looked largely aligned with what we observed in 2019. Another more formal validation was conducted between March and May 2020 on 50 public blockchain systems whose corresponding cryptocurrency had a capital market size over $150 million on CoinMarketCap. In this new study, we looked at the 50 blockchain systems’ GDPR-related communications on the following online channels: blog and web forums, and GitHub repositories. We also looked at blockchain users’ discussions on Twitter. The new research re-confirmed our results in 2019 that blockchain systems were not playing an active role in communicating the blockchain-GDPR tension to their users. Interested readers who want to read more are referred to our research papers [1, 2].
Our work showed a worrying picture that many blockchain users may be left in the dark regarding the permanent loss of some of their important data protection rights due to the lack of active communications from many blockchain systems. We call all blockchain developers and service providers to take urgent actions to follow the EU Blockchain Observatory & Forum’s recommendations and the best practice set by GNOSIS to update their privacy policies and other relevant documents to allow users to make their fully informed decisions. Not doing this right can risk or ruin the reputation of the sector and users’ trust.
 Rahime Belen Sağlam, Çağrı B. Aslan, Shujun Li, Lisa Dickson and Ganna Pogrebna, "A Data-Driven Analysis of Blockchain Systems' Public Online Communications on GDPR," in Proceedings of 2020 IEEE International Conference on Decentralized Applications and Infrastructures (IEEE DAPPS 2020), pp. 22-31, IEEE, 2020, https://doi.org/10.1109/DAPPS49028.2020.00003 (authors’ version for free downloading: http://www.hooklee.com/Papers/DAPPS2020.pdf)
 Zeynep Chousein, Hacı Yakup Tetik, Rahime Belen Sağlam, Abdullah Bülbül and Shujun Li, "Tension between GDPR and Public Blockchains: A Data-Driven Analysis of Online Discussions," in Proceedings of 13th International Conference on Security of Information and Networks (SINCONF 2020), Article No. 17, 8 pages, ACM, 2020, https://doi.org/10.1145/3433174.3433587