GDPR and Blockchain — Key Stumbling Points

The European Union General Data Protection Regulation (GDPR) came to force on 25 May 2018, as the most important change in data privacy in the last 20 years. The GDPR has a huge impact on both large and small organizations across Europe. In this article, we will explore its impact on the blockchain technology.

Image for post
Image for post

Difference between CRUD and CRAB

CRUD stands for Create-Read-Update-Delete. These are the basic operations of persistent storage. Now let’s remember that one of the basic principles of blockchain is that you cannot delete written transactions. It’s not even possible to update existing transactions since they are immutable.

Instead, operations on blockchain are described as CRAB: Create-Retrieve-Append-Burn. The folks from BigChainDB invented the ‘CRAB’ concept. The Create and Retrieve parts do not need explanation. The Append, which replaces Update, implies that you can only append new transactions to a blockchain, thus changing the ‘world state’ (sum of all past events/transactions up until now). The Burn operation in CRAB means that the encryption keys are forgotten, making the person unable to Append new transactions and change the world-state of this asset any further. Instead of forgetting the encryption key, we can also set the transaction to an “unsolvable” private key by picking a completely random public key, thereby locking ourselves and everyone else out.


The entire official GDPR document can be found freely on the internet.

An essential aspect of GDPR on blockchain is the fact that personal data is not allowed to leave the EU. This poses a significant problem with public blockchains since there is no control on who hosts a node. The problem is not as big when it comes to private or permissioned blockchains. To tackle it, IPDB set up a foundation that could ensure data stays in the EU because it is publicly accessible (client) but permissionly hosted (node) blockchain.

There is also a separate section under article 17 called the ‘Right to be Forgotten.’ This section is critical as it speaks about ‘erasure of data.’ However, nowhere in the document, not even in the article 4 which contains definitions is there any explanation of what the term erasure of data actually means.

The GDPR most probably only had CRUD in mind (always being able to delete a piece of information) when dealing with persistent storage. The issue pops up when we look at blockchain technology where this isn’t possible. Currently, since we do not have a definition what exactly “erasure of data” means, we probably need to interpret it strictly. This means that burning/throwing away encryption keys in the blockchain technology are not acceptable as “erasure of data,” following the GDPR.

The Paradox

The paradox appears when we compare the goal of GPDR to the blockchain technology goals. The goal of GPDR is to “give citizens back the control of their personal data, whilst imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” GDPR likewise states that the data should be erasable. Since burning encryption keys is not the same as “erasure of data,” GDPR does not allow us to store personal data on the blockchain. By doing so, we are losing the ability to enhance the control of our own data which is — ironically — the goal of GPDR.

GDPR should optimize the act to deal with the problems surrounding immutability of transactions and the fact that data cannot be erased from the blockchain.

Still, whatever solution they choose, the fact that things are getting more complex poses a severe disadvantage for all of us.

Having questions? Feel free to post them in the comments! You can also join the burning discussion about privacy in our Telegram group.

Written by

Secret Contract Platform for Privacy 2.0

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store