EU’s GDPR and its Effect on the Blockchain

Blockchain, as we all know, is a decentralized, peer-to-peer system with no central authority managing the flow of data: an immutable, append-only database that records not only financial transactions but also media files, digital identities, ownership records, contracts and other kinds of data.

Certain features of the blockchain, such as strong security, transparency, resistance to single points of failure and censorship, and pseudonymous or anonymous participation, have made it popular not only with the general public but also with financial institutions and the governments of various countries. The problem arose when certain jurisdictions gave their citizens extensive control over their own personal data, a requirement the blockchain has so far failed to meet. In 2016, the European Union adopted a new set of rules that gives the residents of its member states a firm grip on, and control over, their personal information.

The Problem

Being an immutable database, the data stored on a blockchain can be neither deleted nor edited. By their very nature, transactions on a blockchain are not meant to be deleted but to be recorded permanently, and it would also be very hard to stop every node that relays a Bitcoin transaction. This is by design; it is the basis of blockchain technology.

And that is where blockchain collides with the new EU rule. All the data about an individual stored on the blockchain, including transaction history, digital identity, media files and so on, cannot be deleted at that individual's request, while the regulation gives people the right to have their personal information on any network erased or corrected on demand. This means that Europeans who use a blockchain for whatever purpose cannot delete their personal data; it will be stored there forever. Let us dig into what the new set of rules states and how it will affect further adoption of blockchain technology in European countries.

The GDPR or General Data Protection Regulation

The General Data Protection Regulation (GDPR) takes effect on May 25th, 2018. Under the new rule, companies will be required to completely erase the personal data of any EU citizen who requests it. The problem is that with a blockchain, complete erasure of stored personal data may not be possible. Let us look at the details.

In 2016 the European Union adopted the General Data Protection Regulation (GDPR) to give European residents more rights and control over their personal data. It comes into full force on 25 May 2018 and will affect any company holding data relating to EU citizens or residents, whether or not that company is based in Europe. Compliance will be essential, as penalties can reach the higher of 4% of worldwide annual turnover or 20 million euros. The regulation has profound significance for blockchain systems in three regards:

  • Data stored on a blockchain is tamper-evident: any change is detected and rejected by the other nodes, so deleting it later on is not an option.
  • Blockchains are distributed, so control over the data put on them is relinquished to the network.
  • Smart contracts will fall under the rules on automated decision-making, and may therefore be contested.

Hence, under GDPR, an organization that runs a blockchain may be asked to remove a block or modify some data to comply with a request to be forgotten. The cleaner route is to keep the personal data off-chain and write only a pseudonym to the chain: a medical record would refer to “Corp-ID Client 192734”, and if that person wished to be forgotten, the organization would re-assign that pseudo-ID to a null ID in its off-chain lookup, eradicating the link from the person to the data while leaving the chain itself untouched. Purging the block instead has a serious side effect, as stated by Andries Van Humbeeck, co-founder and blockchain consultant at TheLedger.be:

“If you purge a block of transactions, the truthfulness of all subsequent blocks of transactions becomes questionable. All Bitcoin transactions after that purged block become untrustworthy, which would undermine the complete system.”

So how would they do it? Erasing or editing blocks is next to impossible, especially on a public blockchain. Creating private (permissioned) blockchains, where an organization controls the nodes and can audit an individual's data, may put an end to this problem.

This is not a fully fledged solution that avoids violating the GDPR: it is limited to the group of people associated with a particular organization, which means that not every individual can erase their data from a blockchain; only some can, at their will. There has been talk of developing new mechanisms that allow people to audit their personal data; until then, blockchain may face difficulties in European countries from May 25th.
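The two mechanics discussed above, keeping the person-to-pseudo-ID link off-chain so that erasure means deleting the link, and the way a purged or edited block invalidates everything after it, are shown in the following added example. It is illustrative code written for this article, not code from 1Kosmos or TheLedger.be; the “Corp-ID Client” pseudo-ID format, the class names and the sample patient record are all constructed for the example.

```python
import copy
import hashlib
import json
import secrets
from typing import Any, Dict, List, Optional


class Block:
    """One hash-linked block. The payload carries only a pseudo-ID, never personal data."""

    def __init__(self, index: int, prev_hash: str, payload: Dict[str, Any]) -> None:
        self.index, self.prev_hash, self.payload = index, prev_hash, payload
        self.hash = self.compute_hash()

    def compute_hash(self) -> str:
        # Canonical JSON so identical content always hashes identically.
        body = json.dumps({"index": self.index, "prev_hash": self.prev_hash,
                           "payload": self.payload}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Append-only chain. verify() fails as soon as any earlier block is purged or edited."""

    def __init__(self) -> None:
        self.blocks: List[Block] = [Block(0, "0" * 64, {"genesis": True})]

    def append(self, payload: Dict[str, Any]) -> Block:
        block = Block(len(self.blocks), self.blocks[-1].hash, payload)
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False  # content edited after it was hashed
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False  # link to predecessor broken (a block upstream was purged)
        return True


class PseudonymVault:
    """Off-chain, mutable store holding the only link between a data subject and the
    pseudo-IDs written on-chain. Deleting that link is the erasure."""

    def __init__(self) -> None:
        self._by_pseudo: Dict[str, Dict[str, Any]] = {}
        self._by_subject: Dict[str, List[str]] = {}

    def register(self, subject_id: str, personal: Dict[str, Any]) -> str:
        # Random, unguessable pseudo-ID in the hypothetical "Corp-ID Client" format.
        # It is deliberately not derived from the personal data: a hash of a name or
        # date of birth could be reversed by guessing, so it would still be personal data.
        pseudo = "Corp-ID Client " + secrets.token_hex(8)
        self._by_pseudo[pseudo] = dict(personal)
        self._by_subject.setdefault(subject_id, []).append(pseudo)
        return pseudo

    def resolve(self, pseudo: str) -> Optional[Dict[str, Any]]:
        return self._by_pseudo.get(pseudo)

    def forget(self, subject_id: str) -> int:
        """Right-to-erasure request: drop every mapping for the subject, return how many."""
        pseudos = self._by_subject.pop(subject_id, [])
        for p in pseudos:
            self._by_pseudo.pop(p, None)
        return len(pseudos)


def record_medical_entry(ledger: Ledger, vault: PseudonymVault, subject_id: str,
                         personal: Dict[str, Any], entry: str) -> str:
    pseudo = vault.register(subject_id, personal)
    ledger.append({"ref": pseudo, "entry": entry})  # on-chain: pseudo-ID plus clinical note
    return pseudo


def edit_is_detected(ledger: Ledger, index: int) -> bool:
    """Rewrite one block's payload on a copy; report whether verify() catches it."""
    forked = copy.deepcopy(ledger)
    forked.blocks[index].payload["entry"] = "REDACTED"
    return not forked.verify()


def purge_is_detected(ledger: Ledger, index: int) -> bool:
    """Delete one block on a copy; the next block's prev_hash no longer matches."""
    forked = copy.deepcopy(ledger)
    del forked.blocks[index]
    return not forked.verify()


def demo() -> Dict[str, Any]:
    ledger, vault = Ledger(), PseudonymVault()
    # Constructed sample data, not a real patient.
    pseudo = record_medical_entry(ledger, vault, "patient-17",
                                  {"name": "A. Example", "dob": "1980-01-01"}, "blood type A+")
    ledger.append({"note": "unrelated audit event"})
    before = vault.resolve(pseudo) is not None
    removed = vault.forget("patient-17")
    after = vault.resolve(pseudo) is not None
    return {
        "chain_valid_after_erasure": ledger.verify(),  # chain untouched, still valid
        "resolvable_before": before, "resolvable_after": after,
        "mappings_removed": removed,
        "on_chain_ref_still_present": ledger.blocks[1].payload["ref"] == pseudo,
        "edit_detected": edit_is_detected(ledger, 1),
        "purge_detected": purge_is_detected(ledger, 1),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

After `forget()` the block still carries the pseudo-ID, but nothing in the organization's possession maps it back to a person, and the chain validates exactly as before; by contrast, both the edit and the purge of block 1 are caught by `verify()`, which is the mechanical form of Van Humbeeck's warning. Whether an orphaned random token still counts as personal data is a legal question this code cannot settle.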

GDPR does not prohibit blockchain, but it does put some procedural requirements around blockchain's use in commercial enterprises. For individuals who opt into a public blockchain, there is no authority that can amend or correct a block once it is incorporated into the chain: caveat emptor. Organizations should make sure they have a mechanism that allows them to disassociate an individual from their blockchain contributions, whether as a miner or as a data subject.

References:

https://www.newsbtc.com/2018/04/06/what-does-the-eus-gdpr-mean-for-blockchain/

http://www.chainfrog.com/wp-content/uploads/2017/08/gdpr.pdf

https://blog.trendmicro.com/gdpr-vs-blockchain-technology-vs-the-law/

Meet the Author

Rohan Pinto

Co-founder of 1Kosmos

Rohan is the co-founder of 1Kosmos. He is a go-to security and identity management expert and the founder of several businesses that have made considerable advancements in blockchain and identity management.