Is GDPR an immovable block to blockchain?

A report has claimed that GDPR could hinder innovation in blockchain within Europe. If that is right, then this could be enough to ensure that the technology stars of tomorrow, the next Amazons or Googles, won’t be European. The report did hint at the opportunity, however.

Blockchain could be as transformative for business as the internet, at least nine out of ten technology professionals think that, or so found a survey by BTL Group.

Whether that is right remains to be seen, there are blockchain cynics aplenty, who question its viability considering the amount of electricity that blockchain applications such as bitcoin use. But if blockchain really will be transformative, then that creates a massive opportunity for companies that can master the technology and create innovative applications – in much the same way as the internet led to the emergence of US and Chinese tech firms becoming the largest listed corporations in the world.

This time, in this potentially burgeoning market, many hope that European companies can emerge as major players.

But could GDPR hold Europe back?

According to a report from the EU Blockchain Observatory and Forum, GDPR could impose a brake on blockchain innovation.

There are two good examples as to why this might happen, but there could be a more general reason why the GDPR and blockchain could be incompatible.

First, there is the right to be forgotten. Under GDPR, a data subject can demand that all data held on that person is removed. The data controller can only refuse that request under certain extreme circumstances, such as that the data held is in the public interest or has to be held by law. Under blockchain, however, the data is stored on every computer that forms part of the blockchain’s network. And this data is nigh on impossible to change. This is the essence of blockchain. In this way, it is virtually impossible for hackers to change records, or for individuals to cheat.

The blockchain is meant to be immutable, data can be added to a network, but not deleted.

Secondly, under GDPR, data controllers are responsible for data processed by third parties, creating particular problems when data is stored on computers outside of a region that signed up to GDPR or has a privacy framework that is not compatible with GDPR. But under blockchain, it is almost impossible to have any control over the location of computers that form the network.

There is a wider point: another word for blockchain is distributed ledger – meaning a record of ownership of an asset is stored across every computer or node that makes up the blockchain network – such a concept seems to be in direct contradiction with GDPR, with its onus on privacy and central bodies having control.

The EU Blockchain Observatory and Forum said: “As long as the legal framework around personal data and blockchain remains unclear, entrepreneurs and those designing and building blockchain-based platforms and applications in Europe face massive uncertainty. That can put a brake on innovation.”

It added: “The law was conceived and written before blockchain technology was widely known, and so was fashioned with an implicit assumption that a database is a centralised mechanism for collecting, storing and processing data.”

Does that mean there is no way out? Are GDPR and blockchain incompatible? The report provided some hope. It said: “Blockchain could, in theory, make it easier for platforms and applications to have this compliance ‘baked in’ to the code, supporting data protection by design.”

Maybe the opportunity for European firms is to develop blockchain solutions that respect privacy – such solutions might become very valuable indeed.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.