Blockchain may break EU privacy law—and it could get messy

Blockchain technology may offer greater levels of security than the internet at large, but a new research paper claims its approach to privacy may be in violation of European law.

In recent years, the European Court of Justice has ruled that citizens have the “right to be forgotten.” This doesn’t necessarily mean that damaging news articles about someone (or their embarrassing photos) would be deleted forever, but a person may be entitled to have Google search results and Wikipedia references that link to them expunged—the equivalent of removing a book from a library’s index system. Once that happens, someone would only be able to see this content if they knew exactly where to look.

But Dr Kirsten Wahlstrom, an emerging technologies researcher at the University of South Australia, believes blockchain amounts to a privacy minefield—arguing that many networks will struggle to comply with the law in its current form. She said:

“Once someone’s details are embedded in a blockchain, the system never forgets—yes, those details might be encrypted, but they are also part of an irreversible ledger, and one that’s on the cloud. As long as a blockchain is in existence, it clashes with the European ruling that people have the right to retract data.”   

A nasty dilemma

All of this leaves the blockchain industry in a massive quandary. This technology’s transparency and immutability, meaning it cannot be edited later, are among its biggest selling points. They are also why massive enterprises have been drawn to using it.

But if someone wanted to invoke their right to be forgotten—and order entries about themselves to be erased from the blockchain—networks may be duty-bound to comply under court order. Here’s the kicker: in some cases, it may be nearly impossible to obey these orders because of the sheer levels of computing power required to edit a blockchain. And in others, the decentralized nature of some networks may mean it’s impossible to pin down someone who can be held responsible for fulfilling the court order.

As part of her research, Dr Wahlstrom looked at a variation of blockchain technology that is known as Holochain. She concluded that it could be more compatible with the “right to be forgotten” legislation because of how its distributed database breaks the blockchain up—meaning it is easier for a smaller node to prevent contested data from being reshared.

“This allows individuals to verify data without disclosing all its details or permanently storing it in the cloud,” she added. “But there are also still a lot of questions to answer about how this affects the long-term viability of the chain and how it obtains verifications.”

Ultimately, Dr Wahlstrom is calling for the issue of privacy to be anticipated and addressed as new technologies are developed, “rather than just treated as a secondary issue that can be tackled reactively and retrospectively.” But this isn’t the only thing that the researcher believes is being treated as an afterthought:  

“In respect to privacy, I think the crucial first step is for the industry to develop a clear definition of what ‘privacy’ actually is—what we are trying to protect and why—and then agree standards to ensure those requirements are met across the board.”

Which isn’t to say that the EU is always a champion of personal privacy—at least when it comes to protecting personal information from the government.

In December, three European cryptocurrency firms shut down over concerns about the privacy implications of new EU anti-money-laundering regulations. Citing moral concerns about customer privacy, Bottle Pay, Chopcoin, and Simplecoin all shut their doors in advance of the regulations coming into force at the beginning of this year.

The right to be forgotten

The whole notion of the right to be forgotten may be a little alien if you’re a reader in the U.S., but the background to this landmark ruling is nothing short of fascinating.

Back in the 1990s, a Spanish man called Mario Costeja González had financial difficulties that were reported in an online newspaper. Although the issues were later resolved, the dated article would still appear prominently in search results whenever someone typed in his name. In May 2014, the European Court of Justice said Google had an obligation to remove links that were no longer relevant to González’s situation.

As you’d expect, this legal precedent opened the floodgates—as of last year, the tech giant has received more than 845,000 requests for data to be forgotten, with about 45% of them being approved. However, the guidelines for a successful request are clear: the sensitive information at hand must now be “inadequate, irrelevant, no longer relevant, or excessive.”

Google had a victory of its own last September when the European Court of Justice ruled that the right to be forgotten legislation does not apply internationally. This means links to certain search results can only be removed for users in Europe. At the time, the tech giant expressed fears that an international rollout of this rule could enable authoritarian regimes to cover up human rights abuses.

Although González may have made legal history, and paved the way for thousands of others, it’s fair to say he ended up suffering from the Streisand effect. Named after singer Barbra Streisand, this is where attempting to censor information results in it being publicized even more.