No Solution Yet Found to Bring Public Blockchains Under EU Privacy Laws
Sam Palmisano — retired IBM chairman and current chairman of United States nonprofit The Center for Global Enterprise — says he doesn’t know of a solution that has been found to make public blockchain networks compatible with European data privacy laws.
Palmisano made his remarks during a joint interview for Bloomberg Markets with David Kappos, partner at U.S. law firm Cravath, Swaine & Moore, which was broadcast on the Bloomberg Technology channel on March 4.
Palmisano and Kappos focused on the interaction between blockchain innovation and the General Data Protection Regulation (GDPR) — a landmark European Union-wide legal framework for personal data privacy, which took effect in May 2018.
Kappos recently co-authored a research paper — in conjunction with multinational law firm Slaughter and May and The Digital Supply Chain Institute — that outlines four guiding principles for establishing GDPR-compliant blockchains.
High-profile GDPR principles such as the right to be forgotten, along with the other far-reaching requirements the legislation places upon EU firms, have sparked debate as to whether blockchain networks — which are notably immutable, and thus do not erase data — can be brought into line with the new framework.
Palmisano, who spent 10 years in his former role as chair of IBM, said that certain private, permissioned blockchains — with adequate governance frameworks in place — can work well under GDPR, and even in some cases help firms with compliance, but that this does not currently hold for public networks. He stated:
“With the public case, it is more complicated because of the nature of the information out there and how it’s being shared […] I do know of research that’s going on to address the public market, however […] I don’t know of a solution that’s been found.”
While Palmisano affirmed the importance of a global policy shift toward tackling data protection, Kappos noted that Europe currently leads in legislating for digital privacy, and that the U.S. has “nothing that is on par with the EU’s muscular GDPR [initiative].”
Flouting GDPR courts the risk of heavy fines, as Kappos emphasized. The use of a governance framework, he noted, can significantly help blockchain users to ensure compliance:
“A network of companies can […] form a joint venture that describes how they’ll manage data, what they’ll put and won’t put on the blockchain, and how they’ll forget people when they want to be forgotten.”
In November 2018, research conducted by Queen Mary University of London and the University of Cambridge similarly pointed to the prospective compatibility of private blockchains with GDPR.