When it comes to job-creating innovation, Europe needs all the help it can get. Buckling under already heavier regulation than other jurisdictions, any additional one could be the proverbial "straw that breaks the camel's back".
Blockchain and GDPR could have coexisted peacefully. But any new and complex regulation gives lawyers a weapon to hold both existing organizations (the juiciest target) and innovators (collateral damage) to ransom.
While there are blockchain-friendly lawyers (especially when on the payroll of technology firms), the legal profession has a strong financial incentive to wield that weapon when holding (incumbents as well as) innovators to ransom with an innocent sounding "It depends, it's a case by case decision" which often translates as "Pay up to have me advise you how to do it to stay compliant." With no guarantee of course that, later on, a Court will not find that you were still not compliant ...
Not to mention that there are also lawyers genuinely averse to this technology. And that, for lawyers employed by the public sector, natural risk adversity combines with the hard-wired satisfaction all humans enjoy when exercising power. The power to say "No, you are not allowed to do that".
It is my conclusion that blockchain innovators' only recourse is to unite and devise a coherent, coordinated response. That could be either:
- a provoked landmark legal challenge that would provide clarity for the industry, or
- a plea with the legislators to define in law a "blockchain domain" and adapt the GDPR to accomodate the existence of said domain.
"As men, in their natural state, regardless of all religion, know not, in their disagreements, other laws than those of beasts, the right of the strongest, the establishment of societies must be seen as a kind of treaty against this unjust law; a treaty aiming to establish, among the different parties of mankind, some sort of balance."
The **Regulation (EU) 2016/679 of the European Parliament and of the Council** of 27 april 2016, also known as the "General Data Protection Regulation" (or **GPDR** in short) has entered in force on May 25th, 2018.
I wanted to write my personal analysis of what GDPR means for blockchain innovators. And maybe I'll do, given enough time. Take this text as an "immediate response" and "work in progress".
A visionary law
When we consider the way our societies are transformed and impacted by the advance of information technologies, the GDPR stands out as the most advanced and visionary pieces of legislation our representatives have put forward.
In an era when "Data is the new oil" the overall context is detailed in the regulation's "recitals" (of which there are 173 ...)
Data Protection: A fundamental right but not an absolute right
The protection of natural (note: not "legal", i.e. companies) persons in relation to the processing of personal data is a fundamental right (recital (1)), following from the Charter of Fundamental Rights of the EU and from the Treaty on the Functioning of the EU (TFEU).
GDPR is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons (recital (2)).
Why is important to stress that out ? Because of the "Spirit of the Laws". Laws are crafted by the legislator, after consultations with the subjects of the future law, with a purpose. Only part of that overarching purpose can ever be captured in the Letter of the Law. When the law is followed and applied, all the actors must keep in mind and respect the Spirit of the Law
There are fundamental differences between the legal systems of Continental Europe, based on the Roman law and influenced by the Napoleon's Code, and the Anglo-Saxon "common law" system that is in force in the UK and the US.
In the former, the Legislator has purpose and intent - consequently the Spirit of the Law proceeds from those. The Judiciary applies the law by looking at the Letter and the Spirit (as it can be inferred), both proceeding from the Legislator.
In the "Common law" system the Spirit of the Law is something on which the Judiciary has a say, and which evolves with each actual application. As judgements are incorporated through "precedent", the Judiciary partakes in the legislative power ...
The much higher power the Judiciary branch (and all the legal profession) has in the Anglo-Saxon legal system when compared to the Continental system is plain for anyone to see: from lawyer salaries to the widespread litigation, everything sets the US and UK apart from Continental Europe.
Let it be said that I strongly believe the GDPR is a Continental law and should be interpreted as such.
The 4th recital
The fourth recital of the GDPR is probably the most important to keep in mind when making sense of it:
The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
Blockchain is a complex, revolutionary technology. GDPR is an almost unprecedented legal attempt at regulating a relatively new domain. It is a complex piece of legislation. As a consequence, interpretation requires not only a bright legal mind but also one with a deep understanding of technology.
When technologists express themselves in the belief that they understand law (as is my case), the lawyers can simply shrug and ignore them. But the opposite could not be farther from the truth.
When lawyers, even those with the flimsiest grasp of technology, give an opinion, they can sink a business and potentially nip in the bud what has been called by some "the game changer of the 4th industrial revolution". Or at least prevent Europe from being in the lead ...
Because when confronted with an intractable situation, there are as always three possible responses:
- freeze (give up attempting to innovate)
- flight (to more forgiving jurisdictions, at least until you make enough money to afford the lawyers)
EU Blockchain Observatory and Forum
The EU Blockchain Observatory and Forum organized today a workshop about blockchain and GDPR. My "take away" from a full day of heated debate is that ... while the legislator has probably never intended to ban blockchain (see "spirit of the law" above), some lawyers will clearly try to make the most out of the grey areas and apparent incompatibilities
It gets even more complicated when the regulatory bodies enter the picture. The national "Data Protection Authorities" were sending representatives to an arcane body cryptically called "Article 29 Working Party" (A29WP) which will now morph and become the EDPB (European Data Protection Board).
GDPR has been designed to be as independent of technology as possible, hence it leaves quite a bit of space for interpretation, which is sensible. Having an authority that continuously monitors technological development and interpolates the prescriptions of the law, and formulates opinons and recommendations is also a sensible thing.
The A29WP was that body ... which immediatly signals a problem ... because thereafter the same Data Protection Authorities (DPA) that are represented in the A29WP proceed to enforce its recommendations! In a way, the DPA are both "making the law" (technically "filling in the - numerous - intentional blanks in GDPR") and "enforcing that same law" (applying fines on the basis of the interpretations they themselves have decided)!
The Need to Act
My alarmed conclusion is that those who care about saving blockchain innovation in Europe, those who grew tired of Europe being yet again the laggard in advanced technologies, have only one choice. They cannot freeze, nor can they flee. They must come together and act quickly, before it's too late and "blockchain" becomes yet another area where Europe is a "rule taker", after Cloud Computing, Big Data / AI, and other advanced fields.
While the original intention of the legislator was no doubt to protect the EU citizens from "data predation" by quasi-monopolistic corporations, two side effects risk having terrible consequences:
- the incentive structure of the legal profession is such that it's rational for them to use a new, complex law which maps awkwardly on a disruptive new technology as a "fee extracting tool": "You want to innovate? It might be possible to comply with GDPR... I can tell you how if you pay my fees ..." In Europe this is usually less of a problem than in the US because of the specificities of the legal system mentioned above, but with GDPR we are in virgin territory. Add here natural risk adversity and, for lawyers employed by the public sector, the mere feeling of power humans enjoy when saying "No, you are not allowed to do that".
- the enforcement architecture puts too much unchecked power in the hands of the A29WP / EDPB. The DPAs are supposed to nominate both lawyers and technologists in this body but because of the structural social asymmetry of the two roles (an IT guy will often shake before a lawyer, never the opposite), the decisions are likely going to be made by the lawyers. Which would be less of a problem if blockchain technology was less complex and easier to grasp. The risk here is of "mission creep" and the DPAs starting to protect people against themselves, in the process condemning them to forsake the prosperity and abundance that blockchain technology could bring about.
Referring back to D'Alembert's quote above, currently I've seen no balance. What I sensed is a strong hostility to blockchain innovation
I want to finish on a positive note: I have received a fresh research paper (so fresh Google cannot find it yet) "On Blockchains and the General Data Protection Regulation" by Luis-Daniel Ibanez, Kieron O'Hara and Elena Simperl, all from the University of Southampton. I've only managed to read about half of it (it's heavy) but it seems really well balanced, which is a good sign after the depressing read by Dr. Finck
Other posts on blockchain technology that you might enjoy:
- Blockchain revolution: the CIOs' dilemma
- Blockchain and the End of the Western Civilization
- Toward a pan-EU blockchain infrastructure
- Sovereign identity on blockchain
- Blockchain revolution: Money and Credit
- The Holy Blockchain
- Blockchain, Credentials and Connected Learning Conference
- Decentralized Learning: The Future of Student Mobility in Europe
- Poker Champion Tony G turns MEP Blockchain Champion!
Other posts on the impact cryptocurrencies are likely to have on our societies:
- The future of society
- The Church of Bitcoin
- Hack Your Life in 3 Easy Steps!
- Small worlds
- Steemit and the Fractal Society
- The Press needs to be Freed from the Tyranny of Money
- Steem $10Bln!
- A New Hope
- Immigrate to Romania!
If you enjoy my posts, please approve @lux-witness as a witness!
Also, why not optimize your own rewards and benefit from my pledge as explained in this post: