Steemit and the EU's GDPR (General Data Protection Regulation) - Is This The End?

in #steemit, 6 years ago

Blockchain is Immutable, But GDPR Says You Have the Right to be Forgotten


What is GDPR?

The European Union (EU) has adopted a General Data Protection Regulation (GDPR), effective May 25, 2018. This regulation is extremely important to Steemit for several reasons, but I'm going to focus on one: it gives any EU resident the right to demand that a company erase all of the personal data it holds about them.

I won't go into laborious detail on the entire regulation, as it is a considerably lengthy document, but I will instead try to highlight some key points. Here's a link to a reference site for the regulation if you want to dive into it yourself: https://www.eugdpr.org/.

So, with Steemit storing all of the posts, comments, and other potentially personal information of its users on the immutable Steem blockchain, is there a risk to the future of the Steemit platform?

GDPR FAQ:

What constitutes personal data?
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

Key Changes:

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right is not absolute: it requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.

GDPR Fines

As part of GDPR, non-compliance with the regulation could come with steep penalties. How much is steep? The regulation has two tiers: up to € 10 Million or 2% of total worldwide revenue from the prior fiscal year for lesser infringements, and up to € 20 Million or 4% for the most serious ones (including violating data subjects' rights), whichever figure is higher. Since Steemit Inc likely doesn't have a large income statement, the percentage would be the smaller number and the € 20 Million figure would be the applicable maximum.

  • Could Steem / Steemit survive a € 20 Million fine?
  • How would the EU collect the fine?
  • How could the EU enforce the fine?

My guess is that the EU would go after Steemit Inc, followed by the Witnesses, followed by any full nodes that are running. Once enough of the full nodes are taken offline, the entire platform would eventually be bogged down by the bots (and any remaining users) and fail.

Here's one of the most important parts of the regulation: it doesn't matter whether you're a company operating in the USA, China, Australia, Singapore, Japan, < -- insert non-EU Country here -- > .. if you offer your service to people in the EU and hold any EU individual's personal data, and they request to be erased from your data storage, you must comply (subject to the Article 17 exceptions noted above) or face the penalties.

Can a New Privacy Policy Save Steem(it)?

A major consideration in GDPR is consent. If all users consent to their data being posted with the understanding that it can never be removed, is that enough? Not likely, especially since the regulation requires that withdrawing consent be as easy as giving it, but it's probably at least worth a try.


All it would take is one person to request to be forgotten and the whole platform could be in jeopardy...


Has anyone seen an update from any of the Witnesses, Devs, or anyone else on this subject?


Very valid post. The idea of a decentralised blockchain is nothing like Steemit Inc, which makes it centralised and attackable, so this might become something. If they would not be able to cope with it, then the witnesses are the next step. They are a bit more difficult to catch but can be traced down eventually. That's why we will need blockchains like substratum and nexus to redefine the whole internet.
I am implementing GDPR myself now, hell of a job. I have a few last ponderings. Will the EU go outside Europe for the fines? It is not Steem who has put our info on the blockchain, we do that. A big warning during registration might do the job. I agree it is my responsibility and this data can never be deleted. But then again, what if you put a picture of me?
I have been thinking along similar lines as your post; we shouldn't ignore this GDPR!!!

Social media is covered under the purview of GDPR, even if the user is posting their own data. As a user, you still own the rights to your data (and how it is used / processed) and the EU GDPR gives EU residents the ability to actually control the extent to which their own data can be used.

It will be interesting for sure to see how deep and far the EU decides to enforce this regulation. There are clear statements within the FAQ that GDPR will span across borders, regardless of whether or not a company (or data) of an EU citizen is stored outside of the EU.

I also am working on GDPR in the real world 🙂

GDPR makes a social network on a blockchain totally impossible. I really wonder now how this can be solved in other ways than blockchains going 100% underground; this will definitely become a very big issue in the future. Very, very interesting.

I don't think it makes social networking on a blockchain impossible, but there will likely need to be adjustments to how accessible the data is. There would need to be a "flag" built into the blockchain that prevented user data from being accessed if someone wanted their data removed. Since the data is stored in a hashed format, it would be inaccessible unless the flag is flipped to 'allowed' or something along those lines.

Data is hashed but readable. All data could be encrypted and only decryptable with the poster's key, which could be made unavailable.
This same technique would also generally allow putting private stuff onto a public blockchain, a thing I am myself very interested in. I develop accounting software and I would love to use the biggest ledger of all time as a true ledger, but I cannot expect companies to put their accounting details on a public ledger.
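The two ideas raised in this thread, a flag that withholds a user's content once they ask to be forgotten and content that is only decryptable with the poster's key, are the same technique, usually called crypto-shredding. The following is an added example written for this page, not Steem or Steemit code and not something either commenter posted. It assumes a toy hash-chained ledger standing in for the blockchain, an off-chain per-user key vault (the `KeyVault` class is hypothetical), and an HMAC-SHA256 counter-mode keystream standing in for AES-GCM so that it runs on the standard library alone; in practice you would use AES-GCM from a real crypto library.

```python
"""Crypto-shredding on an append-only ledger (added example, not Steem code).

Post bodies go on the chain only as ciphertext under a per-user key that is
held OFF-chain. Erasure destroys the key: every block and the hash chain stay
exactly as they were, but the content can no longer be recovered.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode.

    Demo stream cipher only (stands in for AES-GCM). The nonce must never
    repeat under one key, or the XOR of two ciphertexts leaks plaintext.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> Dict[str, str]:
    """Encrypt-then-MAC; returns a JSON-friendly record for the ledger."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, record: Dict[str, str]) -> bytes:
    """Check the tag first; a wrong key or a tampered record raises ValueError."""
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class Ledger:
    """Minimal hash-chained, append-only log standing in for the blockchain."""

    def __init__(self) -> None:
        self.blocks: List[Dict] = []

    @staticmethod
    def _digest(prev: str, payload: Dict) -> str:
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload: Dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        h = self._digest(prev, payload)
        self.blocks.append({"prev": prev, "payload": payload, "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute every hash and link; editing or dropping a block breaks the chain."""
        prev = "0" * 64
        for block in self.blocks:
            if block["prev"] != prev or self._digest(prev, block["payload"]) != block["hash"]:
                return False
            prev = block["hash"]
        return True


class KeyVault:
    """Hypothetical off-chain store of per-user keys; deleting a key IS the erasure."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, user: str) -> bytes:
        return self._keys.setdefault(user, os.urandom(32))

    def get(self, user: str) -> Optional[bytes]:
        return self._keys.get(user)

    def shred(self, user: str) -> None:
        self._keys.pop(user, None)


def post(ledger: Ledger, vault: KeyVault, user: str, text: bytes) -> str:
    """Append a post as ciphertext; note the author's name itself stays in clear."""
    return ledger.append({"user": user, **encrypt(vault.key_for(user), text)})


def read_posts(ledger: Ledger, vault: KeyVault, user: str) -> List[Optional[bytes]]:
    """Return a user's posts; None is the 'forgotten' flag for shredded content."""
    key = vault.get(user)
    return [decrypt(key, b["payload"]) if key is not None else None
            for b in ledger.blocks if b["payload"]["user"] == user]


if __name__ == "__main__":
    ledger, vault = Ledger(), KeyVault()
    post(ledger, vault, "alice", b"hello from alice")  # constructed sample posts
    post(ledger, vault, "bob", b"hello from bob")
    head = ledger.blocks[-1]["hash"]
    vault.shred("alice")  # the erasure request
    assert read_posts(ledger, vault, "alice") == [None]
    assert read_posts(ledger, vault, "bob") == [b"hello from bob"]
    assert ledger.verify() and ledger.blocks[-1]["hash"] == head
    print("alice's content erased, chain head unchanged:", head[:16])
```

Two caveats that matter for the GDPR question: the account name and the fact that a post exists remain on the chain in clear, so this narrows the erasure problem to the post body rather than solving it outright; and whoever runs the key vault can decrypt everything, so the vault is both the point where erasure actually happens and a centralised target that needs its own protection and audit trail.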

Enjoying this topic and discussion... :-)

I think we're talking along the same point with the public/private key encryption aspect + hashing. I was trying to simplify, and likely went overboard and off-center in my simplification.

I don't think that EVERYTHING will be placed on a public blockchain, unless someone figures out how to avoid the massive database sizes generated by blockchains, but a public blockchain is definitely going to be a near-term solution. Look at healthcare - they are already working on implementing blockchain for claims management where the blockchain holds current patient and doctor data to streamline the approval (or denial) of claims. 2018 will be a really exciting time for blockchain across many large industries!

Steemit isn't saving any data anywhere, it just displays data saved on the blockchain by the witnesses.
They're spread all over the world, many behind VPNs.

Perfect explanation @matclarke :)

Please review my response. His explanation is actually missing additional considerations when you factor in more of the regulation.

It sounds like you're trying to argue semantics. The data is stored somewhere. Steemit is the platform displaying the data from the Steem blockchain.

Here are some more points from the FAQ that you should read before assuming that Steemit wouldn't be included as part of the regulation:

What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.

Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Steemit sounds very much like a "Data Processor", and consent is still paramount in the "processing" of data. Steemit would effectively need to "censor" the user data that's requested to be forgotten, or the Witnesses would need to delete the data from the blockchain (or both - in reality).

I never knew about this GDPR. Need to find out more about it.

Thx for another informative post. Easy to read.
Please continue up with creating interesting content - it may be hard at the beginning to build reach and solid followers base.
Steemits needs solid content builders so just dont ever give up! :)

Already followed and upvoted :) Cheers,

Thank you for your response, vote and follow.

It looks like you post a lot. And many of your posts are highly generic, like this one. I suggest that you continue to engage with others, but you should vary your responses a bit more and have them be slightly more human-sounding.

The truth is that I'm trying to engage with people here and get to know like-minded people from the crypto industry. I'm doing my best to sound like a human, but the problem is that I'm not a native English speaker and it doesn't always work the way I want it to.

Thank you for your kind reply. I will follow you closely and I hope we can stay in touch as we share similar passions
