The GDPR and the Right to be Forgotten: can DAOs forget?
In this part of our legal series surrounding DAOs, we zoom in on the 'right to be forgotten,' considered to be the centrepiece of Europe's privacy regulatory framework, the General Data Protection Regulation —more commonly known simply as the GDPR. The right to be forgotten, included in the GDPR as the 'right to erasure', gives individuals the option to request the erasure of their personal data in certain circumstances. In this article, we will explore what this means for blockchain-based DAOs.
The GDPR’s right to erasure
In May 2014, for the first time in history, an individual had successfully invoked his right to erasure of personal data, on the basis of the previous European data protection law. The Court of Justice of the European Union ruled that under certain conditions, search engines have to remove search results linking to websites containing personal data, on formal request. The GDPR made this right to erasure, also known as the right to be forgotten, a general data protection right by dedicating a separate article to it, Article 17.
Article 17 enumerates seven grounds under which an individual can oblige an organization to delete specific personal data collected about him or her. These scenarios are broadly defined and can potentially apply to DAOs. For example, a person can ask for erasure of personal data when it is no longer necessary for the purposes for which it was collected, or when the individual simply withdraws consent on which the data processing was based.
To tamper or not to tamper
If a blockchain-based DAO is asked to erase certain personal data stored on the blockchain, it will inevitably face practical difficulties since blockchain technology is constructed around the principle of immutability. Tampering blockchain data is, however, not completely impossible since there is always the possibility of a hard fork: where the majority of nodes have to vote for and agree on a single version of truth, and amend the ledger accordingly. Especially in a public and permissionless blockchain where anyone can join the network, this will be an extreme event. Because of this mechanism and the absence of a central authority, a hard fork cannot be forced —even by legislators. Therefore, it cannot be used as a tool for regulatory compliance or to impose legal sanctions.
Even in private permissioned blockchains, which can be selective with their nodes and retain a centralized structure, it is rather unlikely that hard forks will be used to update the blockchain in order to satisfy regulatory requests, as hard forks contradict the primary benefits of using blockchain technology in the first place.
Who to address?
When we look at the execution of Article 17 for blockchain-based DAOs, a second issue arises. When an individual wants to make a request to erase personal data from the DAO: to whom will this request be addressed? The GDPR is clear about this and points towards the data controller —a role that is not clearly determined and does not exist as a single centralized entity in blockchain networks.
As mentioned in our previous blog post, because of the design of a distributed ledger and the GDPR being shaped for centralized organizations, it is cumbersome, perhaps even impossible to determine in a DAO who the data controller is or are.
Is anonymization a solution?
A third trouble point regarding the right to erasure, is that a precise definition or procedure has not been determined. When an erasure request is made, the GDPR instructs organizations to “erase personal data without undue delay” and states that data should “no longer be processed.” The concept of erasure itself is neither defined nor limited. This does not only cause confusion to organizations trying to be GDPR-compliant.
European authorities also hold conflicting interpretations. Complete anonymization is sometimes suggested as a middle-ground alternative. In this case, however, the threshold for anonymization is very high. It is not sufficient to encrypt or hash personal data, as it is still potentially traceable. We think that coherent regulatory guidance that clearly states whether any of these techniques fulfil the standard of 'erasure' is needed.
Minimizing data on the blockchain
Having no coherent guidelines in place regarding true erasure and complete anonymization, one could ask whether a possible solution for DAOs would be to simply not include personal data at all, in order to mitigate the right to be forgotten. This, however, will be arduous, if not impossible, when humans participate in the DAO, as even public keys could be considered as personal data.
One important thing for blockchain architects to keep in mind though, is to respect the right to privacy, which is the cornerstone of the GDPR. With all the potential trouble that may come with processing personal data, we recommend that architects of DAOs adopt a privacy by design approach and limit the information that has to be stored as much as possible, especially on the blockchain.
The path forward
At this moment, application of Article 17 is quite hard for blockchain-based DAOs because it is unclear how its requirements can be met. If no adjustments will be made to these laws, we hope at least that judges hearing future cases will take into account the paradigm shift brought about by blockchains. More ambitiously, we hope regulators will adjust legal requirements to fit decentralized structures, while maintaining the GDPR’s goal of protecting people’s privacy.
[DISCLAIMER]
This article has been funded through the GenesisDAO, but is not biased towards it. This article presents our own views and was written for general information purposes only and does not constitute legal advice.