GDPR Is Growing: How Will Blockchains Handle Privacy Regulations?

Jul 10, 2019, 12:43PM
4 min, 42 sec READ

Privacy regulations such as GDPR could affect blockchain and cryptocurrency platforms. How are blockchain projects adapting to this new force?

Privacy is one of the most basic features that cryptocurrency and blockchain have to offer. Yet, at the same time, blockchain technology exists alongside more general privacy regulations, which also aim to protect the rights of Internet users. The E.U.'s GDPR rules are perhaps the most widely observed privacy regulations, but similar regulations are beginning to take shape elsewhere. Here's what some of the biggest blockchain projects have to say about GDPR and other privacy regulations.

Blockchain vs. GDPR Privacy

First, let's compare both privacy models. Bitcoin and other blockchains offer virtually untraceable transactions, as they don't record information that could identify you. However, Bitcoin does make some data public: its transaction data is stored on an immutable, transparent ledger that anyone can view at any time. Usually, this doesn't compromise user privacy, because it doesn't involve personal data.

This privacy model is largely at odds with privacy regulations. That's because privacy regulations deal with personal data that is already being collected. Websites and advertisers are very interested in collecting and monetizing user data, and GDPR regulations prevent this from happening without user consent. GDPR rules basically ask users to agree to share personal data, whereas Bitcoin never deals with personal data to begin with.

GDPR rules also give users the "right to be forgotten," or a right to request data erasure, which may at first seem incompatible with blockchain's permanent, immutable ledgers. The reality is much more complicated, but, in any case, several blockchain companies are taking an interest in these matters.


Brave is one of the most vocal GDPR proponents in the blockchain sector. This June, Johnny Ryan of Brave visited the U.S. Senate to advocate for American regulations that resemble GDPR. Ryan also discussed how existing privacy regulations might be enforced more effectively. Brave's pro-GDPR efforts have been ongoing since last fall, and this has made Brave popular with Internet users who are skeptical of big data companies such as Google and Facebook.

Brave is also well-known for its web browser and user reward program, which uses blockchain to ensure that its advertising partners do not violate user privacy. Brave additionally distributes its own cryptocurrency as a reward to users who view its approved advertisements. It is not clear how Brave would operate under the U.S.-based privacy regulations that it has advocated for, but suffice to say, those regulations are entirely in line with its business model.


IOTA, meanwhile, has attempted to distinguish its privacy model from GDPR regulations. Koen Maris of IOTA argues that GDPR merely allows users to give full control of their data to third parties (or opt out altogether). IOTA, by contrast, is designed to give users the ability to manage and monetize their own data on their own terms. IOTA co-founder David Sønstebø has made similar comments elsewhere, noting that IOTA "wants to give users complete control over their own data."

It should be noted that IOTA isn't just aiming to handle financial transactions: it is designed with IoT devices in mind, which makes its privacy model particularly important. For example, IOTA could be used to handle very personal information, such as medical data that has been gathered from wearable tech. It's not clear if IOTA's plans will meet regulatory standards, but the project is clearly trying to achieve this.


Zcash is a privacy coin that has attempted to explicitly comply with GDPR regulations. Zcash offers "shielded addresses," which means that it reveals almost no information―even less than Bitcoin does. Zcash describes itself as "GDPR-compliant by default," and it has commissioned a report to back up that claim. As such, Zcash's privacy model could provide a template for other crypto projects that need to comply with privacy regulations.


Enterprise blockchains like Hyperledger are specially designed to handle commercial and financial data. This data is not public, but it is stored on an immutable ledger, and these facts must be reconciled with the GDPR's "right to be forgotten." Brian Behlendorf of Hyperledger has discussed one possible solution: by storing data off-chain while verifying data on-chain, enterprise blockchains could erase user data on request. Other enterprise chains are reportedly taking a similar approach.


Ethereum has not taken a stance on GDPR regulations, but its creator, Vitalik Buterin, has made his opinions known. Buterin argues that regulations make control of user data a liability. He suggests that this will possibly incentivize developers to relinquish control of their platforms to their users. This means that privacy regulations could inadvertently promote decentralized blockchains like Bitcoin and Ethereum, which have no central authority, even though this is not the intent of regulators.

Buterin's views roughly describe Ethereum in practice. The Ethereum blockchain is unaffected by regulations because nobody can stop its decentralized network from performing transactions. However, the services that are being built around Ethereum are treading very carefully. For example, a specialized Ethereum wallet from Parity was discontinued last year due to GDPR complications. In other words, Ethereum is going strong, while small parts of its expansive ecosystem are bowing to pressure.


Most privacy regulations take a paternalistic, top-down approach to user privacy. This is largely at odds with most blockchains, which have privacy built in as a fundamental feature. However, both approaches may be appropriate at different times, and several blockchain projects are considering how those differences can be handled. As GDPR and other privacy regulations become more widely observed, it is likely that many other blockchain projects will weigh in with an opinion.

Disclaimer: information contained herein is provided without considering your personal circumstances, therefore should not be construed as financial advice, investment recommendation or an offer of, or solicitation for, any transactions in cryptocurrencies.