Why I Love this Video
Any video that explains boring legal issues in an easily digestible way with graphics and animations deserves a shoutout. Simply Explained is one of my favorite YouTube channels. They have some great videos that explain potentially complex technology topics. I recently found a video on the channel that covers the tricky topic of the European Union’s General Data Protection Regulation (GDPR).
In the U.S., privacy laws tend to be very domain specific. For example, among other laws, there are very specific privacy rules regarding health information (HIPAA) and rules protecting the information of children online (COPPA). The result is that in a given specific situation the rules may be very clear, but there is no general overarching rule set that dictates rights and responsibilities. In Europe the trend is toward the opposite approach. The GDPR defines rights for all those who are subject to the law, and it is up to each industry to interpret how those general rules apply to its specific situation.
Blockchains have some interesting characteristics that bring GDPR rules into play for any company in the world using them.
- Data Processing in Europe: Because blockchain data is processed by miners all around the world, any given blockchain application is likely processing data in the E.U. even if all developers and users of the application are outside of the E.U.
- Potential Conflict with Right to be Forgotten: Art. 17 of the GDPR provides data subjects with the right to have their data erased. This is a potentially big problem for blockchain data.
Where the Video is Incorrect
This video addresses the issues above and more. One part of the video I take issue with is that the video makes it sound like GDPR only applies to the personal data of E.U. citizens. This is a very poor interpretation of the regulation. The GDPR does not say that it protects the data of E.U. citizens. Rather, it protects the personal data of E.U. “Data Subjects” which is not the same thing. Here are two examples of situations where GDPR might apply that you may not expect if you think it only applies to E.U. citizens:
- Personal data stored or processed in the E.U.: So if you had a server physically located in the E.U. that contained data of only U.S. citizens, the GDPR would likely still apply.
- Personal data of people who have citizenship or permanent residency in an E.U. country: So if an E.U. citizen is traveling to the U.S. and provides their data to a U.S. company, that data may be subject to the GDPR.
Potential Penalties and Legal Risk
If you’re building a blockchain application and plan to deploy it to the world, you should definitely consult with an attorney who is familiar with the GDPR before that deployment. Penalties for violation of the GDPR are potentially €20 million or 4% of global revenue, whichever number is higher. Those are some scary numbers for any business.