Gyula Pal from IBM Blockchain argues that the EU’s General Data Protection Regulation is short-sighted in not carving out an exception for blockchains — and that this is a symptom of government’s fundamental incompetence with new technologies, as they can only look backwards:

Without regulators learning the technology behind blockchain, GDPR will only be a victim of its own intent. Once this is changed, not only will blockchains not be blocked by GDPR but effective food safety, carbon cap and trade, and a transparent jewellery supply chain, will be regulations that can be effectively enforced, collectively marking the beginning of the era of proactive regulations.

Of course, all of these use cases are prospective IBM marketing pitches — and none of them somehow require the database to be a permissioned blockchain, rather than a database with some other architecture.

(I’m pretty sure that if the authors of the GDPR did understand blockchains, they’d be delighted to have drafted the antidote.)

But what specifically is Pal asking for?

What is a “blockchain”? It’s whatever I’m selling

“Blockchain” is a buzzword — it has no specific, agreed-upon meaning. There’s a spectrum from Bitcoin-style cryptocurrencies to literally just the Merkle tree, as in Estonia’s KSI Blockchain — which was only renamed “Blockchain” for marketing purposes.

You get bad legislative attempts to define “blockchain” or “distributed ledger technology” — and the EU has one in the works — but I’ve yet to see a legal definition of “blockchain” that would include the things sold as “permissioned blockchain,” but wouldn’t also include any Git repository.

This is because the actual meaning of “blockchain” isn’t a specific technology — it’s the hype around a particular set of unrealistic promises:

totally decentralised, with no central controller!

immune to bad actors!

the blockchain is immutable and incorruptible!

money and data can flow instantly and internationally for near-free!

secured by math — unbreakable!

The promises were originally made for Bitcoin — which had failed most of them by 2014 — and then lifted wholesale to try to market very un-magical and mundane Merkle trees to business. The product is the hype itself.

IBM’s “blockchain” products are distributed databases with centrally-administered access, whose architecture is that the nodes send each other their write-ahead logs in a format that uses a Merkle tree.

That is — Pal is arguing for special treatment for distributed databases, as long as they use a particular data structure to communicate between nodes.

I think this is unlikely to fly with the EU.

Special pleading, on the blockchain

Pal’s post is generic business special pleading. But I’d have expected IBM to be better at it than this.

(I suspect the post is at least partly intended for internal consumption. IBM’s having a hard time coming up with real-world production uses for Hyperledger, despite a couple of years’ vendor-subsidised pilot programmes intended for press releases — per chapter 11 of the book, IBM is responsible for quite a lot of business blockchain press articles.)

There were a fair few pleas for special treatment for blockchains in the last few months before the GDPR kicked in — arguing that this business innovation was so very important, and had such huge potential, that the EU should definitely consider workarounds for them personally.

But there’s no way the legislators were going to give a hoot at that late stage.

I can understand businesses not quite getting around to starting the hard work until the last moment — but how did blockchain people miss an existential threat like this for two years? Did they think the EU wasn’t serious?

Cambridge Analytica, on the blockchain

The GDPR is antimatter to a lot of blockchain use cases — specifically, the ones that first assume a complete surveillance panopticon.

IBM has a few of these. Their pitch is “self-sovereign identity.” IBM really, really want to sell this to you. And Pal thinks the GDPR makes this impossible.

But — what does a blockchain get you that you don’t get with a perfectly ordinary database, like IBM has sold for all manner of administration of people’s personal data for a century or more?

Any data aggregation containing personal data — an even wider category than Personally Identifiable Information (PII) — must be redactable.



A permissioned blockchain offers no new integrity guarantees over just putting a plain data dump in a tamper-evident Merkle tree. Whoever controls the permissions, controls the database — and has GDPR responsibility. You’re just making it ridiculously harder to perform legally-obliged redaction.

No business wants the phrase “Cambridge Analytica, but on the blockchain” next to their name.

Personal data in a proof-of-work blockchain — that’d be flat-out insane. If you knowingly and deliberately put personal data into a blockchain that you literally don’t control, your next question will be whether 20m EUR or 4% of your global turnover is greater than the cost of running a 51% attack.

Of course, some people — such as the UN’s World Food Programme! — still think doing that is a great idea.

What to do: don’t be silly

Dealing with the GDPR is not onerous — unless your business model is to abuse people’s personal information … or you were silly enough to put personal data into an append-only ledger.

There’s no GDPR police looking to catch you out. Certainly for the next few years — until everyone gets a handle on best practices — you’ll get points for sincere effort.

But, just to restate the obvious — DON’T PUT PERSONAL DATA INTO AN APPEND-ONLY LEDGER.

You wouldn’t check personal data into a Git repository and expect redaction to be easy — have you ever had to remove a binary blob from a Git repo? Tedious, wasn’t it? — so don’t even think of doing it with a blockchain.

Anyone trying to sell you a blockchain for personal data is a charlatan, and thoroughly deserves to have their business model broken.