The ICO train isn’t showing any sign of reaching its last stop just yet. We’re only five months into 2018, but an already staggering $6 billion has been raised across 195 crowd-sales (including pre-sales, private pre-sales, and other convoluted processes). For reference, the entirety of 2017 saw 210, with the (considerably smaller) grand total of $3.8 billion raised.
In the midst of the hype, many seem to forget the massive change that European privacy laws are undergoing: the General Data Protection Regulation (or GDPR), set to come into force on May 25th, aims to assert the rights of individuals over their own data. Specifically, it takes aim at organisations storing sensitive information belonging to their users. Failure to comply comes with steep sanctions, with companies being fined €20 million (or 4% of their annual turnover, if it exceeds this).
Under GDPR, consumers have a much greater degree of sovereignty over their data. The legislation demands not only that companies ensure users' data is kept secure in an adequate manner, but that they also adhere to the ‘right to be forgotten’ — the principle that allows an individual to request the erasure of their information from a business’s database.
Outside of the blockchain space, multiple companies have ceased offering their services to EU-based customers, citing the overbearing GDPR as the key cause. Key companies include MMORPG Ragnarok Online, mobile marketing platform Verve and consultancy firm Brent Ozar.
What about blockchain technology?
Do you know what isn’t compatible with privacy and deletion of data? Public and immutable ledgers. Arguably one of the most important qualities of blockchain technology is censorship resistance. It doesn’t matter which government or organization attempts to seize control: until a Sybil attack (a task requiring possession of the majority of nodes) can be engineered, there is simply no way of censoring a truly distributed network. Considering most nodes can be set up on a Raspberry Pi in well under an hour, it's widely accepted that such a feat is impossible.
The rules set out by GDPR apply to any organization dealing with user data. Where blockchain platforms fit into this is unclear. Despite being an incredibly relevant piece of legislation (mitigating the risks of increasingly prevalent data breaches), no guidance has been issued on dealing with public ledgers — it’s clear that it was drafted to address the current centralized structure seen across companies today. Some believe that blockchain technology should be exempted altogether.
There are several questions to ask here. Firstly, what constitutes user data? Pseudonymity has always been inherent to blockchain transactions. Whilst it’s unlikely that something like Bitcoin transactions would be on the radar because of this (who picks up the fines? Mining pools? Core devs? Node-running users?), second-generation blockchains may face more friction: take the wildly popular Ethereum, which forms the basis for the vast majority of projects in the crypto-space nowadays.
It’s fair to say that this majority has overlooked some of the core concepts of decentralization: there’s an increased number of protocols that trade off traditional consensus for some form of trusted setup. It’s rare nowadays to find a project coined by an anonymous team — just try and find a whitepaper released in the past few months that doesn’t credit a CEO or outline a significant portion of the total supply of tokens to be distributed amongst the founders (or for future improvements to the network).
In the same vein, many ICOs now require registration with some form of know-your-customer (KYC). Again, we can only speculate as to how GDPR will affect blockchain platforms, but it's likely the scrutiny will be focused on publicly-known teams with controlling interests. What we have now is no longer true decentralization, but a hybridized approach that fuses distributed networks with centralized bodies.
It could be that no issues arise from companies using blockchain tech. It's not like directly storing files on a distributed ledger is economically feasible anyway. Remember that in 2016, when a single ether was still valued in double-digit dollars, appending one gigabyte of data to Ethereum's chain came with a cost of roughly $76,000. The more likely scenario is that companies will use off-chain storage and store hashes on their ledger of choice.
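The off-chain pattern described above, as an added Python example (not code from this article or from any project it mentions). The `Ledger` and `OffChainStore` classes, the per-record random key and the sample e-mail address are constructed for illustration; the key is an assumption made here because a plain hash of a guessable value, such as an e-mail address, can be matched by anyone who hashes candidate values.

```python
import hashlib
import hmac
import secrets

class Ledger:
    """Stand-in for a public chain: entries are appended, never edited or removed."""
    def __init__(self):
        self._entries = []
    def append(self, commitment: str) -> int:
        self._entries.append(commitment)
        return len(self._entries) - 1
    def read(self, index: int) -> str:
        return self._entries[index]

class OffChainStore:
    """Ordinary mutable database: holds the personal data and a per-record key."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records = {}  # user_id -> (data, key, ledger index)

    def register(self, user_id: str, data: bytes) -> int:
        key = secrets.token_bytes(32)  # assumption: random key kept off-chain only
        commitment = hmac.new(key, data, hashlib.sha256).hexdigest()
        index = self.ledger.append(commitment)
        self.records[user_id] = (data, key, index)
        return index

    def verify(self, user_id: str) -> bool:
        """Recompute the commitment and compare it with the ledger entry."""
        if user_id not in self.records:
            return False
        data, key, index = self.records[user_id]
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.ledger.read(index))

    def erase(self, user_id: str) -> None:
        """Erasure request: delete data and key. The ledger entry stays put."""
        self.records.pop(user_id, None)

def plain_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_candidate(onchain: str, candidates) -> bool:
    """True if hashing any candidate value reproduces the on-chain entry."""
    return any(hmac.compare_digest(plain_hash(c), onchain) for c in candidates)

if __name__ == "__main__":
    ledger = Ledger()
    store = OffChainStore(ledger)
    i = store.register("user-1", b"alice@example.com")  # constructed sample value
    store.erase("user-1")
    print(ledger.read(i), store.verify("user-1"))
```

After `erase`, the ledger still holds the commitment, but the data and key needed to tie it to a person are gone from the off-chain store; an entry written with `plain_hash` alone would stay matchable by anyone who guesses the input.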
Only time will tell how this plays out. We'll undoubtedly keep you posted on developments after the compliance deadline has passed and the EU begins to target offenders. Here is a parting thought: can fines be paid in utility tokens?
Law graduate and crypto journalist.