The GDPR blockchain blind-spot: Regulating data and everything else

The apparent incompatibility of blockchain technology with the General Data Protection Regulation (GDPR) marks the entry into the age of post-industrial proactive regulation, which some identify with the age of Web 3.0.

On May 25 of this year, the ground-breaking data privacy regulation of GDPR came into effect. While it is an important step in the direction of regarding data not just as a resource (“data is the new oil”, anyone?), but as something intrinsically linked to its subjects, the regulation falls spectacularly short of capturing the reality it wants to regulate.

The limitations of GDPR have been noted by Anne Toth, Head of Data Policy for the World Economic Forum, a think tank responsible for organizing the annual gathering of world leaders at Davos. She discusses the contradiction between GDPR and blockchain, and identifies a blind spot of policy-makers when it comes to understanding how the new regulation will affect a technology that “exploded into public consciousness” while “European policymakers were debating and finalizing aspects of GDPR.”

She identifies the root cause of this problem as the general phenomenon in which “regulation is addressing a problem in the rear-view mirror rather than looking at the road ahead.”

You may think this is nothing new. After all, many people believe we are unable to regulate the complex systems that surround us. Harvard historian Niall Ferguson goes as far as to make the point that, instead of preserving our civilization (and I would add our planet), the explosion of regulation contributes to its degeneration.

Anne Toth, as previously mentioned, concludes that “policy needs to be as flexible as technology” and calls for a “layered and cooperative approach to policy making.” While I agree with her that GDPR wouldn’t be the same if the regulator understood blockchain technologies, I think there is a deeper cause for this recurrent failure of regulatory policies to address the complex reality they intend to regulate.

I don’t believe the reason is simply that regulation is progressing slower than technology. This is certainly part of it, but I think it is a way of looking at technologies simply as previous rather than latest, so that the only thing we need to make sure of is that we fix the inclusiveness of the policy-making process to be more reactive to technology changes. I think the key is a better understanding of technologies as language (our first social technology after all), as mediators of our understanding of the world. Only this approach could create a proactive regulation, the only regulation we know works, the regulation we find within the natural world. After all, we would not survive if our bodies didn’t regulate our body temperature!

Tech philosophers Mark Coeckelbergh and Wessel Reijers conceptualized the theory of narrative technologies that comes to our rescue. They say that “not only do humans make sense of technologies by means of narratives but technologies themselves co-constitute narratives and our understanding of these narratives.”

Based on this theory, the regulation of data as a resource reflects the narrative of the Industrial Age, where the industrial ensembles, through the organizations that control them, are trying to unilaterally determine what a resource is and how it is processed and controlled. As mentioned in the linked article above, consider the case of the emerging data giants of the Web 2.0 age, who are effectively data monetization machines. This technology is narratively inflexible, generating passive-abstracting narratives leading to similarly inflexible and reactive attempts to regulate it. Hence the terminology of GDPR, which appears to be reminiscent of the Industrial Age: data processors, data controllers and others.

But as Anne Toth has correctly identified, blockchain technologies are generating flexible, pro-active (or active-abstracting) narratives. The data is not simply a resource anymore, but something that is organic to an individual, an organization or a community.

Therefore, the conceptualization of data privacy looks different when we factor in the existence of technologies that make every data movement consensual as opposed to unilateral. For example, is a digital picture that I send to you regulated by our consensus or by your unilateral decision (to send it to a third party)?

Thus, blockchains make it possible for data to never really detach from the person and make sure the data is always used for a pre-defined purpose. This is the idea behind the self-sovereign identity, the new trust economy enabled by blockchains.

Without regulators learning the technology behind blockchain, GDPR will only be a victim of its own intent. Once this is changed, not only will blockchains not be blocked by GDPR, but effective food safety, carbon cap and trade, and a transparent jewellery supply chain will be regulations that can be effectively enforced, collectively marking the beginning of the era of proactive regulations.