2018 April 16 - Volume.2 Issue.15

Goto Previous Issue - Next Issue

2018 April 16 - Volume.2 Issue.15

Goto Previous Issue - Next Issue

Hyperledger, R3 Remain Sober on GDPR Implications

While users of public Blockchains will have to beware of their own footing regarding their personal information, upcoming EU General Data Protection Regulation (GDPR) has complicated matters slightly for enterprise blockchains in order to be compliant. Speaking to Diar, Hyperledger Executive Director Brian Behlendorf remains calm about the EU framework as agreements between validating participants to amend the ledger in extreme circumstances could potentially address any grey areas, should concerns arise. (Jump to GDPR Primer)

Enterprise blockchains are soon to be entering unchartered waters with the EU General Data Protection Regulation (GDPR) that will take full effect on May 25. Whilst subtle, there are key differences between how the US and EU describe personal information (see table). But as with any new laws without previous precedent, technical details remain up for interpretation on what constitutes personal information that could ultimately lead back to an individual, and what can be stored.


There are opposing views on whether or not public keys constitute personal information, or would be exempt under the regulations rules as it would be part of transactional data. Mr Behlendorf tells Diar that “the point of a public key is to intentionally share it so other participants can verify the signature. There isn’t something that it reveals about person unlike other Personally Identifiable Information (PII) like IP addresses.”

Michèle Finck, an EU law lecturer at the University of Oxford believes otherwise however –  the purpose of public keys is to identify the author of the transaction, it is reasonable to think that reusable public keys will qualify as personal data.

The same view was reiterated by former R3 Director of Market Research Tim Swanson, now Post Oak Labs, who spoke to Diar. Mr Swanson said that “from a theoretical and academic standpoint, it makes sense that public keys could be personal data because they are connected to specific persons. Therefore, they can violate GDPR. However, this has not been tested in court yet so there is no concrete answer.”

Ultimately, the new regulations lead to the question on whether or not immutable blockchains could actually function without violating EU rules. Washington-based Blockchain and digital assets advocates Coin Center think not. GDPR is fundamentally “incompatible with the reality of open blockchain networks” and suggested that if blockchain is not exempt, “Europe is closing itself off from the future of the Internet.”


Mr Behlendorf believes “there is going to be a period of time after the launch of the GDPR when some of these questions about what specifically it applies to will get addressed. You wouldn’t want to store PII such as medical information into ledger even in encrypted form because the landscape of what’s decryptable will change throughout the lifetime of these blockchains. We will need to wait on the regulatory bodies to weigh in.”

And as noted by Mr Swanson “Blockchain enterprise platforms always try to be compliant because otherwise they would never actually be used. If the blockchain platforms get implemented, it is only with the approval of the customers that will ultimately use the blockchain.”

It then falls on the consortia that are currently building enterprise geared Blockchains to address the issues. And while the answers aren’t clear, there are some ideas on the drawing board.


In current conditions, the enterprise blockchain solutions that want to comply with the GDPR will have to be either mutable by consensus or mutable by a central administrator. Personal data can be deleted retrospectively if an individual exercises their right to be forgotten. This could ultimately lead to more centralization and begs the question whether a mutable blockchain is not just a database.

However, Mr Behlendorf suggested another potential method that Hyperledger may explore.  “Instead of actually erasing the data from the blockchain, it might be possible to have a legal agreement between all the participants of the permissioned blockchain, in which everyone agrees that if one participant tells the rest to “forget” the data, the rest will be legally obliged to never export the data, never use it or render it in any end user interface. Even though the data will still be there.” Whether or not regulators would be appeased by such a method is to be established.

Accenture seems to be have taken a different, more direct approach. Last year the company filed a patent for an editable blockchain that can be changed or deleted by a central administrator under extraordinary circumstances. Whether or not an editable blockchain would effectively mean the equivalent of a shared database as it strips immutability as a key feature, Accenture said that the solution would “allow enterprises to resolve human errors, accommodate legal and regulatory requirements, and address mischief and other issues, while preserving key cryptographic features.” Accenture says since GDPR requires personal data to be redactable, its solution will be one of the few to be compatible.

And Neepa Patel, R3 Chief Compliance Officer, told Diar that “transaction information begins from a point to point communication system instead of from a public broadcast model, so there is less data propagation, pseudonymous or not. Pseudonymization techniques are inherently built into the platform. Corda is currently exploring sophisticated anonymization techniques to comply with the “right to be forgotten” – a challenge faced by all blockchains.”

Ethereum Enterprise Alliance may potentially have more of a problem as their platform will be built on an immutable ledger. The foundation did not respond to our request for comment.

GDPR’s main intention was to protect citizens against centralized services controlling personal data. It hasn’t taken blockchain into account, which can actually give people more control about their own data; especially through self-sovereign identity which would store data at source rather than aggregate it and keep in big datasets. It is unlikely that the EU will exempt blockchain from GDPR but certain aspects have yet to been clearly defined by the regulators. And just lurking behind GDPR are extensions to the law, the ePrivacy Regulations that looks to address confidentiality of communications. Whether or not the EU can creep in amendments to satisfy Blockchain as part of open internet services and applications leaves the window cracked open – even if ever so slightly.

US versus EU Definitions on Personal Data

[wpdatatable id=98]

Hyperledger - Brian Behlendorf’s Course of Action

1. When designing a blockchain solution, it’s wise to minimize if not eliminate the amount of PII stored in a ledger.

2. Let’s pursue self sovereign identity, through which we can actually implement what the GDPR suggests we do, which is store data at source rather than aggregate it and keep in big datasets.

3. Work with regulators to meet us halfway and allow us to demonstrate that data can be kept around in the ledger to keep around to verify the integrity of the ledger. But it will require the industry to demonstrate good faith and do the right thing

Onus on Blockchain or Regulators?

“Some blockchains, as currently designed, are incompatible with the GDPR. EU regulators, will need to decide whether the technology must be barred from the region or reconfigure the new rules to permit an uneasy coexistence.”

Michèle Finck, EU Law, University of Oxford

“Financial institutions will have to go through a careful audit process, which is why it has taken so long to implement these solutions. Therefore I think that the likelihood of lawsuits is small because banks will not use a system that is not found to be compliant with GDPR. Various banks and regulators will likely want to have the ability to delete the information because of the right to be forgotten.”

Tim Swanson, Post Oak Labs

“Just like you can’t tell a person to forget a specific piece of information, you shouldn’t be able to go back and delete something from a blockchain because otherwise, the immutability of a blockchain will not be preserved. The immutability has so many other advantages to it that going back and deleting the data should only be done as a last resort.”

Brian Behlendorf’, Executive Director, Hyperledger

EU General Data Protection Regulation Primer
The General Data Protection Regulation (GDPR), a European Union (EU) privacy protection regulation, will come into effect and become enforceable on May 25th. The aim of the GDPR is to “protect all EU citizens from privacy and data breaches”. It will replace the Data Protection Directive, which came into force in 1995. Unlike a directive, regulation doesn’t require national governments to implement it and therefore GDPR is directly binding and applicable in its entirety across the EU.

Any organization handling personal data of any EU citizen (called data subjects) must comply with the GDPR, which means that the regulation also applies to organizations located outside of the EU as long as they are handling personal data of EU data subjects. Personal data is as any information that can be used to directly or indirectly identify the person (name, photo, email address, bank details, IP address etc.). Individuals whose personal data potentially leaves the EU can only be made with the individual’s informed consent and it’s possible to opt out.

The GDPR provides a tool for gaining control of one's personal data through three fundamental rights for citizens - a right to access one’s data (data portability), a right to know when one's data has been hacked and a right to erasure (right to be forgotten).

The right to access one’s data will result in individuals having more information about how their data is processed. It will also protect users from having their data stored in closed platforms by allowing to download the data in an interoperable format making it easier to switch between different service providers.

The right to know when one's data has been hacked mandates organization to notify the data protection authority (DPA) and affected individuals within 72 hours of the data breach which puts individuals at risk.

The right to erasure says that when an individual no longer wants their data stored and when there are no legitimate grounds for retaining it (such as compliance with a legal obligation), the organization will have to respond or erase the data within one month.

GDPR really becomes an issue for enterprise blockchains as it’s the responsibility of organization that is deploying it and thus must comply with regulations. If it is found to breach the GDPR, it can be fined up to 4% of annual global turnover or up to €20Mn, whichever is higher.

EU Looks to Counter Balance Silicon Valley with Blockchain Funding

22 European Union (EU) member states gathered in Brussels last week signing a partnership agreement that would see €300Mn being invested into decentralized projects after having already invested €80Mn under the banner of what the block has dubbed as the “Digital Single Market.” The funding, aimed at addressing key areas of interest, have seemingly also been a bane to European regulator’s past.

While “Blockchain” has become a grand buzzword to throw around as the all-mighty answer to everything that is wrong in the world, the EU has narrowed down their outlook on potential use cases looking to address at least their own concerns.

With €300Mn up for grabs, the EU plans to fund decentralized projects that seek to provide social benefits from harnessing democratic participation and health record management, to everyday use technologies (see table).

But the European Commission, short of pointing fingers, also seems to have a clear target in mind stating that “social networks, search engines and clouds” have become highly centralized services that expose “personal data to potential commercial and political misuse by the owners of the platforms.”

Their fears are with precedent. European regulators have been imposing hefty fines on major US tech companies for antitrust breaches for quite some time – and investigation are on the rise (see table, chart). But large fines as may be, they merely represent a rounding error on the company’s books. As a potential counter balance to the thrones of Silicon Valley, the EU is backing decentralized applications that could minimize the opportunity for abuse and the tight-noose around benchmark applications.

And it is seemingly a timely proposition following Facebook’s user data ending up at the behest of Cambridge Analytica – which the EU is currently investigating, and have requested CEO Mark Zuckerberg appear in front of the European Parliament for a second round of grilling after the US Senate last week.


With EU General Data Protection Regulation (GDPR) coming into full effect May-End, and lurking close behind, the amendment ePrivacy Regulations, the use of immutable distributed ledgers becomes a bit of perplexing tool to wish as a fallback option as the platforms would require – effectively – a centralized point of accountability for people to exercise the right to be forgotten and delete all traces of their activities on any platform (see story above).


While other European Blockchain initiatives are looking into the financial sector, they merely scratch the surface on the real-time potential of transparency using Blockchain, and focus on cross-border payments – something that, at least within the EU, has picked-up speed sans Blockchain with the launch of SEPA Credit Transfer Instant (SCT Inst) end of 2017 (Diar, 27 November 2017).

Little to no attention has been given to banking compliance who has seen US & EU fines skyrocket in recent years and estimated to hit a cool $400Bn by 2020 according to financial consulting firm Quinlan and Associates, dwarfing any infractions by tech companies.

[wpdatatable id=100]

EU Fines For Anti-Trust, Fair Trade Violations

[wpdatatable id=101]

EU Investigations on US Tech Companies

Global Lenders Payout $321Bn In Penalties Since 2009 (Bn USD)

Source: Bloomberg, BCG

Samsung Confirms ASIC Chip Production for Mining Hardware

Samsung has confirmed in January that it has started to manufacture ASIC chips used for mining. Supposedly, it has been confirmed that Samsung is producing the ASIC chips for Halong Mining’s hardware. Halong Mining is a new entrant on the ASIC hardware market, which has been dominated by Bitmain. Canaan is also a relatively new player on the market (see table). Both Bitmain and Canaan use Taiwanese-based TSMC chips in their mining hardware.

Halong Mining has been criticized for the lack of transparency and even accused to be a scam - most prominently by Cobra, a co-owner of bitcoin.org who has since apologized to Halong for being wrong. Halong’s mining hardware is supposed to be ”the world’s most efficient Bitcoin miner”. Indeed, the early tests proved that the hardware was able to reach close to 16 TH/s, which 2 TH/s than Bitmain’s most powerful mining hardware. On the other hand, Halong also consumes more energy and the retail price is more than $200 higher.

[wpdatatable id=102]

Antminer Revenues Fall to 1-Year Low (USD)

Mo' Power, Mo' Money - Hashpower Growth, BTC Revenue Decline

Stock Exchanges Start Eying Cryptocurrency Operations

Sowa Labs, a fintech subsidiary of Börse Stuttgart, announced that it will launch a cryptocurrency trading app dubbed Bison. The trading app will support bitcoin, ether, litecoin, and ripple and is planned to be released in September 2018. Sowa Labs initially specialized in predictive real-time data analytics of financial markets but since being acquired by Börse Stuttgart in December 2017 has since focused on development of the cryptocurrency trading app.

Similarly to Robinhood in the United States, Bison will offer crypto trading without any fees. Ulli Spankowski, Managing Director of Sowa Labs, said that “cryptocurrency wallets are not needed", which points to being an IOU brokerage, just as Robinhood, as opposed to a full cryptocurrency exchange. At first, the app will only be available in Germany but support for the rest of the European Union is expected at a later date as well.

Mr Spankowski reiterated that Bison will become the first cryptocurrency trading app owned by a traditional stock exchange. While true, just last month, TMX Group, a company that operates the Toronto Stock Exchange, announced that its subsidiary will be launching a cryptocurrency brokerage. The company will launch the brokerage desk in Q2 of 2018 and it will only support bitcoin and ether at first. And while not acquired, an honorable mention goes to the New York Stock Exchange who has invested in Coinbase.

Bloom Rolls Out Next Phase of Platform on Testnet

Bloom, a project that looks to counter the monopoly of FICO, has released their latest version on the Ethereum Testnet last week. Users will now be able to sign-up and create a BloomID, a verified identity on the blockchain.

The latest release sets up the opportunity for  further development in the whole ecosystem, and integrating dApps. And more importantly, the company is now a phase-shy of credit scoring and loan applications.

Bloom has developed several partnerships to build into their platform as a one-stop shop for what the ambitious project aims to achieve - a decentralized cross-border credit platform. But any success for loans would currently also require the implementation of tying in a stablecoin, which this publication understands will be Maker's Dai.

[wpdatatable id=103]

Coinbase Acquires Browser Competitor
Coinbase announced the merger of ethereum browser Cipher last week as part of one of the company's expansion phases providing a client-facing platform. But with little adoption of any deployed dApps on Cipher, and Coinbase's own Toshi, it seems more of a head-hunting opportunity, rather than competition knock-out.
Digital Currency Group Backs Carbon
The giant blockchain investor has now backed its second stablecoin, Carbon. The company raised $2Mn in a seed round and now eyes a piece of they stablecoin pie against Marker's Dai and Basecoin – the later also being backed by Digital Currency Group. As with all stablecoins projects currently, they aim to be US Dollar pegged.
Santander Goes Live with Ripple's xCurrent Solution
A win for Ripple as there blockchain software xCurrent goes live with a major bank. The announcement by Spanish Banking group Santander last week brings instant cross-border settlement through a new service they've dubbed as "Santander One Pay FX". The platform will be available in Spain, the UK, Brazil and Poland.
Exchange OKEx Follows Binance into Malta
Hong Kong based cryptocurrency exchange OKEx, whose volumes are close to $1Bn on any given day, announced its move to Malta following Binance's footsteps. The move is most likely to bring the potential of fiat trading pairs into the mix, as it only trades crypto pairs to date. Malta is also examining a new ICO framework.

Receive Diar Every Monday – The Digital Assets & Regulation Trade Publication

Something went wrong. Please check your entries and try again.


Disclaimer: Unless otherwise specified, the content of the articles published on www.diar.co constitutes intellectual property of Diar Ltd and may not be reproduced or republished in whole or in part without prior written consent. The information contained in the articles published on www.diar.co does not in any way constitute financial or investor advice and is only intended for informative purposes. Readers may not rely on such information to decide on investment or financing options or otherwise rely on such information in making decisions with monetary or financial effects. Diar Ltd does not accept any liability of any kind with regards to the validity of the information or with regards to any damage suffered as a result of reliance on such information. © 2018 Diar Ltd. Contact: newsdesk@diar.co