On European Data Privacy, Facebook and Blockchains
- On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) privacy safeguards go into effect. Key provisions include:
- Consent - “companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
- Breach Notification – notification is required “where a data breach is likely to ‘result in a risk for the rights and freedoms of individuals’. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, ‘without undue delay’ after first becoming aware of a data breach.”
- Right to be Forgotten – “the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”
- Last week, addressing various privacy issues (including Cambridge Analytica) on the Facebook platform, CEO Mark Zuckerberg said “Overall I think regulations like [GDPR] are very positive … We intend to make all the same controls available everywhere, not just in Europe … Is it going to be exactly the same format? Probably not. We’ll need to figure out what makes sense in different markets with different laws in different places. But let me repeat this, we’re going to make all the same controls and settings available everywhere, not just in Europe.”
- Separately, Jerry Brito, executive director of Coin Center, an industry trade group, said in a blog post, “the GDPR presumes that there will be central intermediaries that can ‘erase’ information, but the world is trending toward ever more decentralized and immutable technologies.
- "While firms may alter their behavior to comply with the new law, decentralized networks are global and unowned and won’t change.
- "The result of the law, then, may be that Europe is closing itself off from the future of the Internet to its detriment.”
- Regarding the impact of the General Data Protection Regulation – It is important to understand that while the GDPR is an EU initiative, it applies to any organization, wherever it is located, that processes the personal data of people in the EU. As a result, the GDPR will have a global impact.
- Regarding Facebook – The firm's track record regarding user data is mixed at best, and GDPR compliance may help repair its battered reputation. Notably, organizations that do not comply with the GDPR 72-hour data breach notification rule (the list of organizations that delayed disclosure in recent years is long) can be fined up to 2 percent of global annual turnover or €10 million, whichever is higher; the most serious infringements, such as violating the basic processing principles or data subjects' rights, carry fines of up to 4 percent of global annual turnover or €20 million, whichever is higher. For Facebook, 4 percent is about $1.6 billion.
- Regarding Blockchains – While Jerry Brito suggests that “Europe is closing itself off from the future of the Internet to its detriment”, 1) the GDPR may apply differently to public and private (permissioned) blockchains, since the latter have identifiable operators who can act as data controllers, and 2) a mix of adapting blockchain technology (for example, keeping personal data off-chain and recording only a hash or pointer on-chain, so the off-chain record can still be erased) and developing appropriate agreements between blockchain users and blockchain service providers may address GDPR compliance.