The European Union (EU) has signalled its strong interest in protecting the personal data of its citizens by passing one of the strongest personal data protection regulations in the world, which will complement the EU's existing code of online rights. The reform is, at least in part, a response to a survey in which nine out of ten Europeans expressed concern about mobile apps collecting their data without their consent, and seven out of ten said they worry about how companies may use the information disclosed to them.

On April 27, 2016, the EU adopted, as part of its data protection reform package, the General Data Protection Regulation (GDPR), with the intent of giving citizens control over their personal data and simplifying the regulatory environment for international business through uniform rules. The GDPR takes effect on May 25, 2018 and replaces the current Data Protection Directive (DPD, Directive 95/46/EC). A regulation is more forceful than a directive: a directive must be transposed into national law by each member state, whereas a regulation is directly applicable and enforceable as law in all member states from its effective date.

The GDPR's scope is broader than the DPD's. Under Article 4 of the GDPR, "personal data" is defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." This goes well beyond the DPD definition ("any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity"). The additions matter in practice for anyone who builds systems: location data, online identifiers (GDPR Recital 30 names IP addresses and cookie identifiers as examples) and genetic factors are now explicitly personal data.

The GDPR will give individuals substantial control over their data by providing them with 1) more information about how their data is processed, presented in a clear and understandable way; 2) the right to be notified when a breach of their data is likely to put them at high risk (Article 34); 3) data protection by design and privacy-friendly default settings (Article 25); and 4) strong enforcement of GDPR violations, with fines of up to €20 million or 4% of worldwide annual turnover (Article 83). Further, the GDPR contains a "right to be forgotten" (right to erasure) provision in Article 17. This will help people better manage data protection risks online and allows individuals to have their data deleted where there are no legitimate grounds for the information to remain available.

The concerns behind this reform are illustrated by recent regulatory actions within the EU. For example, Germany's Federal Cartel Office (the Bundeskartellamt) is investigating whether Facebook abuses its dominance as a social network to harvest personal information from its users. Facebook, the largest online social network in the world, has collected 300 petabytes (a petabyte is a million gigabytes) of personal data since its inception, which the author of that estimate puts at 100 times the amount of data the Library of Congress has collected in over 200 years. Facebook maintains its dominance by acquiring smaller competitors. This practice leaves users with fewer social media platform options and allows Facebook to amass data from its users while showing little regard for privacy laws. Earlier this year, a German court ruled that Facebook had failed to comply with a court order to drop a clause that grants the company a license for content posted by users. Prior to this ruling, Germany's Federal Court of Justice ruled that Facebook's find-a-friend function was illegal, calling it an intrusive form of advertising.

In France, the Commission Nationale de l'Informatique et des Libertés (CNIL), the regulatory body that enforces data privacy law on the collection, storage and use of personal data, is putting pressure on Google to apply the "right to be forgotten" to every version of Google Search worldwide. The CNIL demanded that Google de-list certain links worldwide and fined Google €100,000. Google rejected the demand and has appealed the ruling. Its position is that the CNIL is not justified in ordering that the "right to be forgotten" apply not just in France but in every country in the world, and that such a ruling could lead to abuse by less open and democratic countries. Kent Walker, Senior Vice President and General Counsel of Google, stated in an open letter that:

As a matter of both law and principle, we disagree with this demand. We comply with the laws of the countries in which we operate. But if French law applies globally, how long will it be until other countries - perhaps less open and democratic - start demanding that their laws regulating information likewise have global reach?  This order could lead to a global race to the bottom, harming access to information that is perfectly lawful to view in one’s own country.  

Google de-listed the links in France, but not worldwide, and its appeal is still pending.

Blockchain-based designs have been proposed as one way to address the privacy concerns to which the GDPR and EU regulators are responding. For example, in the paper Decentralizing Privacy: Using Blockchain to Protect Personal Data, Zyskind, Nathan and Pentland question the current centralized model, in which trusted third parties hold personal data, and describe a decentralized peer-to-peer personal data management system built on a blockchain. In their design the chain does not store the personal data itself: it acts as an access-control manager, recording which service may read which data and holding hashed pointers to the data, which is kept encrypted in an off-chain store. No single party then holds both the data and the keys, although no such system is "unhackable". The proposed system focuses on mobile platforms and ensures that individuals own and control their personal data; individuals decide with whom they share it through delegated permissions that they can later revoke.
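To make the delegated-permission model concrete, here is an added, simplified Python model of the design described above. It is not code from the paper or from any project on this page, and the class names, transaction layout and the constructed sample data are assumptions. A hash chain records "access" transactions (grant or revoke) and "data" transactions (content-hash pointers); the personal data lives in a separate, untrusted store; a service must consult the chain before it may fetch anything. The placeholder blob stands in for real ciphertext.

```python
import hashlib
import json

# Hypothetical, simplified model of the Zyskind/Nathan/Pentland design (added
# example, not the paper's code): the chain holds access policies and hash
# pointers only; the data itself is kept off-chain.


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class OffChainStore:
    """Untrusted key-value store (the paper uses a DHT), keyed by content hash."""

    def __init__(self):
        self._blobs = {}

    def put(self, blob: bytes) -> str:
        key = h(blob)
        self._blobs[key] = blob
        return key

    def get(self, key: str) -> bytes:
        blob = self._blobs[key]
        if h(blob) != key:  # the on-chain pointer doubles as an integrity check
            raise ValueError("off-chain blob does not match its on-chain pointer")
        return blob


class PermissionLedger:
    """Append-only hash chain of access and data transactions."""

    def __init__(self):
        self.blocks = []  # each block: {"prev": str, "tx": dict, "hash": str}

    def _append(self, tx: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = json.dumps({"prev": prev, "tx": tx}, sort_keys=True).encode()
        self.blocks.append({"prev": prev, "tx": tx, "hash": h(body)})

    def grant(self, owner: str, service: str, fields) -> None:
        self._append({"type": "access", "owner": owner,
                      "service": service, "fields": sorted(fields)})

    def revoke(self, owner: str, service: str) -> None:
        # Revocation is just a later access transaction with an empty field set.
        self._append({"type": "access", "owner": owner,
                      "service": service, "fields": []})

    def publish(self, owner: str, field_name: str, pointer: str) -> None:
        self._append({"type": "data", "owner": owner,
                      "field": field_name, "pointer": pointer})

    def permitted_fields(self, owner: str, service: str) -> set:
        # The most recent access transaction for the pair wins; default is nothing.
        latest = set()
        for b in self.blocks:
            tx = b["tx"]
            if tx["type"] == "access" and tx["owner"] == owner and tx["service"] == service:
                latest = set(tx["fields"])
        return latest

    def pointer(self, owner: str, field_name: str):
        for b in reversed(self.blocks):
            tx = b["tx"]
            if tx["type"] == "data" and tx["owner"] == owner and tx["field"] == field_name:
                return tx["pointer"]
        return None

    def verify(self) -> bool:
        # Recompute every link; any edited transaction breaks the chain.
        prev = "0" * 64
        for b in self.blocks:
            body = json.dumps({"prev": prev, "tx": b["tx"]}, sort_keys=True).encode()
            if b["prev"] != prev or b["hash"] != h(body):
                return False
            prev = b["hash"]
        return True


def read_field(ledger: PermissionLedger, store: OffChainStore,
               service: str, owner: str, field_name: str) -> bytes:
    """A service must check the chain's policy before touching the store."""
    if field_name not in ledger.permitted_fields(owner, service):
        raise PermissionError(f"{service} may not read {owner}/{field_name}")
    ptr = ledger.pointer(owner, field_name)
    if ptr is None:
        raise KeyError(f"no on-chain pointer for {owner}/{field_name}")
    return store.get(ptr)


def demo():
    """Constructed walk-through: publish, grant, read, revoke, read again."""
    ledger, store = PermissionLedger(), OffChainStore()
    # Constructed sample; a real deployment stores AEAD ciphertext here.
    ptr = store.put(b"enc(location=52.52N,13.40E)")
    ledger.publish("alice", "location", ptr)
    ledger.grant("alice", "rideshare-app", {"location"})
    first = read_field(ledger, store, "rideshare-app", "alice", "location")
    ledger.revoke("alice", "rideshare-app")
    try:
        read_field(ledger, store, "rideshare-app", "alice", "location")
        revoked_blocked = False
    except PermissionError:
        revoked_blocked = True
    return first, revoked_blocked, ledger.verify()


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible: revocation only stops future reads, it cannot recall copies a service already fetched; and the off-chain nodes are untrusted, so the blob must be encrypted under a key the owner controls, with the hash pointer giving integrity but not confidentiality.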

In addition, consumers can protect their personal data by adopting applications that use blockchain services where that is practical. For example, La'Zooz is a decentralized ride-sharing platform that may one day take on Uber. La'Zooz does not keep user data on its own server; according to the project, that data is encrypted and recorded on the Bitcoin blockchain. Although not as widely available as Uber, La'Zooz currently has 4,201 community members and is continuing to grow. Uber, by contrast, was recently fined by the New York Attorney General (NYAG) after a 14-month investigation into its privacy policy on geolocation, under which Uber reserved the right to collect and use geolocation information from riders even when the Uber app was not open in the foreground of their devices. Further, Uber notified the NYAG of a large breach of its cloud storage that occurred in May 2014, when an Uber engineer posted an access ID for the company's third-party cloud service on a website without realizing it would be publicly visible. Decentralized applications such as La'Zooz remove the central data store that made that breach possible, but they do not remove the need to protect keys: a leaked decryption key exposes an encrypted record on a public chain much as the leaked cloud credential exposed Uber's storage, and data written to a public blockchain cannot later be deleted, which sits uneasily with the GDPR's Article 17 right to erasure.

Through laws and regulatory actions, the EU has taken the lead in making sure that large companies with access to personal data do not abuse that privilege. In the future, wider adoption of blockchain technology could reduce the need for large companies to hold this data centrally and give individuals far greater control over their personal data.