
Can disruptive technologies and cybersecurity laws work together? Unpacking the legal puzzle

Posted on: 25 February 2025 by Ammar Zafar in Blog


Disruptive technologies like blockchain, artificial intelligence, and digital identity systems are revolutionising finance, governance, and data security. They offer transparency, efficiency, and decentralisation but challenge existing laws—particularly regarding data protection and cybersecurity.

The EU’s Data Protection Regulation and the NIS2 Directive set strict rules for managing digital data, but keeping up with rapidly evolving technologies remains complex. This tension is at the heart of ongoing legal discussions: can innovative technologies and strict data laws work together, or are they fundamentally at odds?

In his latest research, published in the Oxford University Press’s Journal of Cybersecurity Law, Postgraduate Researcher Ammar Zafar explores how blockchain technology can align with privacy laws while maintaining its core advantages. This debate is more than theoretical—it has real-world consequences for industries such as banking, healthcare, and government services.

The big conflict: Blockchain vs GDPR

Imagine a bank using blockchain to secure transactions and prevent fraud. Suppose a customer requests to delete their data under GDPR’s "right to be forgotten" (Article 17). In a traditional database, deletion is simple. However, removing data becomes nearly impossible in blockchain, where records are permanent and cannot be altered.

This is not just a hypothetical issue. Consider Worldcoin, a blockchain-based identity project that scans users' irises for verification. While it offers secure financial transactions, it also collects sensitive biometric data. Under GDPR, users have the right to erase their personal data—but if that data is permanently stored on a blockchain, how can this right be enforced?

This legal puzzle raises a critical question: how do we balance blockchain’s immutability with the legal requirement for data control and erasure?

Bridging the gap: Can blockchain be GDPR-compliant?

Rather than treating blockchain and GDPR as incompatible, my research explores potential solutions that could make them work together.

•    Redactable blockchain technology – New cryptographic tools like chameleon hashes allow specific data to be modified or erased without disrupting the entire blockchain. This could help financial institutions use blockchain while complying with GDPR.

•    Hybrid Governance Models – Some companies, including IBM and Mastercard, use permissioned blockchains, where authorised administrators manage access and modifications. This model aligns more closely with GDPR while still leveraging blockchain’s benefits.
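To make the chameleon-hash idea in the first bullet concrete, here is an added example (not code from the research or from any project named on this page) of a discrete-log chameleon hash used to redact one block's payload while the next block's link to it stays valid. The group parameters, function names and sample payloads are assumptions chosen for illustration.

```python
import hashlib, math, secrets

# Toy parameters (assumption, illustration only): Mersenne prime 2^127 - 1.
# Far too small for real use; real schemes use groups of cryptographic size.
P = 2**127 - 1
N = P - 1            # exponents live modulo the group order
G = 3

def keygen():
    """Return (trapdoor x, public key h = g^x); x must be invertible mod N."""
    while True:
        x = secrets.randbelow(N - 2) + 2
        if math.gcd(x, N) == 1:
            return x, pow(G, x, P)

def digest(prev: int, payload: bytes) -> int:
    """Map a block's contents (previous id + payload) to an exponent."""
    data = prev.to_bytes(16, "big") + payload
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def ch_hash(h: int, m: int, r: int) -> int:
    """Chameleon hash CH(m, r) = g^m * h^r mod p."""
    return pow(G, m, P) * pow(h, r, P) % P

def collide(x: int, m: int, r: int, m_new: int) -> int:
    """With trapdoor x, solve m + x*r = m_new + x*r_new (mod N) for r_new."""
    return (r + (m - m_new) * pow(x, -1, N)) % N

def make_block(h: int, prev: int, payload: bytes) -> dict:
    r = secrets.randbelow(N)
    return {"prev": prev, "payload": payload, "r": r,
            "id": ch_hash(h, digest(prev, payload), r)}

def block_ok(h: int, blk: dict) -> bool:
    return ch_hash(h, digest(blk["prev"], blk["payload"]), blk["r"]) == blk["id"]

def redact(x: int, blk: dict, new_payload: bytes) -> dict:
    """Authorised erasure: swap the payload, recompute r, keep the same id."""
    r_new = collide(x, digest(blk["prev"], blk["payload"]), blk["r"],
                    digest(blk["prev"], new_payload))
    return {**blk, "payload": new_payload, "r": r_new}

def demo():
    x, h = keygen()
    b1 = make_block(h, 0, b"customer=alice;account=CONSTRUCTED-SAMPLE")
    b2 = make_block(h, b1["id"], b"tx=42")
    naive = {**b1, "payload": b"[erased]"}   # edit without the trapdoor
    fixed = redact(x, b1, b"[erased]")       # edit by the trapdoor holder
    # -> (False, True, True): naive edit detected; redaction keeps b2's link
    return block_ok(h, naive), block_ok(h, fixed), fixed["id"] == b2["prev"]
```

Whoever holds the trapdoor `x` can rewrite any block this way, so custody of that key is the control point that the governance model has to protect and audit.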

These innovations are already shaping blockchain regulation. The UK Land Registry is exploring blockchain for property transactions, ensuring transparency while addressing legal concerns over data retention and modification. Meanwhile, EU regulators are assessing self-sovereign identity (SSI) systems, where users fully control their digital identities in a GDPR-compliant way.

Why this matters: The future of blockchain regulation

The debate over blockchain regulation is not just a legal issue—it affects businesses, consumers, and governments worldwide. Without clear legal guidance, financial institutions, healthcare providers, and digital identity platforms face uncertainty about how to comply with data laws using blockchain technology.

Governments and regulators must strike a balance—ensuring blockchain can thrive without undermining privacy rights. Instead of forcing blockchain to fit into traditional legal frameworks, we must explore new regulatory models that evolve with technological advancements.

While blockchain and GDPR may seem opposed, they do not have to be. We can ensure blockchain serves innovation and data protection by adopting flexible legal frameworks, privacy-enhancing cryptographic solutions, and responsible governance models.

The complete research, with a detailed legal analysis, is available in the Oxford University Press’s Journal of Cybersecurity.