Does the Steem blockchain comply with the GDPR and European privacy laws?

Steemit Inc. has updated its privacy page (https://steemit.com/privacy.html) and now complies with the GDPR (General Data Protection Regulation). But what about the Steem blockchain itself?


Personal data (Art. 4.1)

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Pseudonymisation (Art. 4.5)

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

So by default, only pseudonymised data, such as public keys and usernames, are stored in the blockchain. Normally, a person cannot be identified by a username or public key. Only when the person publishes information about themselves that allows identification does a connection between a public key, a username and a natural person exist.

Right to be forgotten (Art. 17)

Assume I wrote a post that includes my name and I want it to be deleted.

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

This means that when it is not too costly and complicated, the data should be deleted; otherwise not. Steemit Inc. should ask Google and other search engines to exclude the post link from their search results.

Furthermore:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

To me, this means that blockchain data are excluded from the right to be forgotten. Deleting blockchain data means either

  1. deleting the entire blockchain, or
  2. doing a hard fork.

The first would overlap with a) "for exercising the right of freedom of expression and information", and the second overlaps with d) "for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)".

Conclusion

As the Steem blockchain is completely public and its data are of public interest, it may be protected by Art. 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Thus, in my view, the Steem blockchain is not illegal once the GDPR is in force in the EU.

As long as there is no search engine in Steemit (it uses Google), I don’t see a problem with the GDPR.

Disclaimer

I’m not a lawyer and this is not legal advice.