A Data-Driven Analysis of Blockchain Systems’ Public Online Communications on GDPR

After the European Union’s new General Data Protection Regulation (GDPR) became applicable in May 2018, concerns about the legal compliance of public blockchain systems with rights guaranteed by GDPR have emerged, e.g., on the "right to be forgotten". In order to better understand how the blockchain sector sees the challenges raised by GDPR and how such their communications could influence their users, this paper reports our data-driven analysis of GDPR-related public online communications of blockchain developers and service providers. Our analysis covers 314 public blockchain systems, and two different online communication channels: legal documents including privacy policies, T&C (Terms and Conditions) documents and other similar legal documents published on systems’ official websites and public tweets of their official Twitter accounts.Our analysis revealed that only a minority (86/314 ≈ 27.5%) of the investigated blockchain systems had covered GDPR at least once using one or both communication channels. Among the 86 systems, only 27 systems (8.6%) had at least one legal document that actually talks about GDPR for the corresponding blockchain system. We noticed a systematic lack of detail about why and how the GDPR compliance issue was addressed, and most systems made questionable statements about GDPR compliance. The results are surprising considering that the GDPR was enacted in 2016 and has been in effect since May 2018.