Tommi A. Vuorenmaa, PhD

Data may be the hottest commodity in town. Data burns in the hands of their owners: Yahoo was recently ruled to face potential sues from 1B data breach victims between 2013 and 2016 on the grounds of risk of identity theft and loss of value of Personally Identifiable Information (PII). Since PII and money are digital and easy to traffic, hackers love data as much as mathematicians love π.

Lawyers and regulators love data, too – especially PII. The European Union (EU) is just increasing the number of weird acronyms: In addition to regulations like MiFIR and MiFID2 (which we gladly pass by here), General Data Protection Regulation (GDPR) is sure to keep lawyers busy for years. The economic ramifications of it are also far reaching, but harder to forecast and control than π.

The main message of GDPR may be shortly summarized like this: People in the EU will have to be asked for their clear consent on recording their PII. Secondly, PII must always be totally erasable. The first point may surely create some awkward user interfaces, but let us put that aside for now; here we are more interested in the rather lucrative option to be able to erase your PII at all times.

It would certainly make a fantastic topic to discuss who is the rightful data owner – who owns π? Here, for PII, the person in question is apparently also its owner, so she should retain the right to erase PII. Yet, that person may have often, knowingly or unknowingly, by accepting the “Terms of Service,” agreed that her PII data may be used in perhaps other contexts. Is that agreement valid?

In one view, by accepting the “ToS,” that person has agreed to “sell” her PII in exchange for certain services. Would it be possible to claim later in the context of a car deal, say, by that same person, to cancel that deal and require the related paperwork to be deleted from the transaction records? Is there anything in particular that makes PII a different kind of commodity in comparison to a car?

Things get even more irrational when trying to define PII. In mathematics, π is the ratio of circle’s circumference to its diameter. Much less accurately, GDPR says that PII data identifies a person. But things can be reverse-engineered – there exist an industry for that sort of thing; artificially intelligent machine learning algorithms, say, can identify a person using relatively high anonymity.

And now we reach the “PII regulatory lapse” in GDPR: If people can erase their user accounts, is it increasing the risk of criminal activity, or decreasing it? I would claim it may well support the idea of creating false accounts and/or erasing potentially harmful information, personally or otherwise – just the opposite what blockchain technology, in particular, is aiming to support: responsibility.

Blockchain data are, in a mathematically ensured and protected way, permanent and immutable. This distributed ledger technology typically records data transparently and openly. It is critical that different levels of anonymity exist, but sometimes anonymity does not lead to socially responsible actions; just consider legitimate peer-to-peer market places where a priori unknown people meet.

GDPR appears to be largely motivated by a few large-scale hacking incidents related to PII, such as those Yahoo cases. Paradoxically, GDPR may end up hurting the smallest businesses (and people) the most. And even more paradoxically, if I should dare to say, companies like Facebook or Yahoo, have most probably, on balance, increased the overall welfare of people rather than decreased it.

While π has to be one of the greatest irrational findings in the history of human kind – an infinite, non-repeating sequence of digits that could not be fully expressed in numerical form – it does not appear likely that the irrationality of PII in the context of GDPR leads to such great results. To quote mathematician Georg Cantor: “I place myself in a certain opposition to views widely held…”

The solutions that Aekraes Kodex designs take into account the best benefits of anonymity, but it has to be reiterated that all users should also assume some responsibility over their own actions. Threat of sanctions based on potential identity thefts will lead to suboptimal economic outcomes. Data is the hottest commodity in town. Blockchain is the technology to nurture it. Use responsibly.