Directed Acyclic Graphs: the need for attention from data protection authorities

June 23, 2019

An evolution of distributed ledger technology (DLT) is gaining momentum: directed acyclic graphs (DAG). Owing to its enhanced validation mechanism, high scalability, support for Internet of Things (IoT) and multi-party involvement, DAG may start to overtake blockchain as a more popular form of DLT. The potential of this technology to address some of the failures in traditional blockchain architecture could result in more widespread adoption of DAG. However, companies considering using this technology will need to consider the resources available to support them in complying with their obligations under the General Data Protection Regulation (GDPR).1

What is DAG?

Unlike blockchain, which stores transactions in blocks, DAG stores transactions in nodes (e.g. a device on a blockchain network). With blockchain, the sequence of transactions is linked by the pre-hashes between the blocks. In DAG, however, the transactions themselves maintain the sequential order. Every new transaction performed in DAG must validate at least two earlier transactions before it is recorded onto the blockchain network.2 For the sake of simplicity, if you imagine blockchains as linear blocks, DAGs are a block-lattice3 (see Figure 1 and Figure 2).

How does DAG solve some of the issues hindering global scale blockchain adoption?

Among other issues, two particular challenges for blockchain are scalability and cost. To illustrate these challenges further, in order for a transaction (for example) to be included in a block, a new block must be created by using a consensus mechanism. Popular consensus mechanisms include Proof of Work (PoW), Proof of Stake (PoS) and sharding, summarised briefly as follows. 


Bitcoin uses PoW. In Bitcoin, nodes (also known as “miners”) compete to solve a difficult math puzzle to include new blocks in the blockchain so that they can potentially receive bitcoins as a reward. The central processing unit power (CPU Power) of a node is proportional to the probability of generating a new block, which means the higher the CPU Power is, the more likely the node is to receive a reward for creating blocks. The mining electricity bill for a year of Bitcoin is estimated as being over US$400 million.4


The first cryptocurrency to implement PoS was Peercoin in 2012.5 The probability of generating a new block is proportional to the stake status rather than the CPU Power. With Peercoin, the more coins a user stakes, the higher the probability that the user creates a new block, compared with a user who has fewer coins. PoS is much more cost effective and eco-friendly compared to PoW as no hash functions are required and therefore less electricity is consumed.


Sharding divides the transaction load across different nodes on the network.6 Each node therefore processes a fraction of incoming transactions in parallel with the remaining nodes. As the network grows and scales horizontally, so does its efficiency and scalability.

This is where DAG comes in. Unlike the other consensus mechanisms, with DAG there are no dedicated validators which generate and order blocks. Instead, transactions are ordered asynchronously, with the account owner in charge of transaction ordering. To use terminology derived from the permissionless distributed ledger IOTA,7 unverified IOTA transactions are called “tips of the tangle” and the connections between them “edges” (see Figure 2). Each new transaction is attached via edges to two tips and verifies their validity. If a transaction is thrown out for invalidity, the algorithm uses another tip to attach the new transaction. Each new transaction performs a small PoW verification of the two tips. The more activity on the tangle, the faster the transactional speed.

At the time of writing, IOTA benchmarks 1,500 transactions per second (tps). This will increase where there are more users and so more activity. In comparison, Bitcoin ranges from 2 to 7 tps and Ethereum ranges from 15 to 20 tps. However, while IOTA is more scalable and cost effective than a public, permissionless blockchain model, it still has a long way to go before it is comparable to the Visa credit/debit card network, for example. While Visa does not operate on a DLT platform, as of August 2017 it benchmarks 65,000 tps.8 This is useful in demonstrating how much more DAG needs to develop if it is to be used worldwide by individuals for digital payments. The limitations on DAG are currently determined by the quality of consumer grade hardware (e.g. CPU Power) and network conditions.
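The tip mechanism described above can be made concrete with a toy model. This is an added example, not code from the article or from IOTA: the names `Tangle`, `tx_id`, `select_tips` and `attach`, the SHA-256 hash, the uniform random tip choice and the `DIFFICULTY` value are all simplifying assumptions.

```python
import hashlib
import random

DIFFICULTY = 2  # constructed: leading hex zeros required, far below any real network

def tx_id(payload, parents, nonce):
    """Hash that binds a transaction's payload to the two tips it approves."""
    return hashlib.sha256(f"{payload}|{'|'.join(parents)}|{nonce}".encode()).hexdigest()


class Tangle:
    def __init__(self):
        self.txs = {}          # id -> (payload, parents, nonce)
        self.approved = set()  # ids referenced by at least one later transaction
        self.genesis = self._store("genesis", (), 0)

    def _store(self, payload, parents, nonce, forced_id=None):
        """Record a transaction unchecked (forced_id simulates a forged entry)."""
        tid = forced_id or tx_id(payload, parents, nonce)
        self.txs[tid] = (payload, tuple(parents), nonce)
        self.approved.update(parents)
        return tid

    def tips(self):
        """Transactions that no other transaction has approved yet."""
        return sorted(t for t in self.txs if t not in self.approved)

    def is_valid(self, tid):
        """Recompute the hash from stored fields and check the small proof of work."""
        if tid == self.genesis:
            return True
        payload, parents, nonce = self.txs[tid]
        return tx_id(payload, parents, nonce) == tid and tid.startswith("0" * DIFFICULTY)

    def select_tips(self, rng=random):
        """Pick two valid tips; an invalid tip is skipped and another one is used."""
        candidates = self.tips()
        rng.shuffle(candidates)
        chosen = [t for t in candidates if self.is_valid(t)][:2]
        if not chosen:
            raise ValueError("no valid tip to approve")
        return tuple(chosen * 2)[:2]  # a lone tip is approved twice

    def attach(self, payload, parents):
        """Do the small proof of work over payload and parents, then record it."""
        nonce = 0
        while not tx_id(payload, parents, nonce).startswith("0" * DIFFICULTY):
            nonce += 1
        return self._store(payload, parents, nonce)
```

Overwriting a stored payload after the fact makes `is_valid` fail for that transaction, because its identifier was computed over the original payload. That binding is the property that makes rectification and erasure on a ledger hard.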

Challenges under GDPR

The challenges posed by GDPR for blockchain have been widely discussed. In the author’s earlier article ‘GDPR challenges for blockchain technology’,9 it is noted that GDPR analysis of each blockchain platform will vary depending on the characteristics of the platform. For example, it could be:

  • public (the blockchain is accessible to all) or private (the blockchain is only accessible to members of a closed group); 
  • permissionless (anyone can add records or contribute to validating transactions via a pseudonym) or permissioned (there is an external mechanism that allows the identification of the parties that want to add records to the blockchain, and/or participators as validators); 
  • on chain (storing data on the blockchain), off chain (storing data on another system with access control restrictions) or side chain (storing data on an independent parallel blockchain). 

Depending on the design of the blockchain platform, this will have an impact on identifying who are the controllers and processors. It will also impact how data subjects can access their rights such as the right to access (Article 15(1) GDPR); the right to rectification of inaccurate personal data (Article 16 GDPR) and the right to erasure where, for example, ‘the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed’ (Article 17(1)(a)). 

The same will be true for any DAG model. Given the uncertainty around how GDPR applies to various DLT models, some organisations are deciding not to adopt it due to the potential financial consequences of breaching GDPR (i.e. fines of up to the greater of EUR20 million or 4% of annual global turnover (Article 83, GDPR)). In contrast, others have simply viewed their GDPR obligations ‘as irrelevant to their organisation or irreconcilable with their tech’ and are ‘undeterred from using blockchain technologies’.10 As Norval et al. note, ‘If an organisation wrongly concludes that these obligations are not applicable, incidents of non-compliance, harms to data subjects, diminished trust, and regulatory repercussions may result’.11

Possible solutions to ensure GDPR compliance 

Data protection by design and default are two overarching guiding principles of GDPR (Article 25, GDPR). As noted by the CNIL12 and the EU Blockchain Observatory and Forum,13 anyone considering using blockchain should carefully assess beforehand the need to use a blockchain, particularly a private one. The same applies to DAG and any other DLT platforms. This may be done by carrying out a Data Protection Impact Assessment (Article 24, GDPR) to evaluate the impact and risks associated with implementing a DLT platform. Using special cryptographic techniques (e.g. Ring Signatures and Zero Knowledge Protocols) may also help alleviate privacy problems. However, these will not work on all DLT platforms (including IOTA).

In the UK, the Information Commissioner’s Office’s (ICO’s) proposed use of regulatory sandboxes would also be helpful for anyone considering implementation of DLT as it allows testing by private firms in a controlled environment under the ICO’s supervision.14 

To assist further with ensuring compliance with data protection obligations, it would be helpful if the European Data Protection Board issued guidance regarding the application of data protection law to various common blockchain models, and it is noted that its Work Program for 2019 to 2020, published in February this year, did identify blockchain as a potential topic for activities.15 In the UK, the Information Commissioner’s Office, as part of its Information Rights Strategic Plan 2017-2021, has also launched a programme to fund research into the privacy implications of various new technologies, including blockchain.16


Blockchain technology and other forms of DLT, like DAG, are developing rapidly. Each platform raises its own issues for compliance with data protection legislation and regulation. With the potential of this technology to be widely adopted, failure to address such issues could have serious implications for the data protection landscape. Data Protection Authorities need to act quickly in providing further guidance and education to enable developers and service providers to more easily comply with their data protection obligations.


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 S. Lee, “Explaining Directed Acylic Graph (DAG), The Real Blockchain 3.0” Forbes, 24 Jan 2018. Available at (accessed on 9 June 2019).

3 Bencic, Federico Matteo & Zarko, Ivana Podnar (2018). “Distributed Ledger Technology: Blockchain Compared to Directed Acyclic Graph” IEEE 38th International Conference on Distributed Computing Systems (ICDCS), Vienna, 2018, pp. 1569-1570.

4 Aste, Tomaso, The Fair Cost of Bitcoin Proof of Work (June 27, 2016). Available at SSRN: or (accessed on 10 June 2019). 

5 (accessed 9 June 2019). 

6 ENISA, “Distributed Ledger Technology & Cybersecurity – Improving information security in the financial sector”. Available at: (accessed on 9 June 2019).

7 (accessed 18 June 2019).

8 VISA (2017), ‘Fact Sheet’. Available at: (accessed 10 June 2019). 

9 Rose, Anne (June 2019) ‘GDPR challenges for blockchain technology’ Interactive Entertainment Law Review, Volume 2, Issue 1. 

10 Norval, Chris; Janssen, Heleen; Cobbe, Jennifer; Singh, Jatinder, “Data protection and tech startups: The need for attention, support and scrutiny” (5 June 2019).

11 Ibid.  

12 CNIL, ‘Blockchain: Solutions for a responsible use of the blockchain in the context of personal data’, November 2018. Available at: (accessed on 10 June 2019).

13 EU Blockchain Observatory and Forum, ‘Blockchain and the GDPR’ (October 2018). Available at: Accessed on 10 June 2019. 

14 ICO (2019) ICO’s call for views on building a sandbox: summary of responses and ICO comment. Available at: (accessed 14 June 2019).

15 EDPB (12.02.19). EDPB Work Program 2019/2020: available at (accessed on 14 June 2019). 

16 ICO. (2018), Grants Programme 2018, available at: (accessed on 14 June 2019).

Anne Rose is an associate and co-lead of the Blockchain Group at Mishcon de Reya LLP
