Blockchain and GDPR: is a clash really inevitable?
Blockchain, considered to be the greatest technological innovation since the internet, is currently also one of the most debated technologies. From a legal perspective, the technology raises many questions, in particular because several aspects of blockchain clash with the EU data protection framework. Can these problems be overcome?
What is the “blockchain”?
Blockchain, or more generally distributed ledger technology (“DLT”), has caused tremendous innovation in the fintech sector. A large part of the interest is due to the successful – and controversial – digital coins such as Bitcoin and Ethereum, some of the few large-scale implementations of blockchain to date.
The terms Blockchain, Bitcoin and DLT are often, incorrectly, used as synonyms. ‘DLT’ is the umbrella term for any kind of transaction ledger that is decentralised and distributed among parties. ‘Blockchain’ is a particular type of DLT that uses blocks and chains to store transaction records. ‘Bitcoin’ is a specific cryptocurrency application of blockchain. By this logic, we can say that Bitcoin is only one type of blockchain and blockchain is only one type of DLT.
There is no single model for blockchain systems. The technology can be set up in an almost infinite range of configurations. At this moment, there are three general types of blockchain: public permissionless blockchain (e.g. Bitcoin and Ethereum), public permissioned blockchain (open to the public, but managed by permission-settings) and private permissioned blockchain (only for a limited group of persons and privately managed, e.g. within a company or closed organisation).
Applicability of the GDPR
Many blockchain-based applications will be subject to the GDPR for two reasons. Firstly, data stored in a blockchain will often relate to identified or identifiable persons and therefore be considered “personal data”. Even where data is encrypted or hashed, it qualifies as personal data according to the Article 29 Working Party (“WP29”). The WP29 has made it clear that hashing constitutes a technique of pseudonymisation, not anonymisation, as it is still possible (even if this is difficult) to link the dataset to an identifiable data subject. Public keys, when associated with an individual, will also likely qualify as personal data. The second reason is the cross-border nature of blockchain and the GDPR’s broad territorial scope. Blockchains usually run on nodes located in various parts of the world (including the EU), thereby triggering the application of the GDPR.
Privacy issues of the blockchain
Blockchains – in particular those of a public and permissionless nature – are in their current state deemed to be irreconcilable with the GDPR. The most important issues can be summarised as follows:
- Who is the data controller? Blockchains enable multiple parties to jointly manage a set of personal data, which makes it difficult to determine the privacy role of each of the parties involved. For private blockchains, it might still be possible to identify a central administrator that can qualify as the data controller. For many other blockchain networks, the system is operated by all its users in a peer-to-peer network. This may mean that either no node qualifies as a data controller, or, more likely, every node qualifies as a data controller.
- How can data subjects exercise their rights? In a blockchain environment, amendment or erasure of data is technically impossible because the system is designed to prevent it. Once data is added to a blockchain, it cannot be amended or erased. To amend data, a new block with the amended data has to be added to the chain. However, the initial data will always remain in the chain. It is questionable whether this so-called ‘immutability’ feature can be reconciled with the data subjects’ rights to rectification and erasure.
- How to reconcile with the principles of lawful data processing? Once added to a blockchain, personal data will in principle remain part of the chain. Perpetual storage of data on the blockchain is difficult to reconcile with the storage limitation principle, while making all data visible to every node is likely to be considered excessive in light of the data minimisation principle.
Same objective, other means
While blockchain and GDPR could be seen as profoundly incompatible with one another, both systems in fact also share a common objective: giving individuals more control over their data and securing the exchange of their data.
Only time will reveal how regulators and judges will approach the tension between GDPR and blockchain. In any case, we believe that an attempt should indeed be made to reconcile the two, in order to create the best of both worlds. For the time being, the safest advice for blockchain developers is to work with a permissioned (private) system where possible and to store personal data in a secured off-chain database.
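The following added example (Python, not part of the original article) illustrates the technical points made above: an unsalted on-chain hash of an identifier can be recomputed by anyone who knows that identifier, a hash chain detects any amendment, and keeping the personal data and a per-record key in an erasable off-chain store leaves only a keyed tag on the chain that can no longer be tested against an identifier once the record is erased. The class names, the HMAC-tag design and the sample address are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

def block_hash(prev, payload):
    return hashlib.sha256((prev + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only hash chain: every block commits to its predecessor."""
    def __init__(self):
        self.blocks = []
    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload,
                            "hash": block_hash(prev, payload)})
    def verify(self):
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["payload"]):
                return False  # an amended or removed block breaks the chain
            prev = b["hash"]
        return True

def plain_digest(identifier):
    return hashlib.sha256(identifier.encode()).hexdigest()  # unsalted: anyone can recompute

class OffChainStore:
    """Hypothetical erasable database: personal data plus a per-record key."""
    def __init__(self):
        self.records = {}
    def _tag(self, key, identifier):
        return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    def put(self, identifier):
        key = secrets.token_bytes(32)
        tag = self._tag(key, identifier)
        self.records[tag] = (key, identifier)
        return tag  # only this keyed tag is written on-chain
    def links_to(self, tag, identifier):
        rec = self.records.get(tag)
        return rec is not None and hmac.compare_digest(self._tag(rec[0], identifier), tag)
    def erase(self, tag):
        return self.records.pop(tag, None) is not None  # key and data both gone

def demo(email="alice@example.org"):  # constructed sample identifier
    ledger, store = Ledger(), OffChainStore()
    ledger.append({"subject": plain_digest(email)})  # design 1: hash on-chain
    tag = store.put(email)
    ledger.append({"subject": tag})                  # design 2: data off-chain
    relinkable = ledger.blocks[0]["payload"]["subject"] == plain_digest(email)
    before = store.links_to(tag, email)
    store.erase(tag)
    return relinkable, before, store.links_to(tag, email), ledger.verify()
```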