At first glance, the features which make up Blockchain technology may be difficult to reconcile with certain data protection aspects and, in particular, with the framework established under the forthcoming General Data Protection Regulation (“GDPR”).
Typical Blockchain and Distributed Ledger Technologies (“DLTs”), whether permissioned or public, tend to have the same three characteristics; namely the fact that the system is decentralised, immutable and more transparent than current centralised legacy systems. On the surface, these aspects may appear to be incompatible with data protection considerations, particularly seeing as data protection law focuses on the importance of allowing personal data to be removed or edited by identifiable entities. However, DLTs could also be employed to comply with the GDPR’s objectives. One of the considerations is that the characteristics of the technology may facilitate the protection of personal data; DLTs are embedded with characteristics which inherently increase the protection of data, such as encryption, pseudonymisation and low risk of cyberattack.
This article explores the various ways in which Blockchain and DLTs could be implemented in order to successfully carry out the objectives of the GDPR, while noting the obstacles that this type of technology may present in achieving this purpose.
What is personal data?
Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”, whether that information could identify the person directly or indirectly. The concept of what constitutes personal data is undoubtedly very broad.
Using a DLT database, parties are able to access the database by means of a digital key. Access is allowed whether the Blockchain is permissioned (in which case the digital key is private), or public (where the key is a public key whereby anyone could obtain access). Both keys operate through the pseudonymisation of data so that a party to a transaction could be traced but not identified directly. Several regulatory issues and legal implications arise when contemplating whether these keys could be treated as personal data, and if they are considered as such, these keys are subject to the provisions of the GDPR.
The GDPR provides, amongst other provisions, that whenever personal data is processed, the specific purposes for which the data is processed must be specific specified and legitimate. The data itself should also be adequate, relevant and limited to what is necessary in relation to those specific purposes. Such principles of purpose limitation and data minimisation may be difficult to achieve in a public Blockchain where data are held by various nodes distributed across the network and this is accessible to the public, regardless of the data’s original purpose for collection or processing.
Identification of Data Processors & Data Controllers
Current data protection legislation (including the GDPR) focuses on centralised systems where identifiable entities are responsible for processing personal data. In the context of the Blockchain’s decentralised environment, the way in which Blockchain participants are classified from a data protection perspective is debatable. The accurate classification of participants as Data Controllers or otherwise under the GDPR, is crucial as different implications arise depending on the said classification. In principle, it is also unclear who assumes the role of a controller (the entity that determines the purposes and means of the processing) within the Blockchain system.
As blockchain databases are located in a distributed manner and no centralised entity is responsible for the network, one questions how data controllers can be identified, both in terms of the processing of personal data and any liabilities that may arise under the GDPR. In order to overcome this lacuna, it has been suggested that miners involved in the processing and verification of transactions could be viewed as the data controllers. Several issues arise in this scenario, particularly in terms of large public Blockchains as the identification of multiple miners, most probably located all over the world, would not be feasible.
The Right to be Forgotten vs. Immutability
Under the GDPR, data subjects are also granted a number of rights which appear to be in tension with Blockchain’s immutable characteristics; most notably the right to be forgotten. In broad terms, this right enables an individual to request the deletion or removal of personal data and which must be entertained unless there is a justifiable reason for its continued processing. One of the fundamental principles underpinning Blockchain technology is the tamper-proof linking system, whereby once a new block is added to the Blockchain, it cannot be altered or removed without disrupting the rest of the chain. This feature of the technology is purported to increase transparency and trust in transacting systems which utilise Blockchain technology.
It is possible to develop DLTs which are decentralised yet permit the editing or removal of certain blocks. However, these editable DLTs would need to overcome a major obstacle; the ensuing possibility to edit data, while maintaining the data’s authenticity, which would require the nomination of trustworthy administrators to make the changes. Imposing a centralised body that would be capable of controlling and altering data may be unfeasible as it strays too far away from the core Blockchain model, resulting in editable technologies which cannot be considered as traditional Blockchain or DLT systems anymore.
Traceability & Pseudonymisation
Blockchain systems enable data to be transferred in a pseudonymous manner between parties. The distinction between pseudonymisation and anonymity is crucial as under the former data transferred between parties can be traced back to its original contributor. The GDPR does indicate that pseudonymisation could be used as an appropriate tool in protecting personal data, so long as the contributor cannot be singled out and identified through that pseudonymisation. In a utopian Blockchain environment, participants in a Blockchain would have their data totally disguised or even anonymised in order to ensure that the system is truly trustworthy. In practice, however, this is not always feasible. That being said, under data protection laws, if a transaction cannot be traced back to the involved parties their fundamental right to self-determination is not affected and the transaction would fall beyond the scope of data protection.
Data Protection by Design & Default
The GDPR introduces the notion of data protection by design and by default. This concept evolved as an extension of the principles of integrity and data minimisation. This concept requires that there is adequate security in place throughout the entire lifecycle of the data and that the strictest privacy settings are applied. The encryption and pseudonymisation characteristics of the technology champion data protection by design considerations. However, data protection by default requires that the technology automatically ensures personal data protection by allowing the processing of personal data in line with the law. This may be difficult to achieve as already discussed.