NAIH, Hungary’s Authority for Data Protection and Freedom of Information, issued guidance on blockchain data protection. The guidance answers the questions of a private individual in a specific case, and NAIH published it because of the public interest and the newness of the technology.
The guidance provides a short description of blockchain technology. NAIH then defines personal data, the legal basis of data processing, and how to identify the data controller and data processor in the blockchain.
According to NAIH, blockchain is a decentralised network where no central entity controls system functions and the transactions executed with the data. Each user is engaged in data processing, and each person who adds blocks, and personal data to blocks, in the system is a data controller. Subsequent users may later add personal data to the system and obtain an exclusive right to dispose of their data stored in blocks. In this case, they can execute a transaction using the data. If, as a result of a transaction, the right to dispose of personal data stored in the block is transferred to another user (i.e. the recipient of the data, who will have the exclusive right of disposal), NAIH considers this user a data controller.
While it provides practical guidance on how to identify the data controllers and data processors in the blockchain, NAIH does not address how fintech companies can follow this approach in the case of a large blockchain, and in particular compliance with “data protection by design” obligations. NAIH does not go into detail about technical solutions – e.g. data access management platforms – to address the complex obligations of fintech companies to demonstrate that they are compliant when processing data in the blockchain.
In regard to data protection law, NAIH accepts that blockchain users may carry out data processing under various jurisdictions. In these cases, it proposes that companies should identify the country where the data is being processed. In the case of blockchain, this would be the country where the data controller is carrying out the actual data processing operations (i.e. where he or she places a transfer order, accesses and adds data to the blockchain, mines Bitcoin, or issues orders to carry out operations). NAIH confirms that the physical location of the data in the blockchain is irrelevant, but states that the CJEU approach in the Google Spain case would also apply. While the examples provided by NAIH are a good starting point for fintech companies to determine what laws are applicable to their operations, the GDPR will also have a major impact on the industry. NAIH will provide guidance until 25 May 2018 on how the GDPR will affect the application of Hungarian data protection laws in the fintech industry.
Regarding the question whether the long-term use of blockchains makes users and their patterns of behaviour vulnerable to monitoring and profiling, NAIH states that this risk depends on the characteristics of a specific system, the data processed in it, and its auxiliary data processing operations.
In conclusion, the NAIH guidance is highly important since Hungary has a dynamic, privacy-sensitive fintech scene. NAIH touches on key points of the data protection obligations of companies, but it is clear that market players and users expect more detailed sector-specific guidance in the following areas: data protection by design, subject access rights, data retention, data reversibility, data security, and transparency obligations.