How is blockchain technology affected by the General Data Protection Regulation (“GDPR”)?
The EU Blockchain Observatory and Forum (the “Observatory”), launched by the European Commission in February 2018, has set out to reconcile tensions inherent between the regulation of personal data and one of the world’s most disruptive new technologies. However, given the novelty and complexity of blockchain in its implementation and the almost endless use cases, grey areas remain. With an intended audience of entrepreneurs, developers, lawyers, lawmakers and regulators, the first thematic report from the Observatory, “Blockchain and the GDPR” (the “Report”) proposes to resolve these tensions and reassure innovators that the GDPR can comfortably regulate some applications of blockchain technology.
A GDPR Refresher
Readers will recall that the GDPR affects all companies that offer goods or services to EU citizens or monitor the behaviour of individuals in the EU. The Report dedicates a section to explaining the principles, rights and obligations under the regime and emphasises the importance of the “data controller” in satisfying these. The data controller is the person or body that determines the purposes and means of processing personal data. Naturally, this is difficult with distributed technologies like blockchain, because determining who the data controller is can, in certain contexts, be unclear or impossible.
The Revolution of Blockchain
Most helpfully, the Report distinguishes between two key types of blockchain: those that are public and those that are permissioned. In public, permissionless networks, anyone is allowed to participate and, unless data is encrypted, anyone can view it. In permissioned networks, by contrast, some actors must be pre-approved before they can take on certain roles on the network.
Bitcoin is the most famous type of a public, permissionless blockchain and a large portion (but not all) of the Report’s analysis is dedicated to considering this application. Permissioned networks, conversely, subsist on something akin to a private intranet between or within organisations with all of the attendant levels of control. With this distinction in mind, the Report acknowledges that there is no such thing as a GDPR-compliant blockchain technology, only GDPR-compliant use cases and applications. Permissioned networks and the organisations that use them will find it easier to comply with the GDPR because actors and information can be appropriately defined and strict data processing rules can be applied. Public, permissionless networks on the other hand will face challenges because of their distributed nature.
Tensions – Control, Anonymity, and Individual Rights
Three main tensions arise, which the Report later goes on to resolve with recommendations. The first is control: specifically, how data controllers and processors are to be identified within blockchain networks. Each blockchain has its own characteristics, and some, especially public permissionless networks, may have no single controller or processor at all, so settling these questions can be difficult.
The second is anonymity: how the anonymisation of personal data is carried out, and whether it is sufficient or remains vulnerable to reconstruction such that the data can be re-identified. Blockchain networks attempt to anonymise data through tools like obfuscation and encryption, but the techniques employed on some blockchains remain untested for vulnerabilities.
The last tension is how data subjects may exercise their individual rights, including but not limited to the rights to erasure, rectification and access. Also included are obligations requiring that personal data only be transferred to “adequate” third countries, all of which proves difficult given the distributed-ledger nature of blockchain.
Resolving the tensions
The Report proposes four rule-of-thumb principles for entrepreneurs and innovators to consider. First, it suggests that these groups start with a big-picture analysis and ask whether blockchain is really a necessary part of driving user value. Second, it suggests that entrepreneurs and innovators simply avoid storing personal data on the blockchain, and that full use be made of data obfuscation, encryption and aggregation techniques in order to anonymise data. Third, the same is suggested for the collection of personal data, which should occur off-chain or on permissioned networks. Fourth and lastly, they are encouraged to innovate transparently by applying common sense and working collaboratively.
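As an added illustration of the second principle (not code from the Report or the Observatory), the following Python sketch keeps personal data off-chain and places only a keyed commitment on an append-only ledger. It also shows the reconstruction risk from the anonymity tension: an unkeyed hash of a low-entropy value such as an e-mail address is recovered from a short candidate list, whereas a commitment keyed with a per-record secret is not, and deleting that secret off-chain leaves the immutable on-chain value inert. The ledger, the off-chain store and the sample addresses are constructed for this example.

```python
"""Off-chain personal data, keyed commitment on the ledger (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed append-only ledger: list of (record_id, commitment bytes).
ledger: list = []
# Constructed off-chain store: record_id -> (per-record key, personal data).
off_chain: dict = {}


def naive_hash(data: str) -> bytes:
    """Unkeyed hash of personal data: looks anonymous but is reconstructable."""
    return hashlib.sha256(data.encode()).digest()


def reconstruct(commitment: bytes, candidates: list) -> Optional[str]:
    """Re-identify an unkeyed hash by trying each candidate (low-entropy input)."""
    for candidate in candidates:
        if naive_hash(candidate) == commitment:
            return candidate
    return None


def record_off_chain(record_id: str, data: str) -> bytes:
    """Store the data off-chain under a fresh random key; only HMAC(key, data) goes on-chain."""
    key = secrets.token_bytes(32)
    off_chain[record_id] = (key, data)
    commitment = hmac.new(key, data.encode(), hashlib.sha256).digest()
    ledger.append((record_id, commitment))
    return commitment


def verify(record_id: str, data: str) -> bool:
    """Check that the off-chain data still matches the on-chain commitment."""
    if record_id not in off_chain:
        return False  # key erased: the on-chain value can no longer be linked to anyone
    key, _ = off_chain[record_id]
    expected = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return any(r == record_id and hmac.compare_digest(c, expected) for r, c in ledger)


def erase(record_id: str) -> None:
    """Erasure request: delete key and data off-chain; the ledger entry stays but is inert."""
    off_chain.pop(record_id, None)
```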
It is important to recognise that the Report is not a binding document and that the issues it identifies have not been settled by the relevant authorities or a court. In that sense, the Report is at the very least a signal that the European Commission is aware of how its regulations may affect innovation. That being said, this ethics-first approach to regulating technology may pose problems for innovation on blockchains by burdening developers of nascent technologies with regulatory oversight. However, with proper planning and attention to regulatory compliance requirements, blockchain companies can ensure that they adhere to the GDPR without risking their innovative vision.