On the 16th of October 2018, the European Union Blockchain Observatory and Forum published its first thematic report which explores the provisions of the General Data Protection Regulation in light of the rise of one of the world's most disruptive new technologies, the Blockchain.
The Report outlines the main concerns relating to the co-existence of the provisions of the GDPR and blockchain technology, which have to date not been conclusively settled by the data protection authorities, the European Data Protection Board (EDPB) or in court. It is important not to assume that using blockchain technology automatically makes an application more secure, or compliant with data protection or privacy legislation.
The concerns which arise from a GDPR perspective when addressing blockchain technology revolve around three main issues: (i) the identification and obligations of data controllers and processors; (ii) the anonymisation of personal data; and (iii) the exercise of some data subject rights. A greater part of the blockchain networks currently available are public, permissionless blockchain networks (that is, systems such as open internet) where data is publicly made available. These blockchain networks represent challenges in terms of GDPR-compliance.
The GDPR provides strict conditions on the protection of personal data, and burdens data controllers and processors with more responsibility with respect to the collection and processing of such data. However, notwithstanding the tremendous advancements brought about by blockchain technology, it is far more challenging and at times impossible to identify the role of the data controller and the data processor on a blockchain network. This raises accountability challenges, particularly in the event of a data breach.
The GDPR does not apply to anonymized data. Therefore, data must be anonymized in such a manner making it impossible to identify a natural person by any possible means, and that such anonymisation process must be irreversible rendering it impossible for the original data to be retrieved. If this standard of anonymization is not reached, then the data will be considered to be pseudonymous which is subject to the GDPR.
Furthermore, a widely perceived concern associated between blockchain and the GDPR, regardless of whether it is a public or private, permissioned or permissionless blockchain network, relates to the exercise (or otherwise) of some of the data subject rights, such as the inability to modify or erase data. Under the GDPR, data subjects are given the right to rectify and erase their data. However, blockchains are generally designed not to be altered once a particular block has been approved. The GDPR does not specifically define what constitutes erasure. However, CNIL has acknowledged that encryption techniques and key destructions may potentially be considered as erasure techniques even if erasure is not applied in its strictest sense.
Therefore, this decentralized technology raises questions particularly as to how the GDPR applies to ecosystems where there is no single, centralized, third-party data storage platform. Private, permissioned blockchain networks (that is, systems similar to Intranet) are considered to be more GDPR-compliant than public permissionless networks. Through private, permissioned blockchain networks, strict data processing rules may be imposed by ensuring that all participants on the network commit to a set of terms and conditions. However, being restricted by such contractual terms does not necessarily mean that those individuals have legitimate reasons to access the data available on the network.
In its Report, the European Union Blockchain Observatory and Forum proposed four principles which if followed, particularly when designing blockchain-based applications, would diminish the risk of breaching the GPDR provisions:
Principle 1. Start with the big picture: how is user value created, how is data used, and do you really need blockchain;
Principle 2. Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption and aggregation techniques in order to anonymise data.
Principle 3. Collect personal data off-chain or, if the blockchain cannot be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
Principle 4. Continue to innovate, and be as clear and transparent as possible with users.
Notwithstanding the above, the GDPR and blockchain technology should not be considered as incompatible. Neither does the GDPR mean the end of the blockchain innovation. Far from it! What is more fundamental to consider is how blockchain technology is being used, and not the technology itself. The GDPR cannot and does not exist in a regulatory vacuum. On the contrary, it forms part of a universe of other regulations, which balance the right to the protection of personal data against other fundamental rights. The Forum concludes its Report with the following remark - "there is no such thing as a GDPR-compliant blockchain, just as there is no such thing as GDPR-compliant internet or artificial intelligence. There are only GDPR-compliant use cases and applications".