One of the design features of blockchain architecture is that transaction records cannot be changed or deleted after the fact.
A subsequent transaction can always annul the first transaction, but the first transaction will remain in the chain.
The GDPR recognises a right to erasure.
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
When does the right to erasure apply?
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Does erasure mean erasure?
What constitutes “erasure” is still open to debate.
Some data protection authorities have found that irreversible encryption constitutes erasure.
In a blockchain environment, erasure is technically impossible because the system is designed to prevent it.
However, smart contracts will contain mechanisms governing access rights.
Therefore the smart contract can be used to revoke all access rights, thereby making the content invisible to others, albeit not erased.
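The distinction between revoking access and erasing can be shown with a small model. This is an added example, not code from the original article; the ledger, the transaction fields and the `revoke_all` operation are hypothetical, and it assumes every read goes through the contract logic rather than through a raw copy of the chain.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev, tx):
    # Each block commits to its predecessor, so editing any block breaks the chain.
    return hashlib.sha256(json.dumps({"prev": prev, "tx": tx}, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only hash chain (hypothetical, for illustration)."""
    def __init__(self):
        self.blocks = []

    def append(self, tx):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        self.blocks.append({"prev": prev, "tx": tx, "hash": block_hash(prev, tx)})

    def verify(self):
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != block_hash(prev, b["tx"]):
                return False
            prev = b["hash"]
        return True

def readers(ledger, record):
    """Access rights are derived by replaying grant/revoke transactions in order."""
    allowed = set()
    for tx in (b["tx"] for b in ledger.blocks):
        if tx["record"] == record and tx["op"] == "grant":
            allowed.add(tx["who"])
        elif tx["record"] == record and tx["op"] == "revoke_all":
            allowed.clear()
    return allowed

def read(ledger, record, who):
    """Contract-mediated read: returns the data only to a current reader."""
    if who not in readers(ledger, record):
        return None
    return next(b["tx"]["data"] for b in ledger.blocks
                if b["tx"]["record"] == record and b["tx"]["op"] == "store")

def demo():
    ledger = Ledger()
    ledger.append({"op": "store", "record": "r1", "data": "alice@example.org"})  # constructed sample
    ledger.append({"op": "grant", "record": "r1", "who": "clinic"})
    before = read(ledger, "r1", "clinic")
    ledger.append({"op": "revoke_all", "record": "r1"})  # a later transaction annuls the grant
    after = read(ledger, "r1", "clinic")
    on_chain = any(b["tx"].get("data") == "alice@example.org" for b in ledger.blocks)
    return before, after, on_chain, ledger.verify()
```

After the revocation the contract returns nothing to the former reader, yet the personal data is still present in the first block, and overwriting it there would make `verify()` fail.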