Blockchain technologies are increasingly being promoted as a potential solution to a variety of data processing operations, largely due to blockchain's features of immutability, anonymity and decentralised control. For those still unfamiliar with the concept, we have written about it in the past.
However, for those businesses who are currently or are considering utilising blockchain technologies, consideration may need to be given to the consistency between blockchain and applicable privacy law. In particular, several of the requirements imposed by the GDPR (eg the right to data erasure, the right to correction of incorrect data and the right to restrict processing) appear to be difficult to reconcile with the operation of blockchain networks. While New Zealand privacy law does not go as far as the GDPR, some of the privacy principles enshrined in the Privacy Act 1993, such as Principle 7 (correction of personal information) and Principle 9 (not holding personal information for longer than necessary) are arguably equally problematic for organisations looking to utilise blockchain technology.
Recently, France's data protection authority (the CNIL), has published a report on blockchain and the GDPR. The CNIL report proposes several options to minimise the privacy risks that arise from the use of blockchain technologies, including storing the majority of the relevant data outside of the blockchain (or 'off chain') to mitigate data retention and erasure issues.
This seems to be a common approach which is being explored around the world. However, CNIL acknowledges that the solutions proposed require further consideration and innovation to ensure that they are workable in practice. CNIL also emphasises that blockchain technologies should not be implemented unless businesses are able to establish that blockchain is the most appropriate technology for the processing of personal data.
CNIL considers that the matter needs a harmonised European approach to ensure that there is a robust approach to privacy law and blockchain. The European Parliament has echoed this sentiment in its recent resolution regarding distributed technologies and blockchains, calling on the European Commission and data protection supervisors to provide further guidance on the matter. In the meantime, blockchain continues to promise a technological revolution, but its ability to deliver on that promise in practice remains largely untested.