On October 3, 2018, the European Parliament passed its long-awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to blockchain or “distributed ledger” technology, one of which is the tension with data protection rights and the GDPR in general.
Blockchain technology can best be described as a decentralized database containing transaction logs linked together on a network, with the most widespread example being Bitcoin. A transaction can only proceed if the link is validated in the network. A bitcoin transaction, for instance, involves logging account numbers, the sender’s and recipient’s (pseudonymized) identities and the bitcoin amount in a block. This block is then shared with the network, which validates the block. Only after validation (which in bitcoin’s case requires a specific “signature”) is the block included in the chain and the transaction executed. Note that each member in a network – which can be public or private – is in principle able to validate the information in the blocks. This is the exact strength and core functioning of blockchain. Because of these interrelated peer-to-peer validation mechanisms, blockchain technology is considered to be highly secure and accessible. Blockchain removes the need for intermediaries (such as banks), and facilitates secure transactions by the public.
The EU Parliament’s Blockchain Resolution recognizes the importance of blockchain technology’s compliance with the GDPR, and emphasizes specific risks related to privacy and data protection. It stresses that the data logged in blocks is pseudonymized, not anonymized, data. Although direct identification of individual members in a network is not possible, indirect identification is possible (through identifiers linked to the data). Pseudonymized data is within the scope of the GDPR. Accordingly, blockchain needs to take GDPR principles into account.
Although the GDPR is meant to be “technologically neutral”, and the GDPR’s principles are meant to be applied to data processing independent of the processing techniques used, applying those principles to blockchain proves highly challenging. The GDPR’s “right to be forgotten”, for instance, appears difficult to reconcile with the objectives of blockchain. Specifically, the success of blockchain relies on the logging and storing of data chains. Deletion of data would disrupt the chain and undermine the rationale of blockchain.
Earlier this year, the European Commission launched the EU Blockchain Observatory and Forum, with the purpose of mapping key initiatives and monitoring developments in the industry. On October 16, 2018, the Forum issued a report on Blockchain and the GDPR (the “Report”), which identifies additional areas of concern. The controller/processor distinction and identification – essential for allocating responsibility under the GDPR – proves difficult to translate into a blockchain context. Actors “submitting” a transaction to a network may be considered data controllers for the personal data they submit through the transaction when they do this in a business context, but will likely benefit from the household exemption when they submit data for their own personal use (for instance, to purchase bitcoins for their private bitcoin wallet). Actors “validating” a transaction in a network are also unlikely to qualify as controllers, as they only run software and process the transaction to ensure validation. The uncertainty around data controllership in blockchain applications makes it difficult to assess parties’ responsibilities under the GDPR, and further regulatory guidance in this respect is urgently needed. The Report also stresses the importance of the data minimization principle of the GDPR, and recommends analyzing to what extent blockchain effectively requires storage and processing of personal data, and if so, whether private networks could be created for blockchains that contain personal data (for instance, when using blockchain in a highly regulated sector such as the financial sector).
A resolution from the European Parliament does not have legally binding effect. A resolution merely sets out the Parliament’s political position, with a view to prompting other European Union institutions to take legislative action. With this Resolution, however, the European Parliament clearly expresses its position in support of blockchain. Its call for “open-minded, progressive and innovation-friendly regulation” could pave the way for further EU policy and legislative development in this area of cutting-edge technology.