Blockchain and the General Data Protection Regulation

The debate

Blockchain promises innovative solutions across various use-cases thanks to a number of well-known features: peer-to-peer architecture that reduces the need for central authorities or intermediaries; tamper-resistance (if not immutability); and transparency. Regardless of whether these claims are to be taken at face value, they have caused skepticism amongst policymakers, regulators and industry experts about blockchain's compatibility with the GDPR. Many have even gone so far as to claim that blockchain is conceptually incompatible with this regime. Others, being more cautious, say that the problem warrants in-depth reflection. At the same time, there are stakeholders who take an entirely different approach and praise blockchain as a means of materializing the goals of the GDPR.

Core aspects of the GDPR

The GDPR is the new European framework for the protection of personal data.1 Despite the hype that came along when introduced in 2016 and around its effective date (25 May 2018), it did not depart from the rationale of the previous regime, i.e. Directive 95/46/EC (the Data Protection Directive).2 This includes a broad definition of personal data which encompasses virtually any piece of information relating to individuals, in any form whatsoever, including encrypted or otherwise pseudonymized data. The protection afforded to personal data hinges on the existence of two actors: the controller, i.e. the person or entity who decides why and how personal data is processed; and the data subject, i.e. the individual concerned who is entitled to have their data protected and can exercise a number of statutory rights. Further roles are foreseen in the GDPR, such as the processor and third parties; however, protection of personal data without both controllership and data subjects is inconceivable in the system of the GDPR.3

The GDPR is technology-agnostic and applies universally to any kind of personal data processing, no matter what the specific sector or context is, with only a few exceptions.4 Its scope includes data processing operations undertaken by controllers (or processors) established in the EU, regardless of the location of the processing operation or the residence of the data subjects. It even captures (under certain conditions) data processing operations carried out by controllers (or processors) established outside the EU, as long as they relate to data subjects who are in the EU. Its high standards of protection can therefore affect businesses around the globe. It applies to every processing operation, i.e. every use of personal data, such as collection, recording, organisation, storage, consultation, etc. It is therefore always relevant and businesses have to consider its requirements, even if in some cases it may be possible to escape its application by anonymizing data. It has been aptly called by scholars “the law of everything”.

Compliance requirements under the GDPR

Moving on to what the GDPR protection entails, it is important to consider two aspects. First of all, any data processing must observe a number of principles: lawfulness, fairness, transparency, purpose limitation, data minimization, storage limitation, confidentiality, integrity, security, etc. It is mainly the controller who is to be held responsible and accountable for this. Second, the data subject may enforce against the controller a number of rights, such as the right of access and the rights to rectification and erasure (“right to be forgotten”). Failure to satisfy data subject requests and non-compliance with the GDPR requirements may trigger fines imposed on the controller (or the processor) up to EUR 20,000,000 or 4% of total worldwide annual turnover (whichever is higher).

The "clash" between the GDPR and blockchain

Against this background, it has been strongly argued that the GDPR stands in the way of the blockchain ecosystem and innovation. It is alleged that the append-only, tamper-resistant or immutable nature of blockchain does not comply with the data minimization and storage limitation principles under the GDPR, which require the controller to do away with personal data that are no longer necessary for the processing operations originally envisaged; or with the obligation of the controller to rectify or erase data if requested by the data subject. Most importantly, commentators claim that controllership, an essential concept of the GDPR, is incompatible with the peer-to-peer, decentralized structure of blockchain. Some policymakers have even argued that a revision of the GDPR would be necessary in order to accommodate the features of blockchain. Commentators on the other side of the debate claim that blockchain’s features, such as transparency, auditability and security help to give control of data back to data subjects and thereby serve the GDPR objectives.

Our approach

The debate about blockchain’s (in)compatibility with the GDPR is misleading. Blockchain is just a technology and therefore cannot be assessed against the GDPR or any other regulatory framework. Rather than investigating blockchain’s compliance with the GDPR, we should ask this question: would it be compatible with the GDPR to use a blockchain-enabled application in a particular situation involving the processing of personal data? The answer will depend on the context of the specific processing operation concerned.

For example, suppose that the blockchain application involves an online marketplace, similar to Airbnb, where people with flats can rent them out. If the addresses and the names of the people involved in transactions are recorded on the blockchain, then its immutable character would clash with the right of erasure, as described in the GDPR. However, a different implementation would require each user to generate a public key, which links to their transactions. Ownership of the public key is proven through a private key. At the same time, the link between the public key and the users’ identity and address could be stored in a private, off-chain database. A user can then request deletion of his relevant data, which can be implemented by deleting the link between the public key and the record of his identity in the private database.

Although the link is deleted, the public key and its relation to the user’s transactions is not. However, what if a user claims that a transaction should not link to his public key, because it was entered in error, or it is disputed that it ever took place? This is also possible, in at least two ways. First, a transaction can be reversed, by appending new transactions in the blockchain. Second, a blockchain can be forked, so that a new branch is formed. If consensus on that branch is reached, then whatever was recorded in the old branch becomes irrelevant, and therefore the disputed information is erased.
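The design described in the two paragraphs above can be sketched as follows. This is an added illustration, not code from the article or from any real platform: the `Ledger` and `OffChainDirectory` classes, the random hex string standing in for a public key, and the sample name, address and flat identifiers are all constructed assumptions.

```python
import hashlib, json, secrets

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only hash chain; holds only pseudonymous keys, never names."""
    def __init__(self):
        self.blocks = []

    def append(self, pubkey, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        body = {"prev": prev, "pubkey": pubkey, "payload": payload}
        self.blocks.append({**body, "hash": _digest(body)})
        return self.blocks[-1]["hash"]

    def verify(self):
        """Recompute every hash; any edit to an earlier block breaks the chain."""
        prev = GENESIS
        for b in self.blocks:
            body = {k: b[k] for k in ("prev", "pubkey", "payload")}
            if b["prev"] != prev or _digest(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def effective(self, pubkey):
        """Transactions for pubkey not cancelled by a later reversal entry."""
        mine = [b for b in self.blocks if b["pubkey"] == pubkey]
        undone = {b["payload"].get("reverses") for b in mine}
        return [b["payload"] for b in mine
                if b["hash"] not in undone and "reverses" not in b["payload"]]

class OffChainDirectory:
    """Private, mutable store for the pubkey -> identity link."""
    def __init__(self):
        self._links = {}
    def register(self, pubkey, name, address):
        self._links[pubkey] = {"name": name, "address": address}
    def resolve(self, pubkey):
        return self._links.get(pubkey)
    def erase(self, pubkey):
        return self._links.pop(pubkey, None) is not None

def demo():
    ledger, directory = Ledger(), OffChainDirectory()
    pk = secrets.token_hex(16)  # stand-in for a real public key (constructed)
    directory.register(pk, "Alice Example", "1 Sample Street")  # constructed data
    ledger.append(pk, {"flat": "F-17", "nights": 3})
    disputed = ledger.append(pk, {"flat": "F-09", "nights": 1})
    ledger.append(pk, {"reverses": disputed})  # reversal by appending
    directory.erase(pk)                        # erasure request: drop the link
    return ledger, directory, pk
```

After `demo()`, the chain still verifies and all three entries remain tied to the pseudonymous key, while `resolve` no longer returns an identity and `effective` reports only the undisputed rental.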

It is therefore not the technology, but the specific use of technology in a particular situation that needs to be aligned with the data protection legislation. As has been demonstrated in a series of judgments by the Court of Justice of the EU, both the GDPR and its predecessor, the Data Protection Directive, are sufficiently flexible to apply to use cases of modern technologies, such as Internet-based applications, social media and search engines.

Indeed, a blockchain-enabled application, even in the extreme case of public, permissionless systems, is not devoid of controllership in the sense of the GDPR. Entry points and agents in the blockchain environment, such as cryptocurrency exchanges, digital wallets, user interfaces, or even the Internet service providers enabling the functioning of blockchain, will be allocated the respective roles under the GDPR and held responsible for compliance with its principles. In the same vein, data subject requests may very well be addressed to and enforced against those stakeholders, which replace the traditional middlemen or central authorities. Even the right to erasure does not necessarily mean deletion of a record, but rather prevention of access as described in the previous example above. It is to be noted that neither the GDPR nor the data subject rights constitute absolute rights. They are always to be balanced against other rights and obligations that come into play in each specific situation. The same is true in any kind of database, whether centralized or decentralized. For instance, a data subject request to delete one’s identity from municipal records or one’s details from a land registry office cannot be satisfied, since the interest in keeping those records proves higher in order to secure legal certainty in transactions with that person.

Our main point

Like any other technology, blockchain is neither compatible nor incompatible with the data protection rules. It is its application in a particular context which has to be assessed against those rules, and in that regard achieving compliance does not pose greater difficulties than use cases of other modern technologies. Thus, it is indeed possible to ensure compliance of a blockchain-enabled application with the GDPR. In some cases, the blockchain technology may even be more efficient at safeguarding the data subjects’ rights, as compared to private databases. For example, a data subject has the right to request access to the information that the ledger holds on them. If the ledger is a private database controlled by a single entity, the data subject can never be sure that all relevant information has been erased, because they cannot access the entirety of the database directly. Within a public and permissionless blockchain, however, the data subject can directly access and read all transactions related to their public key, therefore having direct control on the underlying information that is related to them.

Final remarks

Let us recall in that respect that the “challenges” posed by blockchain as a new technology are not novel. About 20 or 30 years ago a revolutionary technology at the time tested the applicability of traditional regulations as well: the Internet. Despite voices describing the Internet as a parallel world where amongst others the laws of contracts, consumer protection, and data protection would flounder on jurisdictional bottlenecks or otherwise, these frameworks made their way to the novel ecosystem of connected computers.

Last, but not least, what is important to bear in mind is the following: whenever implementing a blockchain-enabled application, it is crucial to agree in advance on a number of governance arrangements that would allocate responsibilities to the different stakeholders from a GDPR perspective. Although such arrangements are not binding towards the supervisors (or ultimately the Courts), they are the first step in order to secure compliance with the data protection legislation.

 

Footnotes

1 For more information on GDPR, see: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679

2 For more information on the Data Protection Directive, see: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046

3 Since blockchain is a relatively new technology, there is no consensus as to who the data controller(s) should be, particularly in a public and permissionless environment. Those who could conceivably (though not necessarily) be data controllers are, among others, the following: the protocol developers, who develop the algorithms and the software on which the blockchain operates, unless they act on behalf of third parties; the validating nodes, who store a copy of the database and update it whenever new transactions are added; the users, who generate the transactions but can also download the whole database in order to read it; other entry points and agents in the blockchain environment, as discussed in the main text. Please note in that respect that it is impossible to determine the controller’s identity in a generalised fashion, be it in blockchain applications or elsewhere. The controller, under the GDPR, constitutes an autonomous and functional principle that relies on factual analysis. In multilayer ecosystems, such as blockchain or the Internet, several actors, and therefore controllers, may be present at the same time.

4 It is important to note that the GDPR does not apply to anonymised data, which are impossible to link with specific data subjects (individuals). However, the data in a blockchain are typically pseudonymised, not anonymised. This means that they can be linked to specific data subjects, but only with the use of additional information or specific processes. Pseudonymised data are personal data and are thus within the scope of the GDPR.

Disclaimer

The material provided in this article is being provided for general informational purposes. Aaro Capital Limited does not provide, and does not hold itself out as providing, investment advice and the information provided in this article should not be relied upon or form the basis of any investment decision nor for the potential suitability of any particular investment. The figures shown in this article refer to the past or are provided as examples only. Past performance is not a reliable indicator of future results.

This article may contain information about cryptoassets. Cryptoassets are at a developmental stage and anyone thinking about investing into these types of assets should be cautious and take appropriate advice in relation to the risks associated with these assets including (without limitation) volatility, total capital loss, and lack of regulation over certain market participants. While the directors of Aaro Capital Limited have used their reasonable endeavours to ensure the accuracy of the information contained in this article, neither Aaro Capital Limited nor its directors give any warranty or guarantee as to the accuracy and completeness of such information.

Please be sure to consult your own appropriately qualified financial advisor when making decisions regarding your own investments.