In recent years, multiple points of tension between blockchain technologies and the GDPR have been identified. These are examined in a new study written by Dr Michèle Finck at the request of the Panel for the Future of Science and Technology (STOA) and managed by the Scientific Foresight Unit, within the Directorate-General for Parliamentary Research Services (EPRS) of the Secretariat of the European Parliament.
Broadly, it can be argued that these tensions are due to two overarching factors.
First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. Blockchains, however, often seek to achieve decentralisation in replacing a unitary actor with many different players. This makes the allocation of responsibility and accountability burdensome, particularly in light of the uncertain contours of the notion of (joint)-controllership under the regulation. A further complicating factor in this respect is that in the light of recent case law developments, defining which entities qualify as (joint-) controllers can be fraught with a lack of legal certainty.
Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Again, the uncertainties pertaining to this area of data protection law are increased by the existing uncertainty in EU data protection law. For instance, it is presently unclear how the notion of ‘erasure’ in Article 17 GDPR ought to be interpreted.
It will be seen that these tensions play out in many domains. For example, there is an ongoing debate surrounding whether data typically stored on a distributed ledger, such as public keys and transactional data qualify as personal data for the purposes of the GDPR. Specifically, the question is whether personal data that has been encrypted or hashed still qualifies as personal data. Whereas it is often assumed that this is not the case, such data likely does qualify as personal data for GDPR purposes, meaning that European data protection law applies where such data is processed. More broadly, this analysis also highlights the difficulty in determining whether data that was once personal data can be sufficiently ‘anonymised’ to meet the GDPR threshold of anonymisation.
Another example of the tension between blockchain and the GDPR relates to the overarching principles of data minimisation and purpose limitation. Whereas the GDPR requires that personal data that is processed be kept to a minimum and only processed for purposes that have been specified in advance, these principles can be hard to apply to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added. In addition, such data is replicated on many different computers. Both aspects are problematic from the perspective of the data minimisation principle. It is moreover unclear how the ‘purpose’ of personal data processing ought to be applied in the blockchain context, specifically whether this only includes the initial transaction or whether it also encompasses the continued processing of personal data (such as its storage and its usage for consensus) once it has been put on-chain.
It is the tension between the right to erasure (the ‘right to be forgotten’) and blockchains that has probably been discussed most in recent years. Indeed, blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible. This, of course, is hard to reconcile with the GDPR’s requirements that personal data must be amended (under Article 16 GDPR) and erased (under Article 17 GDPR) in specific circumstances.
These and additional points of tension between the GDPR and blockchain are examined in detail below. This analysis leads to two overarching conclusions.
First, that the very technical specificities and governance design of blockchain use cases can be hard to reconcile with the GDPR. Therefore, blockchain architects need to be aware of this from the outset and make sure that they design their respective use cases in a manner that allows compliance with European data protection law.
Second, it will however also be stressed that the current lack of legal certainty as to how blockchains can be designed in a manner that is compliant with the regulation is not just due to the specific features of Blockchain and the General Data Protection Regulation III this technology. Rather, examining this technology through the lens of the GDPR also highlights significant conceptual uncertainties in relation to the regulation that are of a relevance that significantly exceeds the specific blockchain context. Indeed, the analysis below will show that the lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard to determine how the latter should apply both to this technology and to others.
In order to reach this conclusion, this report evaluates those aspects of European data protection law that have to date proven to be the most relevant in relation to blockchain. This includes the regulation’s territorial and material scope, the definition of responsibility though a determination of which actors may qualify as data controllers, the application of the core principles of personal data processing to blockchains, the implementation of data subject rights in such networks, international data transfers and the possible need for data protection impact assessments.
Whereas much of the debate has focused on the tensions between blockchains and European data protection law, the former may also provide means to comply with the objectives of the latter.
„For more than a week now, ScoreRise enrolls daily hundreds of users through an innovative facial recognition interface. Enrollment takes less than a minute and it does not require presence of a human operator or video recording. And, of course, it stays fully GDPR compliant with help from Reff & Associates and Deloitte Romania.”