Blockchain and the GDPR: Clash of the Titans
According to published research of the Panel for the Future of Science and Technology of the European Parliamentary Research Service, it has been argued that blockchain technology might be a suitable tool to achieve some of the GDPR‘s underlying objectives, such as promoting the free flow of data and information and ensuring its safety. Indeed, as the published research further suggests, blockchain technologies are a data governance tool that could support alternative forms of data management and distribution and provide benefits compared with other contemporary solutions. Distributed ledger technologies can be designed to enable data-sharing without the need for a central trusted intermediary, they offer transparency to the person who has accessed data, and blockchain-based smart contracts can moreover automate the sharing of data, hence also reducing transaction costs. Furthermore, blockchains‘ crypto-economic incentive structures might have the potential to influence the current economics behind data-sharing.
On the other hand, as much as the abovementioned benefits may be gained by the co-existence of the two “titans” there are also suggestions to the contrary in some aspects, including but not limited to, the following:
1) Difficult to identify the data controller and processor in a blockchain context: The GDPR defines the data controller as the natural person or legal person who decides the purpose and method of personal data processing, while the data processor is the natural person or legal person who processes personal data for the data controller. However, in a distributed ledger technology system, those involved in data processing generally include nodes and users. Users (data subjects) upload their personal data to the blockchain system, while nodes are responsible for jointly processing the data uploaded by users. Due to the lack of a central controller, personal data entered in the blockchain is processed by all nodes together, so identifying the data controller may prove difficult. From a macro perspective, nodes process data to maintain the operation of the blockchain system and are the controllers of the data.
2) Difficult for data subjects to exercise their rights: According to the provisions of the GDPR, the data subject enjoys many rights, including the right to rectification, the right to erasure (the right to be forgotten), the right of access, the right to data portability, etc. However, in a distributed ledger technology system, the exercise of data subject rights may encounter obstacles, such as the the right to erasure.
3) Difficult for data controllers to fulfill their obligations: a) The GDPR requires that when data controllers transmit personal data to a third country or international organization (Articles 44-50), they must conform to a series of strict conditions, but the design of a blockchain system is not bound by national boundaries, any individual around the world has the freedom to access and handle all data blocks in the chain. Thus it is difficult to abide by the GDPR cross-border data transmission requirements within a blockchain system. b) The GDPR defines the principle of privacy by design (Article 25(1)), requiring the data controller to take appropriate steps to ensure compliance with the obligations set under the GDPR both at the time of the determination of the means for processing and at the time of the processing itself. However, many features of blockchain technology are not compatible with the GDPR, so there are difficulties in how to make a blockchain system conform to the principle of privacy by design.
Preventing the “clash” - Legal and Technical Proposals
1) Personal data off-chain processing
When a data subject exercises their right to be forgotten, the service provider can remove the "linkability" of the blockchain hash pointer to the data located in the server outside the distributed chain, thus achieving the purpose of removing personal data, in compliance with the GDPR.
2) Encryption of storage on the blockchain personal data
Personal data is stored on the chain of a blockchain, encrypted with key protection. If the data subject exercises their right to be forgotten as per the GDPR, the corresponding key may be deleted, making the personal data on the chain unavailable, in line with the right to be forgotten provided in the GDPR
3) Establishment of codes of conduct and certification mechanisms
Codes of conduct and certification mechanisms could be very useful also in the context of blockchain technologies. This could, for instance, include the design of binding network rules regarding international data transfers.
4) Establish Regulatory Guidance
- Expanded and specialized regulatory guidance could offer legal certainty compared to the current status quo.
- Redefinition of the terms “Data Controller” and “Data Processor” and expanding the scope of the concept of personal data.
- Introduction of addtiional concepts to include application developers, technology protocols and data application within the distributer ledger technology infrastructure.
Considering all the aforementioned topics as well as many more not currently covered, there is undoubtedly a lot of ground to be covered and much needed cooperation between regulators and technology experts and architects. The way forward in a manner that a clash of the two “titans” is avoided is achievable provided that pro-active steps are taken, intensive legal audits are performed and research is conducted as well as funding being made available towards achieving this goal.
Article provided by: Constantinos Andronicou (Tassos Papadopoulos & Associates, Cyprus)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database