Last December we published a white paper titled “Blockchain and GDPR. How businesses can make them work harmoniously”. While its contents are still mostly relevant, the growing number of Blockchain applications requires continuously analysing the compatibility between this set of technologies and the GDPR requirements.
One of the ambitions around GDPR was that it would be technology-neutral, but it was written when Blockchain wasn’t mainstream. That is why MEP Jan Philip Albrecht, who played a critical role in the development of the regulation, said that “certain technologies will not be compatible with the GDPR”, and “Blockchain probably cannot be used for the processing of personal data”. The lack of compatibility between Blockchain applications and GDPR is also noted by the World Economic Forum.
In February 2018, the International Association of Privacy Professionals posted an article (not entirely convincing, actually) titled Blockchain technology is on a collision course with EU privacy law. It is not surprising that, one year after, the European Review of Private Law published a piece by Lokke Moerel, under the title Blockchain & Data Protection … and Why They Are Not on a Collision Course.
Blockchain and the right to be forgotten
One of the main concerns around processing Personal data on the Blockchain concerns the fact that information recorded on (a typical) blockchain can’t be erased. This appears to be incompatible with the GDPR, as we saw above.
The debate, then, is whether Blockchain applications that process Personal data are GDPR-compliant. So far, there are few, if any, official legal analyses by data protection authorities, governments and lawmakers on how Blockchain applications can meet the GDPR’s right to erasure. But if this matter isn’t addressed correctly, it might discourage wider adoption of the Blockchain.
The question appears to be: can the right to be forgotten be met if a workaround is put in place to ensure that, in any context and at any time, Personal data on the Blockchain is made inaccessible to each and all members of the network or of the public?
In other words, could the use of private chains and off-chain solutions, with a hash serving as a reference to Personal data stored in a database outside the Blockchain, help in meeting the GDPR requirements? Lawyers, technologists and legislators must work to agree on how the GDPR can be interpreted to enable the Blockchain to function within its provisions.
Blockchain and Data controllers
The concept of Data controller is ill-fitting when applied within the Blockchain space. It can be said that, in a blockchain, the Data controller is essentially a network of thousands of people, who change constantly. It is very hard, if not impossible, to identify who they are and where they are.
The French data protection authority (Commission Nationale de l’Informatique et des Libertés, CNIL) issued guidance on the Data controller and Data processor roles within the Blockchain. CNIL determined that all the participants in a blockchain must be considered Data controllers and that at least one of them must have a fraction of decision-making power. In other words, CNIL says: “You have to agree on who would be the primary contact for all of you”. So far, the rule CNIL set is not enforceable, and applicable only to (relatively small) private permissioned blockchains.
The topic should be addressed more carefully.
Blockchain and Personal data
Another interesting topic is how to define what constitutes Personal data within the Blockchain. A piece of information falls within the category of Personal data if it reasonably allows the identification of a person. If it’s just a hash or a set of numbers, it can be said that it doesn’t allow the identification of a person; therefore, it’s not Personal data.
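As an added illustration of the off-chain pattern discussed above (example code written for this post, not taken from the white paper or any project), the sketch below keeps Personal data in an off-chain store and anchors only a salted commitment on the ledger; a bare hash is shown beside it because a hash of low-entropy data such as an e-mail address can be matched back to the person by anyone who already knows the address, which bears on whether “just a hash” escapes the definition of Personal data. The store, record ids and ledger list are constructed stand-ins.

```python
import hashlib
import hmac
import secrets


def commitment(data: str, salt: bytes) -> str:
    """Salted (keyed) hash: without the salt the value cannot be recomputed."""
    return hmac.new(salt, data.encode(), hashlib.sha256).hexdigest()


def naive_hash(data: str) -> str:
    """Anti-pattern: a bare hash is deterministic for everyone."""
    return hashlib.sha256(data.encode()).hexdigest()


def is_linkable(on_chain_value: str, candidate: str) -> bool:
    """Anyone who knows (or can guess) the value can confirm the link."""
    return naive_hash(candidate) == on_chain_value


class OffChainStore:
    """Constructed stand-in for the database outside the Blockchain."""

    def __init__(self):
        self.records = {}  # record_id -> {"data": str, "salt": bytes}

    def put(self, record_id: str, data: str) -> str:
        salt = secrets.token_bytes(32)  # one random salt per record
        self.records[record_id] = {"data": data, "salt": salt}
        return commitment(data, salt)  # only this value goes on-chain

    def erase(self, record_id: str) -> None:
        self.records.pop(record_id, None)  # data and salt gone together

    def verify(self, record_id: str, on_chain_value: str) -> bool:
        rec = self.records.get(record_id)
        if rec is None:
            return False  # erased: the on-chain value is now just noise
        expected = commitment(rec["data"], rec["salt"])
        return hmac.compare_digest(expected, on_chain_value)


def demo():
    """Returns (bare hash linkable, verifiable before, verifiable after erasure, bare hash still linkable)."""
    chain = []  # constructed stand-in for an append-only ledger
    store = OffChainStore()
    email = "alice@example.com"  # constructed sample value
    chain.append(naive_hash(email))           # anti-pattern on-chain
    chain.append(store.put("rec-1", email))   # salted commitment on-chain
    before = store.verify("rec-1", chain[1])
    store.erase("rec-1")
    after = store.verify("rec-1", chain[1])
    return is_linkable(chain[0], email), before, after, is_linkable(chain[0], email)
```

The bare hash stays linkable after erasure because it depends only on the e-mail address; the salted commitment stops being verifiable once the off-chain record and its salt are deleted.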
Once again, only lawmakers and national data protection authorities can provide the Blockchain market with adequate guidelines about this topic.