Blockchain development bumps into GDPR’s privacy hurdles.
Mauro Provenzano
CIPP/E | Data Protection Compliance | Privacy & AI | Legal Counsel
The interplay between the GDPR and blockchain (a decentralized, immutable digital ledger) has led to various compliance issues in the data protection field. Setting those aside, and assuming that the data contained in the blockchain constitutes personal data (a question to be discussed in an upcoming paper), this article focuses on the “right to be forgotten” granted by Art. 17(1) of the regulation.
The EU General Data Protection Regulation (‘GDPR’) compels companies to comply with its data privacy standards if they want to do business in the European Union. Compliance with the GDPR, then, is not optional for them.
A blockchain, on the other hand, never forgets the information it collects: once a piece of data is recorded on the ledger, it cannot be altered or removed. This has led to the assumption that the GDPR will impede blockchain’s development, on the reasoning that recording transactions without any ability to delete or change them clearly violates the data subject’s core “right to be forgotten.”
Article 17(1) of the GDPR gives data subjects a “right to be forgotten” (right to erasure) by requiring the controller to erase personal data concerning them without undue delay, for instance upon withdrawal of consent or upon objection to the processing. However, Article 17 also recognises that this right can be overridden where the controller has overriding legitimate grounds for the processing (Art. 17(1)(c)) or where the processing is necessary for compliance with a legal obligation (Art. 17(3)(b)).
Given this tension, and because blockchain technology is becoming integral to a growing number of businesses, companies want to know with certainty how blockchain and the GDPR can coexist.
One distinction that could help bridge this ‘legal gap’ is that between public and private blockchains. In a public blockchain there is no central authority and anyone can view the information contained in the ledger (no access restrictions at all); in a private blockchain, a central authority controls who can access the data and how it is distributed and stored, which is less privacy-intrusive. Creating or adopting a private blockchain therefore lets a company identify an accountable controller and restrict who can read the data, bringing it closer to full GDPR compliance, even though it does not by itself make on-chain data erasable.
In a public blockchain, which is by definition open for anyone to join, it can be impossible to identify a central data controller responsible for compliance, so when something goes wrong there may be no identifiable liable party.
Despite this uncertainty, the ‘CNIL’ (France’s Commission Nationale de l’Informatique et des Libertés) published guidance in 2018 stating that storage of personal data on a blockchain should be restricted to “commitments” or “hashes” which link to off-chain data. The French Data Protection Authority also said that ‘permissioned’ blockchains (distributed ledgers that are not publicly accessible and are set up by a limited number of known users) are preferable to public blockchains.
The CNIL also observes that it is technically impossible to grant a data subject’s erasure request once the data itself is registered on a blockchain:
“It is therefore strongly recommended not to register personal data in cleartext on a blockchain. However, when the data recorded on the blockchain is a commitment, a hash generated by a keyed-hash function or a ciphertext obtained through ‘state of the art’ algorithms and keys, the data controller can make the data practically inaccessible, and therefore move closer to the effects of data erasure.”
Excluding the specific case of some commitment schemes, these solutions do not, strictly speaking, result in an erasure of the data, insofar as the commitment, keyed hash or ciphertext would still exist on the blockchain. However, the CNIL observes that they do allow data subjects to get closer to an effective exercise of their right of erasure.
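To make the CNIL’s recommendation concrete, the following Python example (added here; it is not part of the original article nor of any CNIL material) models the pattern: only a keyed commitment (HMAC-SHA256) of the personal data is written to an append-only ledger, while the key and the cleartext stay off-chain under the controller’s control. “Erasure” then consists of deleting the off-chain key and data, which leaves the immutable entry in place but practically inaccessible. It also shows why the hash must be keyed: a plain SHA-256 of a low-entropy value such as an e-mail address can be recovered by guessing. The `Ledger` class, the sample e-mail and the guess list are constructed for illustration and are assumptions of the example.

```python
"""Added example, not part of the original article or of the CNIL guidance.
Only a keyed commitment of personal data goes on an append-only ledger; key and
cleartext stay off-chain, so deleting them is the closest available analogue of
erasure. All names and inputs below are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: low-entropy personal data of the kind a controller
# might be tempted to write to a ledger, plus a guess list an attacker might try.
SAMPLE_EMAIL = b"alice@example.com"
GUESS_LIST = [b"bob@example.com", b"alice@example.com", b"carol@example.com"]


class Ledger:
    """Stand-in for a blockchain: entries can be appended, never changed or removed."""

    def __init__(self) -> None:
        self.entries: List[bytes] = []

    def append(self, commitment: bytes) -> int:
        self.entries.append(commitment)
        return len(self.entries) - 1


def commit(key: bytes, data: bytes) -> bytes:
    """Keyed commitment over the personal data. Without the key the value cannot be
    recomputed, so candidate values cannot be tested against it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def register(ledger: Ledger, off_chain: Dict[int, dict], data: bytes) -> int:
    """Write only the commitment on-chain; keep key and cleartext off-chain."""
    key = secrets.token_bytes(32)
    idx = ledger.append(commit(key, data))
    off_chain[idx] = {"key": key, "data": data}
    return idx


def verify(ledger: Ledger, off_chain: Dict[int, dict], idx: int) -> bool:
    """While the off-chain record exists, the ledger entry proves the data is what was committed."""
    rec = off_chain.get(idx)
    if rec is None:
        return False
    return hmac.compare_digest(ledger.entries[idx], commit(rec["key"], rec["data"]))


def erase(ledger: Ledger, off_chain: Dict[int, dict], idx: int) -> bool:
    """'Erasure' under this design: delete key and cleartext off-chain.
    Returns True when the ledger entry still exists (it always does) but the link is gone."""
    off_chain.pop(idx, None)
    return idx < len(ledger.entries) and idx not in off_chain


def dictionary_attack(target: bytes, candidates: List[bytes],
                      key: Optional[bytes] = None) -> Optional[bytes]:
    """Try to recover the personal data behind an on-chain value by guessing.
    key=None models an attacker who reads the ledger but has no off-chain key."""
    for c in candidates:
        digest = hashlib.sha256(c).digest() if key is None else commit(key, c)
        if hmac.compare_digest(digest, target):
            return c
    return None


def scenario() -> dict:
    """Run the full life cycle and report what an observer of the ledger can learn."""
    ledger, off_chain = Ledger(), {}
    idx = register(ledger, off_chain, SAMPLE_EMAIL)
    key = off_chain[idx]["key"]
    valid_before = verify(ledger, off_chain, idx)
    # A plain hash of the same e-mail, the design the CNIL warns against, for comparison.
    naive = hashlib.sha256(SAMPLE_EMAIL).digest()
    erased = erase(ledger, off_chain, idx)
    return {
        "valid_before_erasure": valid_before,
        "erased": erased,
        "entry_still_on_chain": len(ledger.entries) == 1,
        "naive_hash_recovered": dictionary_attack(naive, GUESS_LIST),
        "keyed_recovered_without_key": dictionary_attack(ledger.entries[idx], GUESS_LIST),
        "keyed_recovered_with_key": dictionary_attack(ledger.entries[idx], GUESS_LIST, key),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")
```

The same pattern applies to the ciphertext option the CNIL mentions: encrypt the record, keep only the ciphertext on-chain, and delete the key to “erase”. In both cases the residual on-chain value is not erased in the strict sense, exactly as the CNIL notes, and the protection depends entirely on the key being generated with enough entropy, never written to the ledger, and actually destroyed from every backup when the data subject exercises the right.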
The European Data Protection Board is still working on blockchain guidance, but in the meantime blockchain as such cannot be deemed legal or illegal in itself. It is the way it is used and the objectives pursued through it that may tip it to one side or the other.
For the time being, this legal uncertainty is an incentive for many companies not to use blockchain, at least until they can see light at the end of the tunnel.