Can Blockchain Prosper Under GDPR Stipulations?
Simone Domenico Casadei Bernardi
100+ FinTechs say that I'm the one able to mix compliance with business growth and innovation. | Compliance Manager
With the immutable nature of blockchain directly conflicting with GDPR’s requirement to delete personal data, is there a way to reconcile the inconsistencies between the two?
The General Data Protection Regulation (GDPR) was first approved and adopted by the European Union (EU) Parliament in April 2016 and became effective on 25th May 2018.
This comprehensive ruling towards handling data applies to not only EU-based companies but also global firms who collect and manage data of EU citizens and legal entities.
Before its implementation, the legislation had been developed over the previous 25 years to keep pace with the expansion of technology.
However, the evolution of technology has happened rapidly, leaving the European Legislators struggling to keep up. Unsurprisingly, blockchain falls under this remit.
The incredible development of blockchain is on the verge of revolutionising the financial industry and the way the market operates. But with its immutable nature clashing with GDPR’s push towards data transparency and safeguarding, blockchain technology has left people perplexed about whether and how the two can work cohesively.
Let’s explore.
Why GDPR isn’t black and white
Despite many people deeming it impossible to store any kind of personal data on a blockchain while adhering to GDPR stipulations, it ultimately boils down to the specific circumstances of your firm.
Interestingly, the ‘right to be forgotten’ is one of the pillars of GDPR, yet it leaves a loophole that blockchain technology can exploit.
According to Article 17, the ‘right to be forgotten’ can be used under the following circumstances:
- If personal data is no longer needed for the purpose.
- If it was processed under consent and the consent has been withdrawn.
- If it was processed under legitimate interest, however, this has been challenged and no overriding interests prevail.
- If the processing of the data was unlawful in the first place.
However, the ‘right to be forgotten’ doesn’t apply if the processing is still relevant for the performance of a contract, for scientific or historical reasons to support the public interest, to comply with a legal obligation, or if the legitimate interest continues to overrule the interest of the data subject.
So, if a controller makes personal data public, they must inform others who are processing the data that it needs to be deleted.
It’s also worth pointing out that blockchain technology isn’t always immutable. The very first paper on the blockchain, “Bitcoin: A Peer-to-Peer Electronic Cash System”, already mentions the idea of pruning:
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.
This means that there’s a technical method to delete certain data from the chain without breaking the system – if desired.
Later-generation protocols, such as EOSIO, provide a more advanced solution on the matter. This involves having block producers in place, operating under a constitution, who can remove data or mutually agree to block access for particular people on the outside.
Granted, this reduces the blockchain’s transparency and partially centralises the system, but it is certainly a viable way to fulfil GDPR legislation while still benefiting from blockchain technology.
The final reason why GDPR isn’t a foregone conclusion is the fact that the definition of personal data isn’t 100% clear.
Within the blockchain realm, readable (plaintext) personal data shouldn’t be used, especially when it comes to public permissionless blockchains, as there’s no reason to do so.
The majority of projects store hashes of information or transactions on-chain to prove certain things off-chain. Depending on the situation, some hashes might be regarded as pseudonymous, others as anonymous.
Pseudonymous data is within the scope of the GDPR, which must therefore be followed, while anonymous data is out of scope.
Although the distinction between the two has been explained before, it hasn’t been officially adopted by the European Data Protection Board. As a result, it is a lot harder to establish whether the data must follow GDPR or not.
How can your firm use blockchain technology legitimately?
The lack of a clear and definitive answer on how GDPR applies to blockchain can make it challenging for your firm to map out a clear strategy.
However, there are particular ways of working and factors to take into consideration which can help promote blockchain GDPR compliance.
- Territorial and material scope – unless the ‘purely personal or household activity’ exemption applies, the processing of personal data by blockchains is subject to GDPR.
- Principles – your firm should carefully choose the type of blockchain that matches your design to the data protection processing principles under GDPR and look to minimise the amount of personal data stored in the chain. It’s also worth noting that no existing technical solutions will necessarily be compliant with the principle of storage limitation. Your best move is to store personal data outside of the blockchain if possible.
- Roles – those who can make entries to the blockchain should be deemed data controllers, miners who validate transactions act as processors, and those who do both (if the ‘purely personal or household activity’ exemption doesn’t apply) are the accessors. Under GDPR, any participants who decide to carry out processing operations on a blockchain will be considered joint controllers. To avoid the complexities, it’s recommended that the participants create a legal person to be the data controller or designate one participant to make all of the decisions on behalf of the group. A smart contract developer who processes personal data on behalf of a participant acting as data controller can be regarded as a processor.
- Laws – any blockchain participants must identify the lawful basis for processing and adhere to data subject rights.
- Data subject rights – the rights to information, access and portability shouldn’t cause any obvious issues. However, implementing the rights to erasure, objection and rectification on blockchain technology does come with its own set of challenges. Luckily, there are technical solutions for the exercise of those rights that can move closer towards compliance with the GDPR.
- Cross-border transfers – keeping GDPR in mind, your firm should favour permissioned blockchains as they give you better control over personal data governance – especially with transfers outside of the EU.
- Security – to ensure your blockchain technology solution is robust and secure, you need to design it to minimise any potential security issues.
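As an added example (not code from the article or from any project it mentions), the Python model below puts together two of the points above: the practice of storing only hashes on-chain to prove facts about off-chain data, and the advice to keep the personal data itself outside the blockchain so that the right to erasure can still be exercised. Each record is committed to the ledger as a SHA-256 hash over a per-record random salt plus the canonical JSON of the data; the salt and data stay in an off-chain store that the controller can delete. The `Ledger`, `OffChainStore`, `record_person`, `verify`, `erase` and `is_directly_linkable` names are assumptions made for this illustration, and the sample e-mail address is constructed.

```python
"""Off-chain personal data with on-chain salted commitments.

Added illustration of the pattern discussed in the article, not code from it.
The ledger stands in for an append-only blockchain; the store stands in for a
database under the controller's control.
"""
import hashlib
import hmac
import json
import secrets


class Ledger:
    """Append-only list of 32-byte commitments. Nothing is ever removed."""

    def __init__(self):
        self.entries = []

    def append(self, digest):
        self.entries.append(digest)
        return len(self.entries) - 1  # index acts as the on-chain reference

    def get(self, index):
        return self.entries[index]


class OffChainStore:
    """Mutable store: record_id -> {"salt": bytes, "data": dict}."""

    def __init__(self):
        self.records = {}


def canonical(data):
    # Deterministic serialisation so the same data always hashes the same way.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def commitment(salt, data):
    # Salted hash: without the secret salt the digest cannot be recomputed
    # from a guessed value, so it is not directly linkable to the subject.
    return hashlib.sha256(salt + canonical(data)).digest()


def record_person(store, ledger, record_id, data):
    """Keep personal data off-chain; put only its salted commitment on-chain."""
    salt = secrets.token_bytes(32)
    store.records[record_id] = {"salt": salt, "data": data}
    return ledger.append(commitment(salt, data))


def verify(store, ledger, record_id, index):
    """Prove the off-chain record matches what was committed on-chain."""
    rec = store.records.get(record_id)
    if rec is None:
        return False  # erased or never stored: the proof can no longer be made
    return hmac.compare_digest(commitment(rec["salt"], rec["data"]), ledger.get(index))


def erase(store, record_id):
    """Erasure request: delete data and salt. The on-chain digest stays behind
    but can no longer be tied to the person. Returns False if nothing existed."""
    return store.records.pop(record_id, None) is not None


def is_directly_linkable(data, digest):
    """Controller's own check: an unsalted hash of a known value (an e-mail,
    say) can be matched straight away, so it should be treated as
    pseudonymous data that remains within the scope of the GDPR."""
    return hmac.compare_digest(hashlib.sha256(canonical(data)).digest(), digest)


if __name__ == "__main__":
    store, ledger = OffChainStore(), Ledger()
    alice = {"email": "alice@example.com"}  # constructed sample data
    idx = record_person(store, ledger, "alice", alice)
    print("verifiable before erasure:", verify(store, ledger, "alice", idx))
    print("salted digest linkable:", is_directly_linkable(alice, ledger.get(idx)))
    erase(store, "alice")
    print("verifiable after erasure:", verify(store, ledger, "alice", idx))
    print("ledger entries kept:", len(ledger.entries))
```

The design choice worth noting is the per-record salt: an unsalted hash of an e-mail address or national ID number is trivially recomputable by anyone who knows the value, which is why such digests are usually regarded as pseudonymous rather than anonymous. With the salt deleted alongside the record, the leftover on-chain digest no longer identifies anyone, which is the closest an immutable ledger can get to honouring an erasure request.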
Conclusion
The fact that GDPR and blockchain share a similar goal to provide a transparent service means that the relationship between the two can work.
It’s a case of how your firm goes about complying and how the GDPR is interpreted. Following the guidelines above is certainly a start. However, don’t be surprised if the European Parliament ends up introducing a more conclusive ruling on the handling of GDPR and blockchain in the next couple of years. In the meantime, you must ensure that your company complies with the General Data Protection Regulation: breaches of it might result in severe fines, not to mention the reputational damage they can cause.
This article should not be construed as a recommendation, endorsement, opinion or approval of any kind. It has been produced for information only and should not be relied on for legal purposes. Professional advice should always be sought before taking action based on the information provided.