As European policymakers were finalising aspects of the General Data Protection Regulation (GDPR), we have seen rapid developments in blockchain technology. This is a technology with immense potential for practical application, which boasts of a decentralised, immutable and transparent system, essentially providing a safer environment for data that is being transferred and stored indefinitely. However, now that the GDPR is in effect and we have started to comprehend its practical implications, one immediately notes the apparent conflict there is between some of the most prominent rules established by the GDPR and blockchain technology.
Main Tensions
The Role of the Data Controller
The data controller has a crucial role under the GDPR as the architect and main point of accountability for data processing. All the rules and principles established by the GDPR revolve around the identification of a data controller which determines the purposes and means for data processing. Conversely, one of the main advantages provided by blockchain technology is its decentralised nature, which eliminates the need of having a single entity with ultimate control over the network. Therefore in such a decentralised system, the identification of the data controller becomes somewhat problematic.
In a private permissioned blockchain it is certainly easier to identify a data controller, as the administrator of the blockchain would essentially control the network. However, in a public permissionless blockchain there is no such administrator managing the network. This situation has stimulated an interesting academic debate as to which party is the data controller.
General Principles for Data Processing
Article 6 of the GDPR deals with the lawfulness of data processing. In addition to the previously mentioned issue of identifying a data controller who should be responsible for ensuring a valid legal basis, there are other challenges with the application of a specific legal basis in a blockchain context. For example, in case the appropriate legal basis to be used is 'consent of the data subject', it seems unlikely that the strict requirements for a valid consent can be achieved in a blockchain setting. One may argue that by initiating a transaction on the blockchain, the user is entering into a contract and therefore the applicable legal basis for processing may be its 'necessity for the performance of such contract'. However, in a public permissionless blockchain there is no actual contract and no actual named counterparty, which renders such a contract unlikely to be enforced.
The general principles of 'purpose limitation', 'data minimisation', 'accuracy' and 'storage limitation', seem to clash with the way blockchain technology mainly functions and stores data. Reason being that such technology was developed in a manner which makes it extremely difficult to tamper with data stored on any particular block within the network.
Data Subject Rights
The fulfilment of the right of access as established by article 15 of the GDPR effectively requires the presence of an entity that is collecting and storing personal data in a centralised manner. Due to the decentralised nature of blockchain technology, it seems that none of the parties which may qualify as data controllers may be able to satisfy this right. Furthermore, in a public permissionless blockchain, the network users themselves may obtain a copy of all data, including their own. However, it is unclear whether authorities and courts of law will consider this as a satisfactory solution under the GDPR.
The GDPR also provides data subjects with a right to request the rectification or erasure of their personal data. In addition to the issues of identifying and contacting the data controller/s, the rectification or erasure of data presents further difficulties due to blockchain's immutability.
The application of the rights to restrict processing, data portability, and objection to the processing of personal data is also problematic primarily due to the difficulty in identifying a centralised data controller that is storing data as well as determining the purposes and means of processing. Without a clear definition of the roles and respective responsibilities established by the GDPR, it seems unlikely that a data subject would ever be able to achieve the level of control over his or her personal data which the GDPR seeks to provide through these data subject rights.
Territoriality
Data controllers are also subject to obligations relating to the location of their processing activities. The parties to a transfer of personal data outside the European Economic Area might be required to implement certain appropriate safeguards, such as entering into the standard data protection clauses adopted by the European Commission. Naturally, the implementation of these safeguards requires a clear understanding of the data flow, as well as the identification and specific location of the parties sending and receiving personal data.
Compliance with these rules is particularly challenging in the context of a public permissionless blockchain as the nodes and participants may be located all over the world, which in turn may result in a considerable amount of continuous transfers of personal data outside the European Union. This might cause the entry into standard contractual clauses to be a rather impractical and unattainable approach.
Conclusion
Due to these tensions, the application of the GDPR to a public permissionless blockchain is a difficult task. The roots of these tensions may trace back to the nature of the technology itself. Since it is designed in a decentralised and distributed structure, blockchain conflicts with the foundations of the GDPR which is based on a centralised model of data processing. Accordingly, the conflict between blockchain technology and the GDPR is quite extensive, resulting in a deep level of legal uncertainty in this area. Nevertheless, there is currently an ongoing discussion about potential solutions which may be adopted to resolve these tensions both from a legal as well as from a technical perspective. Please follow this space for insight into these potential legal and technical solutions.
Originally published 30 June, 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
