By: Gauci-Maistre Xynou (Legal | Assurance)
The General Data Protection Regulation (GDPR) as well as blockchain technology may both be lauded for having reached evolutionary milestones in their respective fields of data privacy and innovative technologies.
Combining these fields is however giving rise to unprecedented concerns. Although GDPR and blockchain technology protect data, ironically data protection compliance is turning out to be significantly challenging for government agencies and private companies alike when seeking to make use of hashing technology. It is pertinent to observe that the GDPR was drafted prior to blockchain’s insurgent impact in the digital world hence any tensions between the two had not as yet been envisaged.
The GDPR is concerned with the protection of personal data; this being “any information relating to an identified or identifiable natural person (‘data subject’)”. A vast array of information could be deemed as constituting personal data, as can be evidenced from the broad interpretation of ‘personal data’ adopted by the European Court of Justice (“CJEU”) in Case C-582/14 – Patrick Breyer v Bundesrepublik Deutschland. The CJEU held that dynamic IP addresses may in certain circumstances qualify as personal data.
The use of blockchain with respect to any data which does not fall within the definition of personal data automatically falls outside the scope of GDPR. In addition, anonymised data (whether personal or otherwise) also falls outside the realm of GDPR. Nevertheless, it has been observed that the threshold for characterising data as being anonymous has been set rather high[1]. In this respect, the encryption of personal data may not necessarily be sufficient for the said data to constitute anonymous data. In fact, even hashing technology is only deemed to render data pseudonymous.[2]
Key challenges being faced by hashing technology in light of mandatory GDPR compliance (across all industries) include the:
- Identification of and distinction between the data controller and the data processor for accountability purposes;
- Consequent cumbersome issue of enforcing judgments and enforcement actions;
- Reconciliation of the immutable nature of a blockchain with a data subject’s right of erasure.
Such issues are by and large amplified with respect to public, permissionless blockchains in contrast to private, permissioned blockchains. As a result, data controllers might need to consider carrying out a data protection impact assessment prior to resorting to the use of blockchains.
Given the decentralised characteristic of blockchain and the eradication of the so-called ‘middle man’, the determination of the data controller immediately becomes problematic, if not impossible. This is particularly true of public blockchains in light of GDPR defining the data controller as the person, authority, agency or other body “determin[ing] the purposes and means of the processing of personal data”, whereas the data processor, “processes personal data on behalf of the controller”. Countless participants on a public blockchain could very easily be classified as being data controllers, rendering them responsible for GDPR compliance.
On the other hand, in private blockchains, agreements could cater for defining each participant’s responsibility, hence clearly identifying the data controller. In fact, the French National Data Protection Commission (CNIL) recommends the a priori identification of the data controller, which may be done through the creation of a legal person.[3] However, any a priori identification of a data processor is only a mere start in a long road towards GDPR compliance. Data processing by a processor must be regulated by a contract or other legal act under EU or Member State law; a GDPR requirement which may not be easily achieved in the near future considering the public blockchain networks which are already in operation. Meanwhile, proponents of blockchain technology would undoubtedly argue any pre-identification largely demerits the decentralisation aspect and the much welcomed trustless systems.
Another issue in relation to blockchains concerns the transfer of public data. In terms of the GDPR a transfer of personal data to a third country or an international organisation is legally possible provided that the country or organisation in question ensures an adequate level of protection. Such a far-reaching obligation becomes near to impossible given the fact that blockchains, public blockchains in particular, know no jurisdictional boundaries. In fact, numerous nodes may be located worldwide each having a copy of the distributed ledger containing personal data. Indeed, jurisdiction and enforcement issues are bound to arise and may be best addressed on a transaction-by-transaction basis.
As pointed out above, another challenging matter stems from the immutable characteristic of blockchains. Immutability serves to ensure that data is not tampered with or deleted. While this feature has been prominently welcomed in most sectors, most notably in the financial services sector for securing and rubber-stamping financial transactions, the immutability characteristic does not secure a subject person’s ‘right to be forgotten’. In certain circumstances as provided for in the GDPR, a data subject is entitled to obtain the erasure of personal data from the controller without undue delay.
In this respect, mechanisms in smart contracts may be used to revoke or limit access rights.[4] Furthermore, developers worldwide are striving to come up with innovative solutions; with zero-knowledge proofs (ZKP) considered as fairly promising in this regard.[5] However, the GDPR does not define what constitutes ‘erasure’ and it is therefore still to be determined whether such innovative measures will suffice.
All in all, reconciliations are being tentatively envisaged yet the issues outlined above, and countless others, remain grey areas in dire need of clarification. While the reduced costs associated with blockchain networks are remarkable, preventive measures must be taken to ensure that any economic benefits are not outweighed by hefty fines incurred for non-compliance with GDPR.
For further information and/or clarification contact GAUCI-MAISTRE XYNOU Legal| Assurance or visit our website.
[1] Hogan Lovells, ‘A guide to blockchain and data protection’[ 2017]
[2] Ibid.
[3] CNIL, ‘Blockchain – Solutions for a responsible use of the blockchain in the context of personal data’ [2018]
[4] Lovells (n 1)
[5] European Commission, ‘Blockchain and the GDPR’ – a thematic report prepared by the European Union Blockchain Observatory and Forum’ (1st edn, 2018)