Blockchain technology and the GDPR
Compliance with data privacy laws
27 March 2018
Blockchain technology is currently a hotly debated topic. Although mostly associated with Bitcoin and other cryptocurrencies, the scope of blockchain is much broader. Blockchain can be used in various fields, including banking & finance, healthcare, real estate, and energy management. It is a promising technology capable of bringing many benefits to entrepreneurs and society. However, it also carries certain risks, in particular when it comes to compliance with data protection laws.
Blockchain is one of the key technological inventions of recent times. Its importance has even been recognised by the European Commission, which recently launched the EU Blockchain Observatory and Forum to explore blockchain’s potential. However, like other technologies, blockchain does not only open up new possibilities for business, but also gives rise to several legal issues. In this article, we briefly describe why the General Data Protection Regulation (the "GDPR") may be applicable to blockchain technology and suggest what major risks may arise from using blockchain to process personal data.
Blockchain is a distributed ledger technology that records all digital transactions that have taken place across a peer-to-peer network. Each block in a blockchain consists of a list of records of executed transactions. The blocks are chained to each other sequentially using cryptographic pointers (each block carries the hash of the previous one), which help maintain the integrity of the records. Once a record has been entered in a block, it cannot be altered without leaving a trace. Thus, in principle, transaction data on the blockchain are immutable. The data are shared across the network and reconciled, with all participants in the network (nodes) holding a copy of the chain. The decentralised and distributed nature of the blockchain thus removes the need for a central administrator. Blockchain is further characterised by the transparency of all executed transactions, which is ensured by records being visible to the other participants in the network. Finally, it should be noted that there are several kinds of blockchains, each with different features or architectures.
Personal data in blockchain
The GDPR only applies to the processing of personal data and defines personal data as all information relating to an identified or identifiable natural person, such as a name or national identification number.
On a blockchain, a participant initiates a transaction by signing it with his/her private key and broadcasting the transaction to all other network participants. The other participants only see the public key representing the participant making the transaction, which does not by itself reveal that participant's identity. However, if the participant uses the same public key for several transactions, the participant can become identifiable. Therefore, the public key is regarded as personal data.
In addition, it is conceivable that the transactions on a blockchain will include personal data such as an ID number. Hashing, as used in blockchains, maps data to a code known as a hash. In a nutshell, the hash function takes input data, which may include personal data, and converts it into output data of a fixed length. A cryptographic hash function only works one way, meaning that the input cannot later be recovered from the output. The Article 29 Working Party, an EU advisory body, considers personal data hashed in this way to be pseudonymised rather than anonymised. Accordingly, this type of data remains subject to the GDPR.
As a cyberspace phenomenon, blockchain does not recognize national borders. Network participants, their computers, and persons whose data are being processed can be located anywhere in the world. Thus, it is highly probable that data processing will be subject to the regulations of various jurisdictions. This is particularly the case for public blockchains, where the applicable data protection law should be determined on a transaction-by-transaction basis. With private blockchains, the probability of a conflict of laws is somewhat lower, as it is more likely that participants will be located in one territory only. However, unlike in contractual law, parties cannot choose the data protection law that will apply to them and thus it cannot be ruled out that other data protection laws may apply.
Considering the broad territorial scope of the GDPR, which covers (i) data processing carried out by non-EU data controllers and processors processing the personal data of data subjects from the EU where the offering of goods or services is concerned, and (ii) how these non-EU data controllers and processors monitor the behaviour of EU data subjects, blockchain is likely to have an EU-related element that will trigger the application of the GDPR.
Identification of data controllers and data processors
To comply with the GDPR, it is crucial for the data controller and data processor in each blockchain to be correctly identified. In general, the data controller is the person that determines the purposes and means of processing personal data, whereas the data processor processes the personal data on behalf of the controller.
Given the decentralized nature of blockchain, where all network participants share their resources on a peer-to-peer basis and can add information to the ledger without requiring any authorization from a central administrator, identifying these persons can be a very challenging task. In general, any participant entering personal data in blocks of the chain can qualify as a data controller of the data it has provided. At the same time, any participant can be regarded as a data processor in respect of the personal data of which it has a copy.
Consequently, under the GDPR, if there are two or more controllers that jointly determine the purposes and means of processing personal data, they, as joint controllers, must conclude governance arrangements on their respective responsibilities. However, it is questionable how feasible this actually is, particularly in relation to public blockchains with thousands of nodes. The situation appears to be more straightforward with private and permissioned blockchains, as these networks are not accessible to everyone and only certain participants have permission to add information to the blocks.
Although the fact that only network participants are subject to GDPR obligations may appear to let companies providing blockchain solutions off the hook, the reality is somewhat different, in particular for blockchains that involve an administrator. Each blockchain must therefore be assessed separately to enable the roles of each party and their obligations to be identified.
Possible conflicts between blockchain technology and GDPR
We are of the opinion that the greatest challenges for blockchain in respect of the GDPR (besides determining the applicable law and correctly identifying the roles in a network) are compliance with the right to be forgotten and the principle of storage limitation.
Since being recognised by the CJEU in the Google Spain case, the right to be forgotten has been explicitly inserted into the GDPR. Essentially, this right allows data subjects to request the erasure of their personal data and obliges data controllers to do so and to notify other controllers of any such request where there are grounds for their erasure. Grounds for erasure include personal data no longer being necessary for the purposes for which they were collected or processed, and personal data being unlawfully processed.
According to the principle of storage limitation, data must be kept in such a way that enables data subjects to be identified for no longer than is necessary for the purposes for which their data are being processed.
Immutability, one of the key features of blockchain technology, seems to conflict with both the principle of storage limitation and the right to be forgotten. As mentioned above, the immutable nature of blockchain means that data added to blocks cannot generally be removed. Thus, the data controller may not be able to erase data even where grounds for their erasure exist. The deletion of data requires the cooperation of at least 51% of nodes. Not only is this threshold difficult to reach, but it may also trigger the Streisand effect, where the data subject’s attempts to have his or her personal data forgotten could conversely attract more attention.
Where the motive for erasure concerns data no longer being necessary for the original purpose, it could be argued that this data must be perpetually retained on the blockchain, the purpose of which is to achieve transparency by evidencing all transactions made at any time in the past and preventing them from being altered. Nonetheless, this argument remains to be assessed by data protection authorities. It is important to note that this would only resolve the issue surrounding one motive for erasure, rather than providing a comprehensive solution.
Although the Hungarian Data Protection Authority examined blockchain technology in the context of data protection regulation in its opinion of 17 July 2017, it did not touch upon this issue. The opinion does, however, provide guidance on basic data protection questions, such as how to determine the data controller or the legal basis for the processing of personal data in a blockchain, under the data protection laws in effect until 25 May 2018. The reaction of other data protection authorities to the processing of personal data on blockchains remains to be seen. In any case, it seems that some authorities are trying to keep pace with new technologies, so one cannot rely on being off the hook due to a lack of technological expertise on their part.
As demonstrated above, processing personal data using blockchain technology can prove problematic. However, this does not mean that blockchain technology cannot be compliant with the GDPR. Indeed, there are already blockchains that, for instance, store personal data off chain in order to keep the information editable and thus enable compliance with data protection laws. Nevertheless, before launching any blockchain technology that may process personal data, it is worth considering the legal implications in order to avoid the risk of fines under the GDPR, which may amount to up to 20 million euros or 4% of a company's total worldwide annual turnover.
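The off-chain pattern just mentioned, and the hashing point made earlier, can be shown in a small constructed model. This is an added illustration written for this article, not code from any real blockchain: the chain stores only a salted commitment to each personal record, the record itself lives in an erasable off-chain store, and erasure removes the off-chain entry without rewriting the chain. The `Ledger` class, its methods and the sample ID number are all assumptions of the example.

```python
import hashlib
import hmac
import json
import os

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def linkable_without_salt(personal_data: str, on_chain_hash: str) -> bool:
    # A plain hash of an ID number is recomputable by anyone who holds the ID,
    # which is why hashed personal data stays pseudonymous rather than anonymous.
    return sha256_hex(personal_data.encode()) == on_chain_hash

class Ledger:
    """Append-only hash chain (constructed model); only salted commitments go on chain."""
    def __init__(self):
        genesis = {"prev": "0" * 64, "payload": "genesis"}
        genesis["hash"] = self._digest(genesis)
        self.blocks = [genesis]
        self.off_chain = {}  # commitment -> (salt, personal data); this store is erasable

    @staticmethod
    def _digest(block) -> str:
        body = json.dumps({"prev": block["prev"], "payload": block["payload"]}, sort_keys=True)
        return sha256_hex(body.encode())

    def add_personal_record(self, personal_data: str) -> str:
        salt = os.urandom(16)  # random salt makes the commitment unguessable from the ID alone
        commitment = hmac.new(salt, personal_data.encode(), "sha256").hexdigest()
        self.off_chain[commitment] = (salt, personal_data)
        block = {"prev": self.blocks[-1]["hash"], "payload": commitment}
        block["hash"] = self._digest(block)
        self.blocks.append(block)
        return commitment

    def resolve(self, commitment: str):
        entry = self.off_chain.get(commitment)
        if entry is None:
            return None  # erased or never stored: the on-chain value no longer links to anyone
        salt, data = entry
        expected = hmac.new(salt, data.encode(), "sha256").hexdigest()
        return data if hmac.compare_digest(expected, commitment) else None

    def erase(self, commitment: str) -> bool:
        # Erasure touches only the off-chain store; the chain itself is never rewritten.
        return self.off_chain.pop(commitment, None) is not None

    def verify_chain(self) -> bool:
        return all(b["hash"] == self._digest(b) and (i == 0 or b["prev"] == self.blocks[i - 1]["hash"])
                   for i, b in enumerate(self.blocks))
```

After `erase`, `verify_chain` still succeeds because the commitment remains in the block; only the ability to link it to a person is gone, which is the property the off-chain approach relies on.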
Daniela Bencová, Clifford Chance, Prague also contributed to this article.