In the last two years, there has been a steady increase in the number of discussions around two important topics: the new EU law called the General Data Protection Regulation (GDPR) and the technological developments in the field of the blockchain. While data protection authorities have clarified many aspects of the GDPR and financial authorities have explained in detail the laws applying to blockchain technologies, no legal guidance has been provided regarding the intersection between the GDPR and blockchain. Below, we discuss the blockchain aspects that may cause GDPR-related issues (Section 2) and provide recommendations on how the EU can facilitate the development of blockchain technologies without compromising the privacy of data subjects (Section 3). At the end of the article, we provide concluding remarks (Section 4).
2. The blockchain aspects that may cause GDPR-related issues
One of the main characteristics of blockchain technologies is that they permanently record all transactions in a way that makes the records difficult to modify or delete. The modification or deletion of blockchain data usually requires 50% of the computers on the network to agree to the changes. Blockchain proponents argue that the permanent record provides transaction visibility to all users of the blockchain network.
Considering the observations mentioned above, it is not clear how blockchain technologies will comply with Article 5(1)(d) and Article 17(1) of the GDPR. Article 5(1)(d) states that the data controller must erase or rectify personal data if such data is not accurate and/or up to date. Article 17(1) points out that the data controller must, upon a request of the data subject, erase the personal data of the data subject where one or more specified grounds apply.
While it is difficult to ascertain which entities act as data controllers of public blockchains, as they are completely decentralized peer-to-peer networks consisting of thousands of nodes, private blockchains may have rules authorizing administrators and other third parties to determine the purposes and means of the processing of personal data. Such administrators and third parties may be regarded as data controllers under the GDPR. Regarding public blockchains, some experts argue that any participant entering personal data in a blockchain can be regarded as a data controller and that all such participants will be regarded as joint controllers. However, since the users of public blockchains are usually anonymous, it will be virtually impossible for the privacy authorities to enforce such an interpretation of the GDPR.
Once the EU data protection authorities identify the data controller of a blockchain, they are likely to check whether the data controller enables the erasure of personal data as required by the GDPR. Even if a data controller adds the data to the blockchain in an encrypted form, the data controller will not satisfy the requirements of the GDPR, as they require erasure, not encryption.
The requirements of the GDPR force organizers of blockchain-related activities to choose between less decentralized blockchains, which will allow the organizers to delete personal data as required by the GDPR, and more decentralized blockchains, which may breach the GDPR. Neither option is desirable, as decentralization is one of the most attractive features of blockchain technologies and the sanctions imposed by the GDPR are significant (up to EUR 20 million or 4% of the annual global turnover of the non-compliant organization).
Since the GDPR may hamper the development of blockchain technologies, which promise to revolutionize various industries ranging from the provision of financial services to information security services and voting, there is a pressing social need to find a balance between enabling the future development of blockchain technologies and protecting the privacy of the users of such technologies.
3. Facilitating the development of blockchain without compromising privacy rights
The EU legislators can find the balance between blockchain and privacy by adding a separate clause which applies specifically to blockchain technologies. The nature of such technologies requires a different privacy approach. It is worth mentioning that, although mostly technology-neutral, EU law often addresses specific technologies. To illustrate, the EU ePrivacy directive imposes specific requirements regarding cookies (small pieces of data that websites ask users’ browsers to store on their computers). The requirements include, without limitation, obtaining users’ consent to install cookies on their computers and providing users with information about cookies.
The new clause in the GDPR needs to state that, if data subjects expressly agree that their personal data will be permanently recorded in a blockchain network, data controllers should not be obliged to erase or modify the recorded data. Such an exemption will ensure that data subjects are aware that their data will be permanently recorded and that blockchain networks containing personal data of EU residents will operate on the right side of EU law.
Critics of the idea mentioned in the preceding paragraph may argue that such a clause will limit the freedoms of data subjects because, once they provide their explicit consent, they will not have the freedom to revoke it. However, there are various other fields of law in which individuals provide irrevocable consent, and such consent is not generally considered unfair. For example, many websites publishing user-generated content ask their users to grant an irrevocable license to use and publish the users’ content. Once a user agrees to grant such a license, he/she is not entitled to delete his/her content from the website. Such irrevocable licenses are legal under both US and EU law. Another example can be found in the field of trademark law, where a trademark applicant is usually not entitled to remove his trademark application from the trademark register, irrespective of whether the trademark was abandoned, deregistered, or withdrawn. By submitting a trademark application, the trademark applicant usually agrees that the application will be permanently recorded in the relevant governmental trademark database.
4. Concluding remarks
By adopting the GDPR, the EU aimed to enhance the trust of consumers in digital businesses, thus hoping to foster the EU digital single market. However, if the EU does not take urgent measures to revise the GDPR so as to enable the development of blockchain technologies, the GDPR may become the “global enemy” of these fast-developing and innovative technologies.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.