The EU’s General Data Protection Regulation (GDPR) raises questions about the growing use of blockchain technology. To help decipher what GDPR means for DLT, the European Parliament has published a report entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” Authored by Dr. Michèle Finck, the report addresses the “tensions” between blockchain and GDPR.
The big picture
Blockchain is a much-discussed instrument that, according to some, promises to inaugurate a new era of data storage and code-execution, which could, in turn, stimulate new business models and markets. The precise impact of the technology is, of course, hard to anticipate with certainty, in particular as many remain skeptical of blockchain’s potential impact. In recent times, there has been much discussion in policy circles, academia and the private sector regarding the tension between blockchain and the European Union’s General Data Protection Regulation (GDPR). This isn’t the first time we have focused on this topic: back in November 2018 we published another article on the Modex blog about blockchain and GDPR.
Indeed, many of the points of tension between blockchain and the GDPR are due to two overarching factors. First, the GDPR is based on an underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. These data controllers must comply with the GDPR’s obligations. Blockchains, however, are distributed databases that often seek to achieve decentralization by replacing a unitary actor with many different players. The lack of consensus as to how (joint-) controllership ought to be defined hampers the allocation of responsibility and accountability.
Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements, such as Articles 16 and 17 GDPR. Blockchains, however, render the unilateral modification of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Furthermore, blockchains underline the challenges of adhering to the requirements of data minimisation and purpose limitation in the current form of the data economy.
Brief overview: blockchain technology and GDPR
In recent years, there has been ample discussion of blockchain technologies (or distributed ledger technology – DLT) and their potential for the European Union’s digital single market. A recurring argument has been that this class of technologies may, by its very nature, be unable to comply with European data protection law, which in turn risks stifling its own development to the detriment of the European digital single market project. The present study, which can be read entirely here, analyses the relationship between blockchain and the GDPR, so as to highlight existing tensions and advance possible solutions.
A blockchain is a shared and synchronized digital database that is maintained by a consensus algorithm and stored on multiple nodes (computers that store a local version of the database). Blockchains are designed to achieve resilience through replication, meaning that there are often many parties involved in the maintenance of these databases. Each node stores an integral copy of the database and can independently update the database. In such systems, data is collected, stored and processed in a decentralized manner. Furthermore, blockchains are append-only ledgers to which data can be added but removed only in extraordinary circumstances.
The European Union’s General Data Protection Regulation (GDPR) became binding in May 2018. It is based on the 1995 Data Protection Directive. The GDPR’s objective is essentially two-fold. On the one hand, it seeks to facilitate the free movement of personal data between the EU’s various Member States. On the other hand, it establishes a framework of fundamental rights protection, based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The legal framework creates a number of obligations resting on data controllers, which are the entities determining the means and purposes of data processing. It also allocates a number of rights to data subjects – the natural persons to whom personal data relates – that can be enforced vis-à-vis data controllers.
Tensions between blockchain and GDPR
In recent years, multiple points of tension between blockchain technologies and the GDPR have been identified. Broadly, it can be argued that these tensions are due to two overarching factors. First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. Blockchains, however, often seek to achieve decentralization in replacing a unitary actor with many different players. This makes the allocation of responsibility and accountability burdensome, particularly in light of the uncertain contours of the notion of (joint)-controllership under the regulation. A further complicating factor in this respect is that in the light of recent case law developments, defining which entities qualify as (joint-) controllers can be fraught with a lack of legal certainty.
Secondly, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Again, the uncertainties pertaining to this area of data protection law are increased by the existing uncertainty in EU data protection law. For instance, it is presently unclear how the notion of ‘erasure’ in Article 17 GDPR ought to be interpreted.
It will be seen that these tensions play out in many domains. For example, there is an ongoing debate surrounding whether data typically stored on a distributed ledger, such as public keys and transactional data, qualifies as personal data for the purposes of the GDPR. Specifically, the question is whether personal data that has been encrypted or hashed still qualifies as personal data. Whereas it is often assumed that this is not the case, such data likely does qualify as personal data for GDPR purposes, meaning that European data protection law applies where such data is processed. More broadly, this analysis also highlights the difficulty in determining whether data that was once personal data can be sufficiently ‘anonymized’ to meet the GDPR threshold of anonymization.
Data minimisation and purpose limitation
Another example of the tension between blockchain and the GDPR relates to the overarching principles of data minimization and purpose limitation. Whereas the GDPR requires that personal data that is processed be kept to a minimum and only processed for purposes that have been specified in advance, these principles can be hard to apply to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added. In addition, such data is replicated on many different computers. Both aspects are problematic from the perspective of the data minimization principle. It is moreover unclear how the ‘purpose’ of personal data processing ought to be applied in the blockchain context, specifically whether this only includes the initial transaction or whether it also encompasses the continued processing of personal data (such as its storage and its usage for consensus) once it has been put on-chain.
Blockchain and the right to be forgotten
It is the tension between the right to erasure (‘right to be forgotten’) and blockchains that has probably been discussed most in recent years. Indeed, blockchains are usually deliberately designed to render the (unilateral) modification of data difficult or impossible. This, of course, is hard to reconcile with the GDPR’s requirements that personal data must be amended (under Article 16 GDPR) and erased (under Article 17 GDPR) in specific circumstances.
The European Parliament’s report leads to two conclusions. First, the very technical specificities and governance design of blockchain use cases can be hard to reconcile with the GDPR. Therefore, blockchain architects need to be aware of this from the outset and make sure that they design their respective use cases in a manner that allows compliance with European data protection law. Second, the report also stresses that the current lack of legal certainty as to how blockchains can be designed in a manner that is compliant with the regulation is not just due to the specific features of this technology. Rather, examining this technology through the lens of the GDPR also highlights significant conceptual uncertainties in relation to the regulation, the relevance of which significantly exceeds the specific blockchain context.
Blockchain as a means to achieve GDPR objectives
It has been argued that blockchain technologies might be a suitable tool to achieve some of the GDPR’s underlying objectives. Indeed, blockchain technologies are a data governance tool that could support alternative forms of data management and distribution and provide benefits compared with other contemporary solutions. Blockchains can be designed to enable data-sharing without the need for a central trusted intermediary, they offer transparency as to who has accessed data, and blockchain-based smart contracts can moreover automate the sharing of data, hence also reducing transaction costs. Furthermore, blockchains’ crypto-economic incentive structures might have the potential to influence the current economics behind data-sharing.
These features may benefit the contemporary data economy more widely, such as where they serve to support data marketplaces by facilitating the inter-institutional sharing of data, which may, in turn, support the development of artificial intelligence in the European Union. These same features may, however, also be relied upon to support some of the GDPR’s objectives, such as to provide data subjects with more control over the personal data that directly or indirectly relates to them. This rationale can also be observed on the basis of data subject rights, such as the right of access (Article 15 GDPR) or the right to data portability (Article 20 GDPR), that provide data subjects with control over what others do with their personal data and what they can do with that personal data themselves. Furthermore, DLT could support control over personal data in allowing subjects to monitor respect for the purpose limitation principle. In the same spirit, the technology could be used to help with the detection of data breaches and fraud.
Permissioned blockchain and GDPR
The European Parliament’s study asserts that permissioned blockchains are far easier to reconcile with the GDPR. But even then, they must be addressed on a case-by-case basis. It is possible to create a blockchain which provides the benefits of a data-driven economy while empowering an individual to control their information, according to the author. On this basis the paper provides three recommendations: “First, it was suggested that regulatory guidance on the interpretation of certain elements of the GDPR when applied to blockchains should be provided to generate more legal certainty in this area. Second, it was recommended that codes of conduct and certification mechanisms should be encouraged and supported. Third, it was recommended that funding be made available for interdisciplinary research exploring how blockchains’ technical design and governance solutions could be adapted to the GDPR’s requirements, and whether protocols that are compliant by design may be possible.”
The key takeaway from this study should be that it is impossible to state that blockchains are, as a whole, either completely compliant or non-compliant with the GDPR. Rather, while numerous important points of tension have been highlighted, ultimately each concrete use case needs to be examined on the basis of a detailed case-by-case analysis. The second key element highlighted in this study is that whereas there certainly is a tension between many key features of blockchain technologies’ setup and some elements of European data protection law, many of the related uncertainties should not only be traced back to the specific features of DLT. Rather, examining this technology through the lens of the GDPR also highlights significant conceptual uncertainties in relation to the regulation, the relevance of which significantly exceeds the specific blockchain context.
Indeed, the analysis has highlighted that the lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard to determine how the latter should apply to this technology, but also to others. This is, for instance, the case regarding the concept of anonymous data, the definition of the data controller, and the meaning of ‘erasure’ under Article 17 GDPR. A further clarification of these concepts would be important to create more legal certainty for those wishing to use DLT, but also beyond, and thus also to strengthen the European data economy through increased legal certainty.
The study has also highlighted that blockchains can offer benefits from a data protection perspective. Importantly, this is by no means automatically the case. Rather, blockchains need to be purposefully designed in order for this to be realized. Where this is the case, they may offer new forms of data management that provide benefits to the data-driven economy and enable data subjects to have more control over personal data that relates to them.
Last, but not least, the European Parliament’s report has formulated three broad policy recommendations. First, it was suggested that regulatory guidance on the interpretation of certain elements of the GDPR when applied to blockchains should be provided to generate more legal certainty in this area. Second, it was recommended that codes of conduct and certification mechanisms should be encouraged and supported. Third, it was recommended that funding be made available for interdisciplinary research exploring how blockchains’ technical design and governance solutions could be adapted to the GDPR’s requirements, and whether protocols that are compliant by design may be possible.