The European Union’s General Data Protection Regulation (GDPR) was implemented on May 25, 2018. The regulation establishes one set of data protection rules for all companies operating in the EU, attempting to give people more control over their personal data.
GDPR was first proposed in 2012 and adopted in April of 2016, occurring at a time when the development of blockchains all over the world was gaining initial traction - creating both potential legal barriers for the implementation of blockchains and opportunities for blockchain projects to help companies navigate through the GDPR regulations.
Applicability of GDPR to Blockchains
GDPR is applicable to blockchains for two reasons. First, blockchains can be used to store “personal data” related to identified or identifiable persons, which is the type of information the GDPR seeks to protect. Although the information stored in blockchains is hashed and encrypted, according to Article 29 Working Party (“WP29”), such information qualifies as personal data since hashing constitutes a technique of pseudonymization, not anonymization, as it is still possible (even if this is difficult) to link the dataset to an identifiable data subject. Also, public keys, when associated with an individual, will likely qualify as personal data. Second, the global reach of blockchain technology can trigger the GDPR to apply if it includes information pertaining to citizens of the European Union, or if nodes of the blockchain are located within the territory of the European Union.
Potential Legal Barriers
The GDPR and blockchains conflict in a few critical areas. First, how a blockchain stores data conflicts with a few GDPR rules. Blockchains utilize encryption and hashing functions to create a chain of information. When information is added to a blockchain, that piece of data is hashed. Hashing is a one-way transformation of information to an unreadable piece of data called a hash value. That piece of information is also encrypted. Encryption can be a two-way transformation of data where it is encrypted with a certain key making the information unreadable but allowing it to be decrypted to its original value with the same key. This process makes the data added to blockchains immutable, which means they cannot be changed or deleted, ever.
The immutability of the blockchain created by hashing and encrypting information directly conflicts with Article 16, “The Right to Rectification”, and Article 17, “The Right to Erasure (Right to be Forgotten).” Article 16 gives the data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Article 17 allows subjects to take a step further by stating that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. Because the information that is added to the blockchain cannot be changed or erased, any system that utilizes blockchain technology to store personal data relating to individuals in the European Union automatically violates Articles 16 and 17. Which is why it is very important that blockchain users control their own data, not a corporation that stores it and holds it. This is similar to how bitcoin can be traded p2p without much legal hassle whereas businesses often require a money services business license, office of foreign asset control screening, etc.
Another area of conflict between the GDPR and blockchains include the implementation of reasonable data protection measures and the identification of a data manager. The GDPR provides organizational guidelines that all data processors will need to adopt. The newly implemented guidelines with the most direct conflict with blockchains are Articles 25 and 32, which state that companies need to implement reasonable data protection measures such as “privacy by design” or specifically design the architecture of the data processor to automatically erase consumer data after using it. Furthermore, the organizational guidelines established in Article 33 that any entity considered to be a “data nexus” will be required to have a Data Protection Officer (DPO) responsible for managing compliance with the GDPR. This DPO will be under the legal obligation to alert the supervisory authority whenever a risk to data subject's privacy arises. However, blockchains enable multiple parties to jointly manage a set of personal data, making it difficult to determine the privacy role of each of the parties involved and enforce the privacy rules and rights set out by the GDPR, including identifying a DPO. Moreover, if there is no identifiable data manager, individuals will not be able to effectively gain control of their information in case they would like to exercise their right to rectification and right to erasure.
Benefits of Blockchains for GDPR enforcement
While blockchain and GDPR seem incompatible with one another, they share a common objective: securing the exchange of data and giving individuals more control over their personal information. Thus, if designed correctly blockchains can be useful tools to help with GDPR implementation and compliance.
For example, in Singapore, banks and other organizations successfully completed a Shared Know Your Customer (KYC) blockchain network, which allows banks and institutions to share KYC information between them. This system allows customers to share their personal data once with their bank, then, when acquiring products or services from another institution, they give consent to the network to provide the KYC evidence (not the actual personal data) to the other institution. The bank still needs to protect the data and the customer needs to trust the bank with their personal information. However, sharing information once and then providing consent to share the evidence, not the actual information, decreases the risks of data being breached and complies with GDPR rules.
The GDPR will set the global standard for personal information privacy. Thus, large corporations and startups need to make data protection and privacy a priority. Especially since a violation of the GDPR will be followed by hefty fines and penalties. Without further clarification of some of the terms of the GDPR, projects implementing blockchains for storing personal information could be in jeopardy. However, the implementation of the GDPR also created opportunities to utilize blockchains for the enforcement of the GDPR and provide better protection of data.
About the author
Liz is a third-year law student at the University of Houston Law Center focusing on the legal implications of disruptive technologies, specifically blockchain and its different applications across many industries. She is also the founder and president of the Blockchain and Cryptocurrency Law Association at the University of Houston, established to educate law students about blockchain technology and the opportunities its implementation will create for attorneys.