Is blockchain technology GDPR compliant?

In recent years we have been facing two new issues – blockchain technology and the General Data Protection Regulation (hereinafter – GDPR). A blockchain network has no central authority. Since it is a shared and immutable ledger, the information in it is open for everyone to see. At the same time, the GDPR establishes a framework for the protection of fundamental rights, based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The discussion of whether blockchain is GDPR compliant is becoming more and more prominent. Due to this attention, a comprehensive study was prepared at the request of the Panel for the Future of Science and Technology and managed by the Scientific Foresight Unit, within the Directorate-General for Parliamentary Research Services of the Secretariat of the European Parliament (hereinafter – the Study).

According to the Study, the greatest tension between blockchain and the GDPR arises in a few aspects:

  1. The GDPR establishes that data subjects can address their rights under EU data protection law to a data controller (which may be a natural or legal person). Blockchains, by contrast, usually seek to achieve decentralization by replacing a unitary actor with many different players. This creates legal uncertainty, because it makes the requirements of responsibility and accountability under the GDPR much more difficult to implement.
  2. The GDPR assumes that personal data can be modified or erased where necessary to comply with legal requirements. Blockchains, by contrast, purposefully render such modifications of data onerous in order to ensure data integrity and to increase trust in the network.
  3. Data typically stored on a distributed ledger, such as public keys and transactional data, qualifies as personal data for the purposes of the GDPR. Although it is often assumed that this is not the case, such data likely does qualify as personal data, meaning that European data protection law applies where such data is processed.
  4. The GDPR relies on the overarching principles of data minimisation and purpose limitation: personal data that is processed must be kept to a minimum and processed only for purposes that have been specified in advance. It may, however, be difficult to apply these principles to blockchain technologies. Distributed ledgers are append-only databases that continuously grow as new data is added, and that data is replicated on many different computers. Both aspects are problematic from the perspective of the data minimisation principle. Moreover, it is unclear how the ‘purpose’ of personal data processing ought to be applied in the blockchain context, specifically whether it covers only the initial transaction or also the continued processing of personal data (such as its storage and its use for consensus) once it has been put on-chain.
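The second point above, that a ledger designed for integrity resists the modification and erasure the GDPR assumes, can be seen concretely in a minimal hash-chained ledger. The following Python block is an added illustration written for this article, not code from the Study or from any particular blockchain platform; the block layout, the `pubkey-*` identifiers, the sample memo text and the salt are constructed for the example. It shows that rewriting a stored record to honour an erasure request breaks verification of every later block, and then shows one design approach that is often discussed in this context: keeping the personal data off-chain and putting only a salted hash of it on-chain, so that the off-chain copy can be deleted without touching the ledger.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def block_hash(prev_hash, payload):
    """Hash the previous block's hash together with the canonical JSON of this payload."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append_block(chain, payload):
    """Append a block that commits to the previous block, making the ledger append-only."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    chain.append({"prev": prev_hash, "payload": payload, "hash": block_hash(prev_hash, payload)})
    return chain


def verify_chain(chain):
    """Return True only if every block links to its predecessor and its stored hash matches."""
    prev_hash = GENESIS_HASH
    for block in chain:
        if block["prev"] != prev_hash:
            return False
        if block_hash(block["prev"], block["payload"]) != block["hash"]:
            return False
        prev_hash = block["hash"]
    return True


def build_onchain_ledger():
    """Constructed sample: a memo containing a person's name is written directly on-chain."""
    chain = []
    append_block(chain, {"from": "pubkey-A", "to": "pubkey-B", "memo": "payment for Alice Example"})
    append_block(chain, {"from": "pubkey-B", "to": "pubkey-C", "memo": "refund"})
    return chain


def erase_in_place(chain, index):
    """Attempt to honour an erasure request by rewriting the stored memo in place."""
    chain[index]["payload"]["memo"] = "[erased]"
    return chain


def build_offchain_design():
    """Variant: only a salted hash (commitment) of the memo goes on-chain; the memo lives off-chain."""
    store = {}   # off-chain storage, under the controller's direct control
    chain = []
    record = "payment for Alice Example"
    salt = "constructed-random-salt-1"   # assumption: in practice a per-record random value
    commitment = hashlib.sha256((salt + record).encode()).hexdigest()
    store[commitment] = (salt, record)
    append_block(chain, {"from": "pubkey-A", "to": "pubkey-B", "memo_commitment": commitment})
    return chain, store


def erase_offchain(store, commitment):
    """Delete the off-chain record; the on-chain commitment is left untouched."""
    store.pop(commitment, None)
    return store


if __name__ == "__main__":
    chain = build_onchain_ledger()
    print("on-chain ledger valid before erasure:", verify_chain(chain))
    erase_in_place(chain, 0)
    print("on-chain ledger valid after in-place erasure:", verify_chain(chain))

    chain, store = build_offchain_design()
    erase_offchain(store, chain[0]["payload"]["memo_commitment"])
    print("off-chain design: ledger still valid after erasure:", verify_chain(chain))
```

The in-place erasure fails verification because every later block commits to the hash of the rewritten one; on a real network the other replicas would also reject the change, which is exactly the integrity property the Study describes. The off-chain variant keeps the ledger intact after deletion, but it does not settle the legal question by itself: whether a salted hash of personal data counts as anonymised or merely pseudonymised is one of the anonymisation questions the Study says regulatory guidance should address.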

It should be noted that the Study highlighted key issues that have already been discussed and explored by many academics and practitioners, and also provided some recommendations. The Study recognizes the GDPR as “technology neutral” and considers that options should be explored to align the existing principles under the GDPR with new technologies such as blockchain. Taking into consideration the conclusion that the GDPR is “technology neutral”, the options may be the following:

  1. Guidance issued by a competent authority such as the European Data Protection Board, as well as updating the existing Article 29 Working Party guidance that already addresses areas of uncertainty, such as anonymisation methodologies. Moreover, the Study provides a list of specific questions that regulatory guidance should look to address, such as questions on anonymisation, allocating GDPR responsibilities to the blockchain participants, and whether the use of blockchain technology triggers the need for a data protection impact assessment, among others;
  2. Codes of conduct and certification mechanisms should be encouraged and supported. Codes of conduct and certification mechanisms agreed between regulators and the private sector are one means of ensuring that a technology is GDPR “compliant-by-design”; the EU Cloud Code of Conduct is given as an example;
  3. Research funding. The Study recommends funding for interdisciplinary research that explores how blockchains’ technical design and governance solutions could be adapted to the GDPR’s requirements, and whether protocols that are compliant by design may be possible.

To sum up the Study, compliance with the GDPR will depend on the particular blockchain use case, and as such requires a “case-by-case assessment”. What is more, the Study noted that, despite the tensions between blockchain and the GDPR, blockchain technologies may offer new forms of data management that provide benefits to the data-driven economy and enable data subjects to have more control over personal data that relates to them.

Please note that all the information provided in this article is based on the study prepared by the Scientific Foresight Unit, within the Directorate-General for Parliamentary Research Services of the Secretariat of the European Parliament, which can be found on the website of the European Parliament.

If you would like more information about blockchain technologies, the requirements of the GDPR and their implementation, please feel free to contact our law firm.