GDPR and blockchain do not coexist easily. GDPR attempts to ensure that personal data is retained for as short a period as possible, to give individuals control over their personal data, and to allow easy modification, correction or erasure at any time at the individual's request. Blockchain is intended to serve as an immutable ledger, where transactions cannot be repudiated and records cannot be changed by anyone. Public or permissionless blockchains are operated under rigid rules that may not be compatible with GDPR. Private or permissioned blockchains, which can establish their own rules of operation, have more flexibility and may have a better chance of being in line with GDPR.
The GDPR applies worldwide, within and outside the European Economic Area (EEA), to the extent that personal data is processed in connection with the sale of goods or services to individuals located in the EEA. There has not been any guidance on how blockchain can meet GDPR requirements. It is clear that it might be very difficult to accommodate some aspects of the GDPR when personal data is recorded in a blockchain ledger. Given the speed of development of blockchain around the world, guidance is urgently needed.
Blockchain is undoubtedly a vehicle for the processing of "personal data". Under GDPR, the term is defined broadly to apply to any information about an individual who is, or can be, identified. It incorporates a wide variety of data, from contact or health information to cookies, IP addresses or device identifiers. Because of this broad definition, almost anything that is or can be linked to an individual is deemed personal data under GDPR. Personal data that has undergone pseudonymization, and that could be attributed to a natural person through the use of additional information, is also deemed "personal data" subject to GDPR.
Blockchain is often used to record events associated with an individual, as opposed to a corporate entity. It is common to do so by using pseudonymized information that has been associated with the participants' public cryptographic keys. The mere use of an identifier instead of the name of a person is not sufficient to take pseudonymized data outside the scope of the definition of personal data if the person may be re-identified because that identifier is otherwise available. Only personal data that has been rendered anonymous in such a manner that the individual is not, or is no longer, identifiable is outside the scope of the GDPR.
Legal Basis for the Processing
The GDPR prohibits the collection or processing of personal data unless there is a "legal basis" for the processing. A blockchain-based application must be able to identify one or more of the six legal bases the GDPR recognizes. The most relevant ones are likely to be that the processing is necessary for: (i) the performance of a contract to which the individual is a party; (ii) compliance with a legal obligation to which the data controller is subject; or (iii) the purposes of the legitimate interests pursued by the controller or by a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the individuals. In some cases, the only available legal basis is the individual's consent to the processing of the personal data.
Blockchain projects are usually associated with the performance of a contract or a transaction, where the parties wish the transaction to be recorded. In most cases, the project is likely to meet one or more of the requirements above. Blockchain users should make sure that this information is recorded and shared with the affected individuals.
The GDPR requires that personal data be retained only for as long as it is needed. Blockchain is intended to create an immutable record. One of its key features is the ability to retain data indefinitely, to enable the parties to prove that a transaction occurred. Blockchain users will have to be prepared to argue why the transaction recorded in the blockchain must remain accessible indefinitely. For example, if the event is the sale of ephemeral or perishable goods (e.g. food or flowers), while there is no doubt that the record of the sale from person A to person B should be kept for a certain time in order to retain evidence, it would be much more difficult to argue that it should be kept indefinitely, past the statute of limitations for claims under the sales contract. In a permissioned blockchain environment, these concerns might be addressed through the rules of operation of that blockchain, for example by allowing for the deletion or archival of the data after a specified period of time.
Security, Integrity and Confidentiality
The GDPR requires both data controllers and data processors to adopt a written information security program to reduce the risk of security breach, intrusion, modification of the data, or ransomware attack. The program is expected to include appropriate technical, physical and administrative measures. Who is responsible for maintaining proper security when the network can be accessed through multiple nodes? To date, blockchain technology has suffered spectacular security breaches, in particular targeting cryptocurrencies. Keep in mind that any chain or network is only as strong as its weakest link.
Data Protection by Default
The GDPR requires that companies follow "data protection by default" principles. "Data Protection by Default" requires that, by default, the data should not be accessible to an indefinite number of natural persons without the data subject's intervention. In the blockchain ecosystem, the content of the ledger must be accessible to others. Until the meaning of "data protection by default" is clarified, there is a problem. Should the blockchain application ensure that no personal data of a participant is recorded, until the participant has confirmed that their personal data can be made public?
Cross Border Data Transfers
The GDPR restricts the transfer of personal data to countries that do not provide adequate protection. Aside from a small number of countries outside the EEA (for example, Canada, Israel, Switzerland or Uruguay), the remainder of the world does not meet the GDPR standards. A permissionless blockchain ignores borders. It is intended to be accessible from any geography through multiple nodes. In that case, all nodes might be required to execute proper data processing agreements that incorporate appropriate EU Commission Standard Contractual Clauses to guarantee proper protection of the personal data of EEA residents. Further, any entity that accesses data stored on the blockchain may also have to provide appropriate guarantees that it will meet the GDPR standards.
A permissioned blockchain might be better able to address cross-border data transfer restrictions. It could make it a condition for participation that each applicant execute all necessary documents as part of the admission process, and these documents could include EU Standard Contractual Clauses or a Code of Conduct that meets the GDPR requirements.
Right of Correction
The GDPR grants numerous rights to data subjects, some of which appear to be incompatible with the blockchain. The GDPR grants the right to have incorrect personal data rectified and to have incomplete personal data supplemented. The structure of the blockchain does not allow for any such changes. Any attempt to modify the information recorded about a prior transaction could break the chain, and the transactions that were conducted in reliance on the pre-existing data could not be erased or superseded. In a permissioned blockchain, there might be more flexibility, through the addition of special rules. However, it should be kept in mind that individuals cannot give up their right to have incorrect personal data rectified. This is a fundamental right in the European Union, under Article 8 of the EU Charter of Fundamental Rights.
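To make the structural point concrete, here is an added illustration in Python; it is not code from the article and does not model any particular blockchain implementation. It builds a minimal hash chain of constructed sale records (the `pk_*` identifiers and record fields are made-up sample values) and verifies it by re-deriving every hash. Editing a recorded field in place fails verification at the edited block; re-hashing only the edited block fails at the block after it, because its stored link still points at the old hash; rebuilding every later block passes verification, but changes every subsequent hash, so anyone who kept a copy of the earlier chain head can tell that history was rewritten.

```python
import copy
import hashlib
import json

# Constructed sample data (not from the article): three sale events, with
# participants referred to by pseudonymous identifiers standing in for public keys.
SAMPLE_RECORDS = [
    {"seller": "pk_A", "buyer": "pk_B", "item": "flowers", "price": 12},
    {"seller": "pk_B", "buyer": "pk_C", "item": "bread", "price": 3},
    {"seller": "pk_C", "buyer": "pk_A", "item": "milk", "price": 2},
]

GENESIS_HASH = "0" * 64


def canonical(record):
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def block_hash(index, prev_hash, record):
    """Hash of one block: its position, the previous block's hash, and its content."""
    h = hashlib.sha256()
    h.update(str(index).encode())
    h.update(prev_hash.encode())
    h.update(canonical(record))
    return h.hexdigest()


def build_chain(records):
    """Append each record as a block whose hash commits to the previous block."""
    chain = []
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        block = {"index": i, "prev_hash": prev, "record": dict(rec)}
        block["hash"] = block_hash(i, prev, block["record"])
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every hash and link checks out,
    else (False, index of the first block that fails)."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return False, i
        if block_hash(i, prev, block["record"]) != block["hash"]:
            return False, i
        prev = block["hash"]
    return True, None


def rectify_naive(chain, index, field_name, new_value):
    """Edit a stored field and nothing else: the block's own hash no longer matches."""
    edited = copy.deepcopy(chain)
    edited[index]["record"][field_name] = new_value
    return edited


def rectify_rehash_one(chain, index, field_name, new_value):
    """Edit a field and recompute only that block's hash: the next block's link breaks."""
    edited = rectify_naive(chain, index, field_name, new_value)
    block = edited[index]
    block["hash"] = block_hash(index, block["prev_hash"], block["record"])
    return edited


def rectify_rebuild(chain, index, field_name, new_value):
    """Edit a field and rebuild every later block: verifies, but all later hashes change."""
    records = [copy.deepcopy(b["record"]) for b in chain]
    records[index][field_name] = new_value
    return build_chain(records)


if __name__ == "__main__":
    original = build_chain(SAMPLE_RECORDS)
    print("original chain:", verify_chain(original))
    print("edit in place:", verify_chain(rectify_naive(original, 1, "item", "rolls")))
    print("rehash edited block only:", verify_chain(rectify_rehash_one(original, 1, "item", "rolls")))
    rebuilt = rectify_rebuild(original, 1, "item", "rolls")
    print("rebuild later blocks:", verify_chain(rebuilt),
          "| chain head changed:", rebuilt[-1]["hash"] != original[-1]["hash"])
```

The verifier is the part a defender would actually deploy: any node or auditor holding a copy of the chain can run it to detect a rewritten record, which is exactly why a rectification cannot be applied quietly. The rebuild variant shows the other half of the article's point: honouring the correction is only possible by re-issuing every block that followed, and every party that relied on the earlier hashes will see the difference.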
Right of Erasure
The blockchain may be able to resist the "right of erasure" under the GDPR. The "right of erasure" exists only in limited specific circumstances, including:
- The data is no longer necessary for the purpose for which it was collected.
- The data subject withdraws consent to the use of the data.
- The data subject objects to the processing of the data and there are no other legal grounds for the processing.
- The data subject objects to use of the data for marketing purposes.
- The data has been unlawfully collected.
There are numerous exceptions; two of them appear the most viable in the blockchain environment. The right of erasure does not apply if the data is necessary "for archiving purposes in the public interest" in so far as the erasure likely would "render impossible or seriously impair the achievement of the objectives of that processing." It also does not apply if the processing is necessary for the establishment, exercise or defense of legal claims. Since the primary purpose of the blockchain is to provide the ability to prove that a transaction has occurred, it seems that either or both of these exceptions would stop attempts at erasing existing records.
Some of the essential features of blockchain tend to conflict with GDPR. Blockchain promotes immutability and data sharing, among other things. Under GDPR, personal data must be able to be changed so that it remains accurate, and data sharing is prohibited without permission. Companies that wish to take advantage of blockchain should carefully evaluate the potential obstacles created by the GDPR when structuring their application. When privacy is a concern, a permissioned blockchain might be a more viable option than a permissionless one because it allows the creation of supplemental rules of operation that might have a better chance of meeting the numerous, stringent GDPR requirements.