Blockchains and the GDPR

The imminent entry into force of the EU General Data Protection Regulation (GDPR) coincides with pronounced hype surrounding blockchains as a new method of data storage and management. Blockchains and other forms of Distributed Ledger Technology (DLT) are an emergent technology that remains immature and only time will tell whether they are here to stay.

Blockchains are currently being avidly experimented with in Europe and beyond. These replicated and tamper-proof databases provide new methods of data handling. Their characteristics contrast with those of centralized forms of data management that regulators had in mind when fashioning the GDPR. In a recent paper I examine whether a technology based on the decentralized collection, management and storage of data can be compatible with the GDPR, which was fashioned for data silos. This question is of pivotal importance as, in light of its expansive geographical scope, the GDPR is not only relevant for blockchain projects in Europe but around the world. I conclude that a legal framework designed for a sphere of centralization cannot easily be applied to one of decentralization.

Personal Data on a Blockchain

The GDPR embraces a broad definition of personal data as ‘any information relating to an identified or identifiable natural person’, the ‘data subject’. Where data qualifies as personal data, it can only be processed subject to a number of conditions and data subjects derive specific substantive rights in respect of their data.   

Blockchains are essentially append-only replicated databases that are maintained by a consensus algorithm and stored on multiple nodes (computers). Data can be stored on a blockchain in plain text, or it can be encrypted or hashed to the chain. It is well established that data that has been encrypted or hashed still qualifies as personal data under EU law, as it is merely pseudonymised, not irreversibly anonymised. This means that on a blockchain, public keys qualify as personal data, just as does data relating to a natural person that is hashed to the chain. As a consequence, the cryptographically modified data stored on a distributed ledger, in addition to public keys, is subject to the GDPR.

This finding has wide-reaching implications as data subjects are in a position to invoke their GDPR rights, including their right to access data and have it amended or deleted (the ‘right to be forgotten’). On a tamper-proof ledger these rights cannot, however, be easily implemented. It is safe to assume that at present most blockchains are not GDPR compliant because they are unable to implement these rights. A number of technological solutions are currently being developed that might facilitate this in the future, but we are not there yet.
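To make the two preceding points concrete, here is a small added illustration (constructed model, not code from the paper or from any real blockchain): a hashed identifier stored on a hash-chained, append-only ledger can still be linked back to the person by re-hashing candidate identifiers, and redacting it afterwards breaks the chain's integrity check. The e-mail addresses are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


@dataclass
class Ledger:
    """Minimal append-only ledger: each block commits to the previous block's hash."""
    blocks: list = field(default_factory=list)

    def append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        body = {"prev": prev, "payload": payload}
        self.blocks.append({**body, "hash": sha256_hex(json.dumps(body, sort_keys=True))})

    def verify(self) -> bool:
        """Recompute every block hash and check the chain of 'prev' pointers."""
        prev = "0" * 64
        for b in self.blocks:
            body = {"prev": b["prev"], "payload": b["payload"]}
            if b["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True)) != b["hash"]:
                return False
            prev = b["hash"]
        return True


def reidentify(stored_hash: str, candidates: List[str]) -> Optional[str]:
    """Hashing is pseudonymisation: anyone holding a list of plausible identifiers
    can recover which data subject a stored hash refers to."""
    for candidate in candidates:
        if sha256_hex(candidate) == stored_hash:
            return candidate
    return None


def build_demo() -> Ledger:
    # Constructed sample data: the subject identifier is written to the chain hashed.
    ledger = Ledger()
    ledger.append({"subject": sha256_hex("alice@example.com"), "event": "signup"})
    ledger.append({"subject": sha256_hex("bob@example.com"), "event": "signup"})
    return ledger


def attempt_erasure(ledger: Ledger, subject_hash: str) -> bool:
    """Simulate a right-to-erasure request by redacting the subject in place.
    Returns whether the ledger still verifies afterwards (it does not)."""
    for b in ledger.blocks:
        if b["payload"].get("subject") == subject_hash:
            b["payload"]["subject"] = "REDACTED"
    return ledger.verify()
```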

It is, in addition, very difficult to determine which entity will be the addressee of these obligations. The GDPR considers that the ‘data controller’, that is to say the natural or legal person determining the ‘purposes and means of the processing of personal data’, needs to comply with these principles. The question of who determines the purposes and means of processing depends on the precise governance arrangements of the given blockchain. There is a strong argument that nodes will in most cases qualify as data controllers; however, we might also envisage that other actors, including data subjects themselves, do so in some circumstances. The problem is that, unlike centralized controllers, nodes and data subjects cannot comply with GDPR obligations given their limited influence over the information stored on the ledger.

Promoting Responsible Innovation

Most current blockchain projects are likely incompatible with the GDPR. This signals that even before the legal framework’s entry into force it already seems outdated in respect of the newest developments in data management. This is not limited to the blockchain context: the GDPR also cannot be easily applied to big data, machine learning and AI.

At present, innovators wishing to create compliant products cannot find easy answers, which in turn risks asphyxiating the development of an innovative technology with much promise for the Digital Single Market. The current lack of legal certainty is putting pressure on EU regulators to clarify how the GDPR should be applied to blockchains, in particular in respect of the nature of the data controller, whether public keys are personal data, and how substantive rights should be implemented.

The tension between blockchains and the GDPR echoes a clash between two normative objectives of EU law: fundamental rights protection and the promotion of innovation. Regulators must carefully balance these objectives going forward. The difficulty arising in this context is that blockchains can, depending on their precise configuration, be used to drastically undermine or promote data protection. If no specific privacy safeguards are built into the technology, they can reveal any and all personal data stored on-chain. If adequately designed, they can however also contribute considerably to giving individuals more control over their data, which is an underlying objective of the GDPR.

The takeaway is this: blockchains at once risk undermining and promoting the GDPR’s underlying objectives. They are, at this stage, still an emergent and malleable technology that can be used to either threaten or promote data protection. While technology can be neutral, it will never be used in a neutral manner but rather will reflect surrounding norms, objectives and beliefs. The blockchains of tomorrow will be shaped by today’s input. This highlights the momentous importance of dialogue between innovators, regulators and other stakeholders during the early days of an emergent technology. Regulators must incentivize developers to safeguard established fundamental rights protections and provide guidance as to how compliant systems can be built. Innovators, on the other hand, must be given freedom to develop their products while respecting regulatory principles. This does not mean that new secondary legislation is needed – softer incentivizing measures such as agency threats, issuing guidance or regulatory sandboxes are more suitable mechanisms.

The jury is still out on whether blockchains are here to stay, and if so, whether they will have a positive or negative impact on society. The next months and years will significantly shape the direction. The EU must wake up to this reality and engage in dialogue with industry, experts and other stakeholders as to how the technology can be used in a manner that benefits society, also in respect of data protection. Technological development permitting, blockchains will stay with us. Contrary to the last wave of Internet innovation, Europe is lucky to have a vibrant blockchain ecosystem, especially in Berlin. In engaging in dialogue with innovators now, the EU can make sure that the ecosystem continues developing in the Union, and that it does so in a manner compatible with European values, including data protection. 

Michèle Finck is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition and a Lecturer in EU Law at Keble College, University of Oxford.