As the world of blockchain technology is expanding and the usage of this technology is increasing, there is a need to harmonize the laws regarding the functioning of this technology and protecting rights of its users. Blockchain is a shared and synchronized digital database which works on the basis of a consensus algorithm where information is stored as local version on different nodes (computer). To simplify it further, blockchain could be said a chain of blocks. With the hashing process, information stored on a single block gets added in the existing chain of blocks. Hashing is a process that issues unique fingerprint to the data stored; in essence it is a cryptographic function which is irreversible. Blockchain technology has the potential to disrupt how the current online circulation of value works. It is anticipated that tax reporting, voting schemes, e-identity and other things may work on blockchain or other distributed ledger system by 2035.1 Considering this, it becomes essential to make sure that data of the users are protected and the users have rights as enshrined under the EU General Data Protection Regulation which came into effect on 25 May 2018.
EU General Data Protection Regulation protects fundamental rights and freedom of natural persons and in particular their right to the protection of personal data. This regulation is only applicable to 'personal data' which relates directly or indirectly to a living natural person. European Union has specifically incorporated principle of data protection in Charter of Fundamental Rights under Article 8.2
In this article, the authors have discussed the key contentions with respect to blockchain technology and GDPR and whether GDPR would be applicable to Blockchain technology and what rights data subjects have while operating on this technology.
Whether GDPR is applicable to Blockchain technology?
First, it becomes essential to understand whether the data used in blockchain technology would qualify as personal data as per the criteria specified in the GDPR. Through the process of hashing, the personal data in blockchain technology is encrypted so as the identity of user is not revealed. The question is whether after hashing, the data remains 'personal' for the purposes of GDPR.
GDPR adopts a binary approach between personal data and non-personal data, further Recital 263 of GDPR says that the said regulation is not applicable to anonymous data. We will look into as to what is the difference between Anonymised data and psuedonymised data and on which category does blockchain technology falls.
An effective anonymization technique would restrain all data subjects from singling out a single user from the data stored, from relating two records or analysing data so as to make a deduction about the individual data.4 Therefore, anonymization is a process by which Personal identifiable information (PII) is irreversibly altered in such a way that a PII principal can no longer be identified directly or indirectly, either by the PII controller alone or in collaboration with any other party.5 The European Court of Justice (CJEU) defined personal data as any information due to its content, purpose or effect can be linked to a particular individual.6
Article 4(5) of GDPR describe Pseudonymisation as processing of data in a way that it can be identified to a data subject with the help of supplementary information. This means that Pseudonymisation data is personal data. Pseudonymisation is not a method of anonymization, it only minimizes the linkability of the data with real identity of data subjects. In public blockchain, every transaction done by a user will be attached to a public key that will represent the user. This public key is so encrypted that anyone who access the blockchain would not be able to identify the user. The purpose of public key is to single out the user who performs the particular transaction, therefore public key when linked to a user would characterise as personal data. With public key visible to other users they can through the manner and frequency of transaction find out about the behaviour of the user.
Article 29 Working Party guideline on anonymization sets out criteria to define whether the encrypted data could be so decrypted that the user can be identified. First criteria is of singling out, it means that if there is a probability to isolate some transaction from all transaction so to link it to an individual. Second criteria is of Linkability where two data sets corresponds to same user and can be attributed to someone. Third is the Inference, that even when data is not linkable or singled out, it could be inferred from the value of that data to identify the data subject. For example, if the data refers to Female German Chancellor from early 90s then it can be inferred and attributed to Angela Merkel.
In the blockchain technology, public key works as an 'identifier' as per the Recital 30 of GDPR.7 Every user has this public key and private key, public key is similar to account number that is shared with other users to perform transactions. Private key on the other hand is like a password which can be used by user to decrypt the data that has been encrypted through public key. A public key therefore is data that 'can no longer be attributed to specific data subject' but it can be attributed if provided with additional information and thus pseudonymous data according to Article 4(5) GDPR.8 . Therefore, under the blockchain technology encrypted data would be classified as personal data for the purposes of GDPR.
Determination of controller in blockchain technology
To make blockchain technology GDPR compliant, we need to identify the controller who is responsible to implement measures required both in terms of technical and organisational level. Article 4(7) of GDPR defines data controller as body which determines purposes and means of data processing. It can be seen that in blockchain there are many database that converge from which the purpose and means of data processing is determined. Article 26 GDPR incorporates the possibility of joint controller; it could be applied to private and permission less blockchain where means are determined by entity such as company. In this case different controller should form an agreement setting their respective responsibilities. Whereas in public and permissionless blockchain, controller is decide on the infrastructure basis. There is no single blockchain system, it has a lots of variants and therefore to determine controllership each system should be looked on case by case basis.
Generally in blockchain, users who submit their data usually can be considered controller as they decide the purpose of that data. Whereas nodes and miners who only process the data on behalf of data subjects at the infrastructural level can be said to be data processor at most.
Rights of the data subjects
GDPR under Article 12 to 23 provides certain rights to data subject with respect to their data. We will analyse some of the rights, their enforcement in case of blockchain technology and challenges in ensuring these rights to data subjects.
Right to access – Article 15 of GDPR9
Right to access personal data could be classified as foundational basis for the all other data subjects rights enshrined in GDPR. Accessing data to data subjects enables user to understand what data is being processed, the manner it is being processed. Whenever any demand for the exercise of this right is made to the data controller, controller is required to search all the information to extract and give access to data subjects. Generally, it can be seen that article 15 can be implemented in blockchain technology. But that presupposes sufficient governance mechanism, in Blockchain there are joint controllers and they might not be able to access the data as a result controller would be unable to decide whether information contained in ledger is personal data so to give data subject access to it. Therefore, controller deciding blockchain technology make sure that appropriate government measure are taken.
Right to be forgotten – Article 17 of GDPR10
Right to erasure (Right to be forgotten) is an essential right in the hands of data subject that provides control of personal data to the subjects. Data subjects can ask for their personal data to be removed or erased if it qualifies or comes under any conditions mentioned in the article. The difficulty that arises in case of blockchain technology is that it is deliberately developed in a way so to make unilateral modification of data tough, which is made to create a robust data integrity network. The scope and definition of the word erasure is not straightforward, according to Oxford English dictionary it means 'removal of all traces or obliteration' so it could be said that erasure means destruction of the data. Article 17 GDPR was interpreted by Google Spain11 case CJEU and held that erasure could also mean taking down the data so that it does not appear in search result, it does not leads to destruction of the data in that given fact scenario where Google had no control over the source of the data and it only could have taken the data down from the search results. Therefore applying this rationale of Google Spain it could be said that erasure is not destruction of the data but an obligation of the controller to do what they can in furtherance of the destruction of the data, which implies that the standard for erasure of the personal data is subjective. Blockchain technology can be so governed or a mechanism could be made so that this right to be forgotten can be achieved as far as possible.
In conclusion, many believe blockchain to be fundamentally incompatible with GDPR, while there is some middle way that exists where blockchain could be made GDPR complaint. It is pertinent to look at blockchain technology on a case to case basis and provide a subjective approach to each system so that GDPR could be applied and rights of the data subjects are secured as far as possible.
1 European Parliament (November 2018) 'Global Trends to 2035 – Economy and Society' PE 627.126
2 Article 8, Charter of Fundamental Rights of the European Union, (2000/C 364/01).
3 Recital 26, General Data Protection Regulation, 2018.
4 Article 29 Working Party, Opinion 05/2014 on Anonymization Techniques (WP 216) 0829/14/EN, 3.
5 ISO/IEC 29100:2011 Information technology, Security techniques, Privacy framework
6 Peter Nowak v Data Protection Commissioner Case, C-434/16 Nowak 2017 EU: C: 2017:994, para 35.
7 Recital 30, General Data Protection Regulation, 2018
8 Article 4(5) GDPR, "pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person"
9 Article 15, General Data Protection Regulation, 2018.
10 Article 17, General Data Protection Regulation, 2018.
11 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos es, Mario Costeja González, C-131/12.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.