Blockchain and GDPR: is a clash really inevitable?
10/08/2018

Blockchain, considered to be the greatest technological innovation since the internet, is currently also one of the most debated technologies. From a legal perspective, the technology raises many questions, in particular because several aspects of blockchain clash with the EU data protection framework. Can these problems be overcome?

What is the “blockchain”?

Blockchain, or more generally distributed ledger technology (“DLT”), has caused tremendous innovation in the fintech sector. A large part of the interest is due to the successful – and controversial – digital coins such as Bitcoin and Ethereum, some of the few large-scale implementations of blockchain to date. 

The terms blockchain, Bitcoin and DLT are often, incorrectly, used as synonyms. ‘DLT’ is the umbrella term for any kind of transaction ledger that is decentralised and distributed among parties. ‘Blockchain’ is a particular type of DLT that stores transaction records in chained blocks. ‘Bitcoin’ is a specific cryptocurrency application of blockchain. By this logic, Bitcoin is only one type of blockchain and blockchain is only one type of DLT.

There is no single model for blockchain systems. The technology can be deployed in an almost infinite range of configurations. At this moment, there are three general types of blockchain: public permissionless blockchain (e.g. Bitcoin and Ethereum), public permissioned blockchain (open to the public, but managed through permission settings) and private permissioned blockchain (restricted to a limited group of persons and privately managed, e.g. within a company or closed organisation).

Applicability of the GDPR

Many blockchain-based applications will be subject to the GDPR for two reasons. Firstly, data stored in a blockchain will often relate to identified or identifiable persons and therefore be considered “personal data”. Even where data is encrypted or hashed, it qualifies as personal data according to the Article 29 Working Party (“WP29”). The WP29 has made it clear that hashing constitutes a technique of pseudonymisation, not anonymisation, as it remains possible (even if difficult) to link the dataset to an identifiable data subject. Public keys, too, will likely qualify as personal data when they are associated with an individual. The second reason is the cross-border nature of blockchain and the GDPR’s broad territorial scope. Blockchains usually run on nodes located in various parts of the world (including the EU), which brings them within the GDPR’s scope.

Privacy issues of the blockchain

Blockchains – in particular those of a public and permissionless nature – are, in their current state, deemed irreconcilable with the GDPR. The most important issues can be summarised as follows:

Who is the data controller? Blockchains enable multiple parties to jointly manage a set of personal data, which makes it difficult to determine the privacy role of each of the parties involved. For private blockchains, it might still be possible to identify a central administrator that qualifies as the data controller. Many other blockchain networks are operated by all their users in a peer-to-peer network. This may mean that either no node qualifies as a data controller or, more likely, every node does.
How can data subjects exercise their rights? In a blockchain environment, amendment or erasure of data is technically impossible because the system is designed to prevent it. Once data is added to a blockchain, it cannot be amended or erased. To amend data, a new block with the amended data must be added to the chain; the initial data, however, remains in the chain forever. It is questionable whether this so-called ‘immutability’ feature can be reconciled with the data subjects’ rights to rectification and erasure.
How can blockchain be reconciled with the principles of lawful data processing? Once added to a blockchain, personal data will in principle remain part of the chain. Perpetual storage of data on the blockchain is difficult to reconcile with the storage limitation principle, while making all data visible to every node is likely to be considered excessive in light of the data minimisation principle.

Same objective, other means

While blockchain and GDPR could be seen as profoundly incompatible with one another, both systems in fact also share a common objective: giving individuals more control over their data and securing the exchange of their data. 

Only time will reveal how regulators and judges will approach the tension between the GDPR and blockchain. In any case, we believe that an attempt should be made to reconcile the two, in order to create the best of both worlds. For the time being, the safest advice for blockchain developers is to work with a permissioned (private) system where possible and to store personal data in a secured off-chain database.
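As an added illustration (not part of the original article) of three points made above: an unkeyed hash of an identifier is only pseudonymisation because anyone with a candidate list can re-link it; an append-only chain offers no erasure; and keeping the personal data plus a random per-record key off-chain, with only a keyed commitment on-chain, lets a controller honour an erasure request while the chain itself stays intact and verifiable. The classes `Chain` and `OffChainRegistry` and the sample record are constructed for this example.

```python
import hashlib, hmac, json, secrets

def block_hash(prev: str, payload: dict) -> str:
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class Chain:
    """Toy append-only hash chain: there is deliberately no update or delete."""
    def __init__(self):
        self.blocks = []
    def append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})
    def verify(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or block_hash(prev, b["payload"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True

def naive_pseudonym(email: str) -> str:
    """Unkeyed hash of an identifier: pseudonymisation, not anonymisation (WP29)."""
    return hashlib.sha256(email.lower().encode()).hexdigest()

def relink(pseudonym: str, candidates):
    """Anyone holding a candidate list can tie an unkeyed hash back to a person."""
    return next((c for c in candidates if naive_pseudonym(c) == pseudonym), None)

class OffChainRegistry:
    """Constructed pattern: personal data and per-record keys stay off-chain; only keyed commitments go on-chain."""
    def __init__(self, chain: Chain):
        self.chain, self.records, self.keys = chain, {}, {}
    @staticmethod
    def commit(key: bytes, personal: dict) -> str:
        return hmac.new(key, json.dumps(personal, sort_keys=True).encode(), "sha256").hexdigest()
    def add(self, record_id: str, personal: dict) -> None:
        key = secrets.token_bytes(32)  # fresh random key per record, never written on-chain
        self.records[record_id], self.keys[record_id] = personal, key
        self.chain.append({"record_id": record_id, "commitment": self.commit(key, personal)})
    def linked(self, record_id: str, candidate: dict) -> bool:
        """Can the on-chain commitment still be tied to this candidate record?"""
        key = self.keys.get(record_id)
        onchain = [b["payload"]["commitment"] for b in self.chain.blocks
                   if b["payload"]["record_id"] == record_id]
        return key is not None and hmac.compare_digest(self.commit(key, candidate), onchain[0])
    def erase(self, record_id: str) -> None:
        """Erasure request: drop data and key off-chain; the chain is left untouched."""
        self.records.pop(record_id, None)
        self.keys.pop(record_id, None)
```

Once the key is gone, the commitment left on the chain is an opaque value that no candidate record can be matched against, whereas the plain hash in `naive_pseudonym` stays re-linkable for as long as the chain exists.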

Related: Loyens & Loeff CVBA (Mr. Yves Van Couter, Ms. Stéphanie De Smedt, Ms. Valérie Verstraeten)

http://www.loyensloeff.com

Mr. Yves Van Couter, Partner
yves.van.couter@loyensloeff.com

Ms. Stéphanie De Smedt, Associate
stephanie.de.smedt@loyensloeff.com

Ms. Valérie Verstraeten, Junior Associate
valerie.verstraeten@loyensloeff.com
