Either It Is or It Isn’t: A Look at Blockchain and GDPR Compliance

A brief introduction

Blockchain technology has proven to have a high potential for development that covers a range of situations. Blockchains can transfer assets (think of Bitcoins or property deeds) or be used as a ledger ensuring authentication and traceability (think of securely stored health records or verified diploma certifications). Lastly, blockchains can execute smart contracts between two or more parties in the form of an algorithm where no amendments can be made once complete.

While this is a great feature set for blockchain, if we look at the processing of personal data, it raises legal compliance questions. Aligning the immutability of blockchain with the principle of storage limitation, for example, can be challenging.

GDPR is an evolution

We understand that blockchain is a revolution, as noted above. GDPR, on the other hand, is an evolution in the field of EU data protection law. The layer of complexity affecting blockchain and GDPR is that the decentralized data governance model used by blockchain technology results in three players involved with data processing.

Since the GDPR applies across national borders, if a blockchain's participants are established in the EU, or if the blockchain's services are offered to or affect EU residents, the whole blockchain must be in compliance. This article's primary focus concerns personal data.

Blockchains and the three processing players

Accessors: those who have a right to read and hold a copy of the chain
Participants: those who have the right to make entries (to make a transaction that needs a validation request)
Miners: those who validate a transaction, thereby creating blockchain rules for acceptance by the community.

Within this blockchain, there are two categories of personal data.

Participants’ and miners’ identifiers: Each of the participant/miners has a public key. This ensures identification of the issuer and receiver of the transaction.
Additional data (also known as payload): Any additional data contained within a transaction (remember that diploma or property deed). If this data concerns natural persons who may be directly or indirectly identified, even persons other than the participants, it is considered personal data.

Blockchains and the Seven Principles

EU data protection law has seven governing data processing principles that form the framework of the regulatory mandate.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Of all seven, the one that arguably conflicts with blockchain technology is the principle of storage limitation.

The storage limitation principle states that personal data cannot be stored indefinitely. A data retention period must therefore be defined according to the purpose of the data processing. A defining characteristic of blockchain, however, is that once data is registered on a blockchain, it cannot be altered or deleted. Once all participants accept a block in which a transaction has been recorded, that transaction can no longer be altered in practice.

Technical solutions designed to mitigate storage limitation

Recall the two categories of personal data mentioned above (participants'/miners' identifiers and additional data): technical solutions for both have been examined, but their ability to ensure full GDPR compliance is marginal to questionable at best.

Some data controllers will still be legally obligated to publicize some information and make it accessible, regardless of the retention period. If this were the case, a data protection impact assessment (DPIA) could show that the residual risks to the data are acceptable, and the personal information would remain in the blockchain stored in a form similar to a traditional fingerprint (i.e. without a specific key identifier) or even as cleartext.
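To make the "fingerprint on chain, data off chain" pattern concrete, here is an added example (not from the article): the personal payload and a random per-record key stay in a mutable off-chain store, only a keyed fingerprint is appended to the ledger, and erasing the off-chain record at the end of the retention period leaves an on-chain value that can no longer be verified or recomputed from the payload. The `OffChainStore` class and the diploma payload are constructed for this illustration; the contrast with `plain_fingerprint` shows why an unkeyed hash of guessable data stays linkable.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the article: an on-chain "fingerprint" of
# off-chain personal data. The payload and secret key stay off chain; only
# the fingerprint is written to the immutable ledger.

def plain_fingerprint(payload: bytes) -> str:
    """Unkeyed SHA-256. Anyone who can guess the payload can recompute it
    and recognise the on-chain entry, so erasing the off-chain copy does
    not unlink the data from the ledger."""
    return hashlib.sha256(payload).hexdigest()

def keyed_fingerprint(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 with a random per-record key. Without the key, knowing
    the payload is not enough to recompute the on-chain value."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class OffChainStore:
    """Mutable store (hypothetical) holding personal data and per-record keys."""
    def __init__(self):
        self.records = {}  # record_id -> (payload, key)

    def put(self, record_id: str, payload: bytes) -> str:
        key = secrets.token_bytes(32)
        self.records[record_id] = (payload, key)
        return keyed_fingerprint(payload, key)  # this value goes on chain

    def verify(self, record_id: str, on_chain: str) -> bool:
        """False once the record has been erased (retention period over)."""
        rec = self.records.get(record_id)
        if rec is None:
            return False
        payload, key = rec
        return hmac.compare_digest(keyed_fingerprint(payload, key), on_chain)

    def erase(self, record_id: str) -> None:
        self.records.pop(record_id, None)

def demo():
    # constructed sample payload, echoing the article's diploma example
    payload = b"diploma:Alice Example:BSc Computer Science:2020"
    chain = []  # append-only stand-in for the immutable ledger
    store = OffChainStore()
    chain.append(store.put("rec-1", payload))
    before = store.verify("rec-1", chain[0])   # True while data is retained
    store.erase("rec-1")                        # retention period ends
    after = store.verify("rec-1", chain[0])    # False: key and payload gone
    relink = plain_fingerprint(payload) == chain[0]  # False: keyed value
    return before, after, relink
```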

Final thoughts

While blockchain offers unparalleled levels of secure transactions through its distributed ledger technology, cross-border transactions completed outside of the EU will continue to raise questions regarding compliance and obligations under the GDPR.

While appropriate safeguards for transactions outside of the EU may be used in a given blockchain (for example contractual clauses, binding corporate rules or even certification mechanisms), these safeguards are much harder to implement in a public blockchain ecosystem, especially where the data controller has no real control over the location of miners.