Blockchain and the GDPR – Irreconcilable Foes or A Partnership with Great Potential?


By Oana Dolea, GDPR Practice Lead, Matthew Williams, Consultant and Akber Datoo, Managing Partner, D2 Legal Technology

At first glance, blockchain and the General Data Protection Regulation (GDPR) may seem like they would be wholly unrelated, complete strangers.

But as applications of blockchain expand into the mainstream – payments, healthcare and security, to name a few areas – there are increasing concerns about the (lack of) compatibility between applications of blockchain technology and requirements under the GDPR. Basically, the seeming strangers are quickly developing into potential foes. But are they really that irreconcilable? And what are the advantages of turning these apparent foes into friends – or at least enabling them to coexist?

The mainstream view of blockchain in relation to personal data regulation may appear bleak.  Jan Philip Albrecht, a Member of the European Parliament who played an important role in the development of the GDPR, expressed that “certain technologies will not be compatible with the GDPR” and that “blockchain probably cannot be used for the processing of personal data”[1]. The UK Law Commission expressed similar concerns in their scoping study of smart contracts,[2] and the World Economic Forum published an article suggesting the GDPR, as it is currently written, is incompatible with blockchain technology.[3]

The main concern around processing personal data on the blockchain seems to centre on the fact that information recorded on the blockchain cannot be erased, only amended. By contrast, the GDPR provides that anyone holding personal data on an individual must be able to erase it upon request from the data subject in question. This raises significant questions as to whether applications of blockchain that process personal data could be GDPR-compliant. However, there seems to have been little, if any, official legal analysis by relevant data protection authorities and legislators on how the requirements of the GDPR might be interpreted to permit legal applications of blockchain technology to the processing of personal data, without compromising the desired protection of data subjects.

Engagement with blockchain solutions already lags behind its true potential. The 2018 Gartner CIO Survey reveals that only 1% of CIOs interviewed indicated that their organisation has adopted any kind of project involving blockchain. In part due to reported difficulties in finding qualified engineers to develop the solutions, and a perceived need for a change in the culture of IT departments as well as in the way organisations traditionally operate in order to accommodate blockchain, only 8% of CIOs were actively experimenting with or planning to explore blockchain applications within their organisation, and for 77% of surveyed CIOs their organisation reported no interest in blockchain and no action planned to explore its potential uses.[4]

If the perceived incompatibility between blockchain and the GDPR is not addressed, it is likely to only further discourage an increase in the technology’s adoption. Legal industry, government and private sector stakeholders can help unlock the great potential of blockchain technologies if they can work more closely to identify and agree on blockchain use cases and technical work-arounds that still allow data subjects to be protected in ways functionally equivalent to the requirements under the GDPR.

For example, can the right to erasure requirement be satisfied if a technical work-around can be implemented to ensure that personal data on a blockchain that is subject to a request to be forgotten, while not erased from the blockchain in the traditional sense, is somehow made inaccessible to any and all members of the blockchain, or of the public, in any context and at any time? Even more straightforwardly, a readily available work-around is maximising the use of private chains, as well as utilising off-chain solutions – using a hash to serve as a reference to personal data stored in a database outside the blockchain. Such solutions ensure that no personal data is kept on the blockchain, avoiding any questions of compliance with the GDPR.
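The off-chain work-around described above can be sketched as follows; this is an added example, not code from the article or its authors. It assumes a per-record random salt kept only in the off-chain database (the article says only "a hash"), so that the on-chain reference cannot be recomputed from guessable personal data once the off-chain row is erased; the class names `OffChainStore` and `Ledger` are hypothetical.

```python
import hashlib
import hmac
import secrets

GENESIS = "0" * 64

class OffChainStore:
    """Mutable database outside the chain; holds the personal data and its salt."""
    def __init__(self):
        self._rows = {}

    def put(self, personal_data: bytes) -> str:
        salt = secrets.token_bytes(32)  # assumption: per-record secret, never on-chain
        ref = hmac.new(salt, personal_data, hashlib.sha256).hexdigest()
        self._rows[ref] = (salt, personal_data)
        return ref  # only this reference is written to the ledger

    def get(self, ref: str):
        row = self._rows.get(ref)
        if row is None:
            return None  # erased or never stored
        salt, data = row
        check = hmac.new(salt, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(check, ref):
            raise ValueError("off-chain record does not match on-chain reference")
        return data

    def erase(self, ref: str) -> bool:
        # Deleting data and salt together leaves the on-chain hash unresolvable.
        return self._rows.pop(ref, None) is not None

class Ledger:
    """Append-only hash chain standing in for the blockchain."""
    def __init__(self):
        self.blocks = []

    def append(self, ref: str) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        digest = hashlib.sha256((prev + ref).encode()).hexdigest()
        self.blocks.append({"prev": prev, "ref": ref, "hash": digest})

    def verify(self) -> bool:
        prev = GENESIS
        for b in self.blocks:
            expect = hashlib.sha256((prev + b["ref"]).encode()).hexdigest()
            if b["prev"] != prev or b["hash"] != expect:
                return False
            prev = b["hash"]
        return True
```

After `erase()`, the ledger still verifies and still contains the reference, but nothing in the system can resolve that reference back to the individual's data.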

Blockchain and the GDPR need not remain irreconcilable foes if lawyers, technologists and legislators can work to agree on the way the requirements of the GDPR may be interpreted to confirm how blockchain can function within the GDPR regime.  The pay-off may be no less than making blockchain more accessible and approachable, by encouraging a closer analysis of its technical, functional and legal underpinnings and therefore a better understanding of its true potential.

[1] Mayer, D. (2018) Blockchain technology is on a collision course with EU privacy law, IAPP, 27th February 2018

[2] Law Commission (2018) Annual Report 2017-18, Law Com No 379, HC 1308

[3] Toth, A. (2018) Will GDPR block blockchain, World Economic Forum, 24th May 2018

[4] Gartner – Newsroom. Press Release, May 3, 2018. Available at: https://www.gartner.com/newsroom/id/3873790.