By Oana Dolea, GDPR Practice Lead, Matthew Williams, Consultant and Akber Datoo, Managing Partner, D2 Legal Technology
At first glance, blockchain and the General Data Protection Regulation (GDPR) may seem like they would be wholly unrelated, complete strangers.
But as applications of blockchain expand into the mainstream– payments, healthcare and security, to name a few areas– there are increasing concerns about the (lack of) compatibility between applications of blockchain technology and requirements under the GDPR. Basically, the seeming strangers are quickly developing into potential foes. But are they really that irreconcilable? And what are the advantages of turning these apparent foes into friends – or at least enabling them to coexist?
The mainstream view of blockchain in relation to personal data regulation may appear bleak. Jan Philip Albrecht, a Member of the European Parliament who played an important role in the development of the GDPR, expressed that “certain technologies will not be compatible with the GDPR” and that “blockchain probably cannot be used for the processing of personal data”. The UK Law Commission expressed similar concerns in their scoping study of smart contracts, and the World Economic Forum published an article suggesting the GDPR, as it is currently written, is incompatible with blockchain technology.
The main concern around processing personal data on the blockchain seems to centre around the fact that information recorded on the blockchain cannot be erased, only amended. By contrast, the GDPR provides that, upon request, anyone holding personal data on an individual must be able to erase it upon request from the data subject in question. This is creating significant questions as to whether applications of blockchain that process personal data could be GDPR-compliant. However, there seems to have been little, if any, official legal analysis by relevant data protection authorities and legislators on how the requirements of the GDPR may be potentially interpreted to permit legal applications of blockchain technology to the processing of personal data, without compromising the desired protection of data subjects.
Engagement with blockchain solutions already lags behind its true potential. The 2018 Gartner CIO Survey reveals that only 1% of CIOs interviewed indicated that their organisation has adopted any kind of project involving blockchain. In part due to reported difficulties in finding qualified engineers to develop the solutions, a perceived need for a change in the culture of IT departments, as well as in the way organisations traditionally operate in order to accommodate blockchain, only 8% of CIOs were actively experimenting with or planning to explore blockchain applications within their organisation and for 77% of surveyed CIOs, their organisation reported no interest in blockchain and no action planned to explore its potential uses.
If the perceived incompatibility between blockchain and the GDPR is not addressed, it is likely to only further discourage an increase in the technology’s adoption. Legal industry, government and private sector stakeholders can help unlock the great potential of blockchain technologies if they can work more closely to identify and agree on blockchain use cases and technical work-arounds that still allow data subjects to be protected in ways functionally equivalent to the requirements under the GDPR.
For example, can the right to erasure requirement be satisfied if a technical work-around can be implemented to ensure that personal data on a blockchain that is subject to a request to be forgotten, while not erased from the blockchain in the traditional sense, is somehow made inaccessible to any and all members of the blockchain, or of the public, in any context and at any time? Even more straightforwardly, a readily available work-around is maximising the use of private chains, as well as utilising off-chain solutions – using a hash to serve as a referenceto personal data stored in a database outside the blockchain. Such solutions ensure that no personal data is kept on the blockchain, avoiding any questions of compliance with the GDPR.
Blockchain and the GDPR need not remain irreconcilable foes if lawyers, technologists and legislators can work to agree on the way the requirements of the GDPR may be interpreted to confirm how blockchain can function within the GDPR regime. The pay-off may be no less than making blockchain more accessible and approachable, by encouraging a closer analysis of its technical, functional and legal underpinnings and therefore a better understanding of its true potential.
Mayer, D. (2018) Blockchain technology is on a collision course with EU privacy law, IAPP, 27th February 2018
Law Commission (2018) Annual Report 2017-18, Law Com No 379, HC 1308
Toth, A. (2018) Will GDPR block blockchain, World Economic Forum, 24th May 2018