Many of you might have heard about the General Data Protection Regulation (GDPR) and Blockchain Technology, but how can they relate to one another?
Blockchain technology is a prominent technology which can be defined as a sequential record of data distributed and managed via computers. Blockchain technology is not just used for cryptocurrencies, but also in several other industries depending on the use case.
When it comes to determining the controller of a blockchain, there is no central authority which controls this distributed technology.
In fact, 3 of the main pillars of the technology are:
The concern with blockchain technology is that, viewed from a GDPR perspective, several incompatibilities between the two can be foreseen, mainly Innovation and the Protection of Data.
The GDPR came into force to ultimately offer harmonised protection of personal data across the Member States. However, the question remains: can you be GDPR compliant whilst using blockchain technology? The use of blockchain technology must also comply with the requirements set out in the GDPR.
As highlighted in the European Union Blockchain Observatory & Forum report:
“GDPR compliance is not about the technology, it is about how the technology is used.”
Protection of Data via Blockchain Technology
The idea of the technology started with the impulse of having a blockchain-based system that serves as a Distributed Ledger Technology which records transactions of a cryptocurrency. Today, we have shifted from just having a system for cryptocurrencies to different use-cases in various industries.
Blockchain is a form of Distributed Ledger Technology which encompasses the improvement of several industries. The aim of such technology was to eliminate tampering with information and data by providing a distributed ledger as the solution.
In a traditional system an individual is required to share data with other individuals. When there is no trust between the individuals, then the sharing of data may become chaotic. In this regard, Blockchain offers a platform whereby an individual can control his data by sharing it on a secured platform. Whether this is an advantage or not in terms of the GDPR is debatable.
Opting for a Blockchain-based system can be seen as an alternative to the systems we are used to, such as cloud or server-based systems.
When using blockchain technology, personal data is encrypted and it is highly unlikely for it to be modified, let alone removed. To verify that the data was not modified, a user of Blockchain technology can cross-check all the ledgers on the nodes in the network. Pretty innovative, right?
Furthermore, given that Blockchain technology is decentralised, there is no central point from which it can be controlled.
Blockchain Technology uses a chain of blocks which records transactions, and thus makes it difficult for hackers to hack the technology, as it cannot be changed from a single location.
Having a public distributed technology which is completely decentralised gives the power of control of data back to the users as there are no intermediaries.
The incompatibility between the GDPR and Blockchain
While the power of control of data belongs to the data subject (the individual to whom the data relates), under the GDPR it is important to establish who is the controller and who is the processor. When a user uses Blockchain Technology – when the user places his data on the blockchain and thus would be transacting on the Blockchain – it becomes difficult to identify the controller as per the GDPR requirements.
Once personal data forms part of the Blockchain network, it cannot be removed or changed. Although this may be viewed as a secure mechanism provided by the network, in reality, from a GDPR perspective, this goes against data subject rights, in particular the Right of Rectification and the Right to Erasure.
The European Parliamentary Research Service (EPRS) proposed the following in their study:
It is still uncertain how EU Privacy Regulations can apply to emergent technologies such as Blockchain. For this reason, the EPRS does not propose the revision of the Regulation but the consideration of the GDPR as being unbiased towards technologies. They suggest that the use of Blockchain Technology should be viewed from a legal perspective in order to be able to take a case-by-case approach. The Study puts forward guidelines to the Authorities to work on compiling sector specific guidance.
2. Codes of Conduct and Certification
Since the GDPR is unbiased towards technologies, when tasked to consider data protection, codes of conduct and mechanisms of certification should be created and applied.
Research should be backed up and funded for researchers to carry out extensive studies on how a technological design could be adapted to the GDPR in order to have harmonised solutions.
When speaking about Blockchain Technology, we cannot generalise, as there are many use cases which use the technology. However, in order to be GDPR compliant, one needs to keep in mind that ultimately personal data needs to be secured and data subjects need to feel protected.
Blockchain Technology is highly innovative, but relatively new to today’s Digital Age. In time, Blockchain Technology will be able to address the Regulation and support it.
Ultimately what is important is that personal data remains secure and protected. If you had to compare the evolution of the internet with the evolution of Blockchain, today the internet cannot be fully compliant with GDPR, but its use cases can, and the same applies to Blockchain Technology.
Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice.