Blockchain Technology vis-à-vis the GDPR

Many of you might heard about the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) and Blockchain Tech­nol­o­gy, but how can they relate to one anoth­er?

Blockchain tech­nol­o­gy is a promi­nent tech­nol­o­gy which can be defined as a sequen­tial record of data dis­trib­uted and man­aged via com­put­ers. Blockchain tech­nol­o­gy is not just used for cryp­tocur­ren­cies, but also in sev­er­al oth­er indus­tries depend­ing on the use case.

When it comes to deter­min­ing the con­troller of blockchain there is no cen­tral author­i­ty which con­trols this dis­trib­uted tech­nol­o­gy.

In fact, 3 of the main pil­lars of the tech­nol­o­gy are:

  • Decen­tral­i­sa­tion
  • Trans­paren­cy
  • Immutabil­i­ty

The con­cern with blockchain tech­nol­o­gy is that if you had to look at it from a GDPR per­spec­tive you would be able to fore­see sev­er­al incom­pat­i­bil­i­ties between the two, main­ly Inno­va­tion and the Pro­tec­tion of Data

The GDPR came into force to ulti­mate­ly offer har­monised pro­tec­tion of per­son­al data across the Mem­ber States. How­ev­er, the ques­tion remains whether you can be GDPR com­pli­ant whilst using blockchain tech­nol­o­gy? The use of blockchain tech­nol­o­gy shall also com­ply with the require­ments set out in the GDPR.

GDPR Requirements - Infographic

As high­light­ed in the Euro­pean Union blockchain obser­va­to­ry & forum Report:

GDPR com­pli­ance is not about the tech­nol­o­gy, it is about how the tech­nol­o­gy is used.”

Protection of Data via Blockchain Technology

The idea of the tech­nol­o­gy start­ed with the impulse of hav­ing a blockchain-based sys­tem that serves as a Dis­trib­uted Ledger Tech­nol­o­gy which records trans­ac­tions of a cryp­tocur­ren­cy. Today, we have shift­ed from just hav­ing a sys­tem for cryp­tocur­ren­cies to dif­fer­ent use-cas­es in var­i­ous indus­tries.

Blockchain is a form of Dis­trib­uted Ledger Tech­nol­o­gy which encom­pass­es the improve­ment of sev­er­al indus­tries. The aim of such tech­nol­o­gy was to abol­ish the inter­fer­ing with infor­ma­tion and data by pro­vid­ing a dis­trib­uted ledger as the solu­tion.

In a tra­di­tion­al sys­tem an indi­vid­ual is required to share data with oth­er indi­vid­u­als. When there is no trust between the indi­vid­u­als, then the shar­ing of data may become chaot­ic. In this regard, Blockchain offers a plat­form where­by an indi­vid­ual can con­trol his data by shar­ing it on a secured plat­form. Whether this is an advan­tage or not in terms of the GDPR is debat­able.

Opt­ing for a Blockchain based sys­tem can be seen as an alter­na­tive to the sys­tems we are used to; such as cloud or serv­er-based sys­tems.

When using blockchain tech­nol­o­gy per­son­al data is encrypt­ed and it’s high­ly unlike­ly for it to be mod­i­fied, let alone removed. To ver­i­fy that the data was not mod­i­fied, a user of Blockchain tech­nol­o­gy can cross check all the ledgers on the nodes in the net­work. Pret­ty Inno­v­a­tive right?

Fur­ther­more, giv­en that Blockchain tech­nol­o­gy is decen­tralised, there is no cen­tral point from which it can be con­trolled.

Blockchain Tech­nol­o­gy uses a chain of blocks which record trans­ac­tions and thus makes it dif­fi­cult for hack­ers to hack the tech­nol­o­gy as it can­not be changed from a sin­gle loca­tion.

Hav­ing a pub­lic dis­trib­uted tech­nol­o­gy which is com­plete­ly decen­tralised gives the pow­er of con­trol of data back to the users as there are no inter­me­di­aries.

The incompatibility between the GDPR and Blockchain

While the pow­er of con­trol of data belongs to the data sub­ject (the indi­vid­ual to whom the data relates), under the GDPR it is impor­tant to estab­lish who is the con­troller and who is the proces­sor. When a user uses Blockchain Tech­nol­o­gy — when the user places his data on the blockchain and thus would be trans­act­ing on the Blockchain — it becomes dif­fi­cult to iden­ti­fy the con­troller as per the GDPR require­ments.

Once per­son­al data forms part of the Blockchain net­work, it can­not be removed or changed. Albeit this may be viewed as a secure mech­a­nism pro­vid­ed by the net­work, in real­i­ty from a GDPR per­spec­tive this goes against data sub­ject rights; in par­tic­u­lar the Right of Rec­ti­fi­ca­tion and the Right to Era­sure.

The Euro­pean Par­lia­men­tary Research Ser­vice (EPRS) pro­posed the fol­low­ing in their study:

1. Guid­ance

It is still uncer­tain how EU Pri­va­cy Reg­u­la­tions can apply to emer­gent tech­nolo­gies such as Blockchain. For this rea­son, the EPRS does not pro­pose the revi­sion of the Reg­u­la­tion but the con­sid­er­a­tion of the GDPR as being unbi­ased towards tech­nolo­gies. They sug­gest that the use of Blockchain Tech­nol­o­gy should be viewed from a legal per­spec­tive in order to be able to take a case-by-case approach. The Study puts for­ward guide­lines to the Author­i­ties to work on com­pil­ing sec­tor spe­cif­ic guid­ance.

2. Codes of Con­duct and Cer­ti­fi­ca­tion

Since the GDPR is unbi­ased towards tech­nolo­gies, when tasked to con­sid­er data pro­tec­tion, codes of con­duct and mech­a­nisms of cer­ti­fi­ca­tion should be cre­at­ed and applied.

3. Back­ing

Research should be backed up and fund­ed for researchers to car­ry out exten­sive stud­ies on how a tech­no­log­i­cal design could be adapt­ed to the GDPR in order to have har­monised solu­tions.

Generalising?

When speak­ing about Blockchain Tech­nol­o­gy, we can­not gen­er­alise as there are many use cas­es which uses the tech­nol­o­gy. How­ev­er, in order to be GDPR Com­pli­ant one needs to keep in mind that ulti­mate­ly per­son­al data needs to be secured and data sub­jects need to feel pro­tect­ed.

Blockchain Tech­nol­o­gy is high­ly inno­v­a­tive, how­ev­er rel­a­tive­ly new to today’s Dig­i­tal Age. By time, Blockchain Tech­nol­o­gy will be able to address the Reg­u­la­tion and sup­port it.

Ulti­mate­ly what is impor­tant is that per­son­al data remains secure and pro­tect­ed. If you had to com­pare the evo­lu­tion of the inter­net with the evo­lu­tion of Blockchain, today the inter­net can­not be ful­ly com­pli­ant with GDPR, but its use cas­es can, and the same applies to Blockchain Tech­nol­o­gy.

Dis­claimer: The above-men­tioned arti­cle is sim­ply based on inde­pen­dent research car­ried out by Dr. Wern­er and Part­ner and can­not con­sti­tute any form of legal advice. If you would like to meet up with any of our rep­re­sen­ta­tives to seek fur­ther infor­ma­tion, please con­tact us for an appoint­ment.

About Dr. Rebecca Mifsud

Dr Rebec­ca Mif­sud, born 6th May 1994, attend­ed the Uni­ver­si­ty of Mal­ta and is an LLB Hon­ours grad­u­ate. She also grad­u­at­ed in the Mas­ters in Advo­ca­cy and will be sit­ting for her Mal­ta War­rant Exam in 2019. She suc­cess­ful­ly defend­ed her dis­ser­ta­tion enti­tled: ‘Imput­ing respon­si­bil­i­ty for foot­ball injuries inflict­ed by minors in the Mal­tese sce­nario,’ in 2017.

View All Posts

Leave a Reply

Your email address will not be published.