Blockchain is predominantly a decentralised public ledger based on an open source software where transactions are processed, recorded and confirmed anonymously. Originally used by Bitcoin, it’s a record of events that is shared between many parties. More importantly, once information is entered, it cannot be altered.
The decentralised blockchain is not located on just one terminal or location but is actually managed by distributed nodes. These nodes all have a copy of the entire blockchain. They continuously come and go, synchronising their own copies of the chain with those of other users. By distributing copies and access, the chain cannot simply “go down,” or disappear.
Blockchain is frequently considered as one of the most disruptive technologies since the advent of the Internet, and has the potential to revolutionise the industry as we know it today. Fast forward a couple of years, we could soon see a new ecosystem with a blockchain backbone where every natural or legal person will have a digital ascertained identity from national EID registers. Each EID will be coupled with an ascertained digital advanced electronic signature. In addition, assets being tangible or intangible, movable or immovable and virtual currencies will be morphed and pegged as digital assets in national public electronic registers or private sub-ledgers of banks or credit institutions or similar entities certified by public bodies. These assets will in turn all have monetary value which can be traded easily between digital identities on a blockchain given a unique ID. The trading will in turn be executed by virtue of smart contracts (code) in a totally decentralised fashion, but still remain subject to the laws of the day, be it sale, exchange, loan etc. with any legal requirement executed in an automated fashion as part of the derivative elements in the smart contract. The latter covers the whole transaction ecosystem (ex ante, during the deal and ex post) including settlement of all fiscal issues and all regulatory requirements.
The purpose of this article is to briefly try and capture possible GDPR conditions and obligations which have to be part of any successful blockchain deployment. Thus, a GDPR loop is embedded in a blockchain and at the heart of any future blockchain ecosystem. In all probability, the majority, if not all the elements mentioned hereunder, will need to be catered for at the design stage of the blockchain. Here privacy by design principles, accountability principles as well as security principles and parameters need to be in place as mandated by the GDPR.
Let’s focus on some specific issues; personal data will be processed (collected, stored, relayed, shared, accessed, encrypted etc) (vide Article 4(1) as well as Recital 26 of the GDPR) according to Article 5 of the GDPR. This has to be processed in all instances and regardless of the medium, ‘lawfully, fairly and in a transparent manner in relation to the data subject’. If special categories of data will be processed, blockchain will also need to cater for this scenario. This obligation, along with the rights available to the data subjects and the mechanisms for compliance, will need to be assessed on a case-by-case basis. If different data processing activities are involved, each processing activity with a specified, explicit and legitimate purpose will need to be established, catering for a data minimisation principle which will also need to be fair and transparent to any data subject and legitimised for the actual processing. Inherently all these criteria will also need to extend to any derivative (ex smart contract) which is embedded in the blockchain. A privacy impact assessment (PIA) would also need to be carried out where automated processes and decisions are involved. Specifically on PIA, blockchain will also need to cater for the identification of controllers, co-controllers and data processors and the function and role of a DPO, in particular where he/she might be required to map the data that is being processed, do an impact assessment or carry out a data protection audit.
The blockchain must also cater for the rights of the data subjects, particulary the right to request access to all their data being processed, to have their personal data updated or corrected, and to the right to object to certain processing. Data subjects also have the right not to be subject to a decision based on automated processing and to object to such decision, to stop or erase all or part of their personal data as well as the right to port their data. Some of these rights will be very challenging for the blockchain; for example the right of erasure, which inherently goes against the basic concept of immutability of data on a chain.
The blockchain also needs to address privacy risks and to empower the Controllers (vide Article 25) at the time of determining the means for processing and the processing itself, to implement appropriate technical and organisational measures in line with data protection principles (eg data minimisation, tokenisation, pseudonimisation). Blockchain will also need to include processes to alert data controllers and processors where there are risks of security breaches and in certain cases also enable the required notifications as established under the GDPR.
Given the decentralised nature of blockchain and the requirement for security and accountability obligations under the GDPR, it is envisaged that blockchain design will need to factor and cater for instances where cloud computing is used. In all likelihood, blockchain will also have embedded in it pre-set data protection and privacy ISO standards which will be obligatory for all users of the blockchain. As an offshoot of this, blockchain will also need to cater for the legitimate transferring and restriction of processing of personal data to third countries in line with the GDPR requirement.
The GDPR will inherently need to be an intrinsic loop in blockchain use and deployment and at the heart of any future blockchain ecosystem. Certain principles are, per se, all unchartered territory for Data Protection Authorities as well as blockchain developers and users. However, privacy by design and GDPR compliance should be a top priority in order to mitigate regulatory and security risks, uncertainty, as well as to foster a more certain environment for blockchain deployment.
For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.