News

EU study: ‘Blockchain and the General Data Protection Regulation – Can distributed ledgers be squared with European data protection law?’

On 24 July 2019, the European Parliament published a study analysing the relationship between blockchain technology and the GDPR, with the aim of identifying existing tensions and proposing possible solutions. Many academics hold that blockchain technology is, by its very nature, incompatible with the GDPR, and that this inability to comply will hinder progress to the detriment of the European digital single market project.

The tensions between blockchain and the GDPR

The tensions between blockchain and the GDPR can be said to broadly branch out from two factors.

Firstly, the GDPR is built on a centralised model that assigns a data controller to each data processing operation. Each data controller carries obligations and responsibilities to ensure that processing occurs in line with GDPR requirements. Blockchains, on the other hand, replace a single accountable actor with many different participants. Decentralisation, one of the cornerstones of blockchain technology, therefore makes the allocation of responsibility and accountability problematic.

Secondly, the GDPR assumes that a data subject's personal data can always be erased or modified where necessary. One of the key characteristics of blockchain technology, however, is the immutability of recorded data, which is precisely what guarantees data integrity and increases trust in the network.

A further example of such tension concerns the principles of data minimisation and purpose limitation, which are difficult to apply to DLTs, since these are designed to replicate data and store copies across many nodes.

The analysis of these tensions leads to two conclusions. Firstly, the inherent nature of blockchain does indeed make GDPR compliance challenging, so blockchain architects must design systems to be compliant-by-design from the outset. Secondly, the study finds “significant conceptual uncertainties” in the GDPR itself (for instance, what exactly the notion of ‘erasure’ requires) that make it difficult to determine how the Regulation should apply to blockchain and to other technologies.

The study goes into considerable depth on possible methods of making blockchains GDPR-compliant, including encryption, zero-knowledge proofs, storing personal data in an off-chain database, multisig arrangements and destroying the private key used to encrypt a block, so that the on-chain ciphertext becomes unreadable. The author also notes, however, that anonymising data too effectively may create problems for anti-money laundering and countering the financing of terrorism. The GDPR is largely concerned with protecting individuals' data from misuse by private companies and other individuals, rather than from governments.
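The following is an added example, not code from the study or from this article, illustrating two of the methods listed above: keeping personal data off-chain with only a commitment on-chain, and “erasing” by destroying the key. The names `Ledger`, `OffChainStore`, `store_record` and so on are hypothetical, and a keyed HMAC-SHA256 stands in for full encryption, since the point being shown is linkability rather than confidentiality. It also shows the check a practitioner should run first: an unkeyed hash of personal data (an e-mail address, a date of birth) is not anonymous, because anyone holding the ledger can confirm a guess against it.

```python
"""Off-chain personal data, on-chain commitments, and erasure by key destruction.

Added example for illustration; not the study's or the article's own code.
Standard library only. A per-record random HMAC key stands in for an
encryption key: once it is destroyed, the on-chain value can no longer be
verified or linked to any candidate input.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Ledger:
    """Hypothetical append-only ledger: entries are never edited or removed."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    def append(self, record_id: str, commitment: str) -> None:
        self.entries.append((record_id, commitment))

    def lookup(self, record_id: str) -> Optional[str]:
        for rid, commitment in self.entries:
            if rid == record_id:
                return commitment
        return None


@dataclass
class OffChainStore:
    """Hypothetical mutable store under the controller's control."""
    data: Dict[str, str] = field(default_factory=dict)
    keys: Dict[str, bytes] = field(default_factory=dict)


def naive_commit(personal_data: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but any party holding the ledger can
    confirm a guessed input against it (see link_by_guessing)."""
    return hashlib.sha256(personal_data.encode("utf-8")).hexdigest()


def keyed_commit(key: bytes, personal_data: str) -> str:
    """HMAC-SHA256 under a random per-record key. Without the key no guess can
    be confirmed, so destroying the key strips the on-chain value of meaning."""
    return hmac.new(key, personal_data.encode("utf-8"), hashlib.sha256).hexdigest()


def store_record(ledger: Ledger, store: OffChainStore,
                 record_id: str, personal_data: str) -> str:
    """Keep the data and its key off-chain; put only the commitment on-chain."""
    key = secrets.token_bytes(32)
    store.keys[record_id] = key
    store.data[record_id] = personal_data
    commitment = keyed_commit(key, personal_data)
    ledger.append(record_id, commitment)
    return commitment


def verify_record(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """Integrity check: recompute the commitment from off-chain data and key and
    compare it with the immutable on-chain value."""
    key = store.keys.get(record_id)
    data = store.data.get(record_id)
    on_chain = ledger.lookup(record_id)
    if key is None or data is None or on_chain is None:
        return False
    return hmac.compare_digest(on_chain, keyed_commit(key, data))


def erase_record(store: OffChainStore, record_id: str) -> None:
    """'Erasure' without touching the ledger: delete the off-chain data and
    destroy the key. The commitment stays on-chain but is now unverifiable."""
    store.keys.pop(record_id, None)
    store.data.pop(record_id, None)


def link_by_guessing(commitment: str, candidates: List[str]) -> Optional[str]:
    """What an observer with only the ledger can do: hash each guess and compare.
    Succeeds against naive_commit, fails against keyed_commit."""
    for guess in candidates:
        if hmac.compare_digest(naive_commit(guess), commitment):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample input, not real personal data.
    ledger, store = Ledger(), OffChainStore()
    subject = "alice@example.com"
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]

    print("naive hash linkable to:", link_by_guessing(naive_commit(subject), guesses))
    commitment = store_record(ledger, store, "rec-1", subject)
    print("keyed commitment linkable to:", link_by_guessing(commitment, guesses))
    print("verifies before erasure:", verify_record(ledger, store, "rec-1"))
    erase_record(store, "rec-1")
    print("verifies after erasure:", verify_record(ledger, store, "rec-1"))
    print("ledger entries still present:", len(ledger.entries))
```

Two caveats follow from the study's own findings. Whether leaving an unverifiable commitment on-chain amounts to ‘erasure’ is exactly the conceptual uncertainty the study flags, so this pattern reduces risk rather than settling the legal question. And the erasure is only as good as the off-chain deletion: the key and data must also be purged from backups and replicas, which is where the controller's real obligations remain.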

Case-by-case analysis

The study emphasises that one cannot class all blockchains as either compliant or non-compliant with the GDPR. Compliance depends on the particular use case and therefore requires a “case-by-case” assessment, with each deployment examined on its own merits. The study concludes that “it is easier to design private and permissioned blockchains in a manner that is compatible with EU data protection law than public and permissionless networks.” This is because such systems are designed to allow control over the network (for instance, so that personal data can be handled in a compliant manner), to control which actors have access to the relevant personal data, and to be made up of participants who are known to one another.

Policy Options

The study holds that the GDPR should not be revised to accommodate new and evolving technologies. On the contrary, the GDPR is technology-neutral and designed to stand the test of time in a fast-moving data economy. The study therefore proposes the following policy options:

1) Regulatory Guidance

Many of the GDPR's key concepts remain unclear. In addition, the study finds that blockchain technologies challenge core assumptions of EU data protection law, such as data minimisation and purpose limitation. According to the author, “what is needed to increase legal certainty for those wanting to use blockchain technologies is regulatory guidance regarding how specific concepts ought to be applied where these mechanisms are used.”

Regulatory guidance is recommended in two forms:

  • Specific guidance from the EDPB[1] on the application of GDPR to blockchain technologies
  • The EDPB endorsing and updating the Article 29 Working Party opinions such as those on anonymisation techniques.

2) Support codes of conduct and certification mechanisms

The GDPR itself encourages a co-regulatory approach whereby regulators and the private sector create mechanisms and codes of conduct that help apply the GDPR's overarching principles to the concrete contexts in which personal data is processed. The aim is to promote technology that is “compliant-by-design”.

3) Research Funding

The study concludes that the policy options above will not be sufficient on their own, because some compliance issues stem from technical limitations (such as the problem of deleting on-chain data). It recommends allocating funding for interdisciplinary research aimed at finding solutions to these limitations.

Article written by Dr Ian Gauci and Legal Trainee Mr Gigi Gatt.

For more information on Blockchain, Data Protection & Privacy please contact Dr Ian Gauci on igauci@gtgadvocates.com

This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.


[1] European Data Protection Board