Two years on since the implementation of the GDPR, the EU’s data protection law, some significant fines have been handed out to the likes of Google, British Airways, and Marriott. Despite this, the regulation has only begun to scratch the surface of its broader goals of improving data protections for all.
Last year was the “worst year on record” for the number of breaches worldwide, with 7.9 billion records exposed and tens of thousands of reported leaks in the EU alone. What’s more, 2020 is already on track to set a new record, with 5 billion records leaked this year in the USA alone.
Emerging technologies seem to have been neglected too. Blockchain, which stores data in a transparent and unalterable way, has had an unclear standing with the GDPR since the regulation was implemented. Now that regulators in Europe have caught up with addressing their early concerns with the technology, including how to regulate initial coin offerings (ICOs) and tax cryptocurrencies, attention has slowly begun to turn to privacy and data protection.
Last summer, the European Parliament published a study asking whether blockchain can be squared with the GDPR, pointing out that there were “multiple points of tension” between the two. As regulators buckle down on privacy and data protection across the continent, could blockchain be next on the chopping block?
The core conflicts between the GDPR and blockchain
The first core conflict is to do with blockchain’s central purpose – unchangeable records. One of the principles of the GDPR is “storage limitation,” which means data should not be kept for longer than is necessary for the purposes for which the personal data is processed. Another is the “right to erasure,” which means users have the right to have their personal data erased within one month of a request. The problem is that for most blockchain systems, data is permanently written onto a ledger and cannot be removed.
The second core conflict is to do with how blockchains are governed, which could mean that everyone participating in a blockchain’s consensus can be considered a data “controller.” However, most decentralised blockchain systems are governed by participants far removed from the blockchain’s original developers. It is the “controllers” and “processors” of personal data who have the liability to uphold the GDPR, so when responsibility is distributed among hundreds or thousands of individuals across the world, who is responsible for data breaches?
CNIL, the French data regulator, already has an answer to this question. In a report published in 2018, CNIL concluded that in many cases, all participants can be considered “controllers.” In the report’s action plan were proposals to work with European counterparts to establish a foundation for inter-regulation of blockchain. Still, almost two years later, CNIL remains the only European regulator to have published guidance on blockchain.
Solutions in the face of regulatory uncertainty
Although complete erasure of personal data may not be possible, sufficient deletion could meet the demands of regulators. For example, deleting the key to decrypt personal data makes it inaccessible without actually removing it – a simple solution to a problem some thought could not be reconciled. Storing personal data in an off-chain database is another solution.
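To make the key-deletion approach concrete, here is an added example (not code from the article or any project it names) of an append-only ledger that holds only AES-256-GCM ciphertext, with each data subject’s key kept in a separate off-chain store; an erasure request deletes the key, and the on-chain record stays in place but can no longer be read. The subject identifiers, the in-memory `Ledger` and `KeyStore` types and the function names are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Entry is one immutable ledger record: only ciphertext and nonce go on-chain.
type Entry struct{ Nonce, Cipher []byte }

// Ledger is append-only (no update or delete); KeyStore is the off-chain key table.
type Ledger struct{ Entries []Entry }
type KeyStore map[string][]byte

func aead(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(blk) // AES block cipher: cannot fail
	return gcm
}

// Record encrypts pii under a fresh per-subject key that lives only in ks and
// appends the ciphertext to the ledger; the returned index is the on-chain reference.
func Record(l *Ledger, ks KeyStore, subject string, pii []byte) int {
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	ks[subject] = key
	// The subject id is bound as associated data so a record cannot be re-attributed.
	ct := aead(key).Seal(nil, nonce, pii, []byte(subject))
	l.Entries = append(l.Entries, Entry{nonce, ct})
	return len(l.Entries) - 1
}

// Read decrypts one ledger entry; after Erase it fails permanently, even though
// the ciphertext is still on-chain.
func Read(l *Ledger, ks KeyStore, subject string, idx int) ([]byte, error) {
	key, ok := ks[subject]
	if !ok {
		return nil, errors.New("key erased: entry is unreadable")
	}
	if idx < 0 || idx >= len(l.Entries) {
		return nil, errors.New("no such entry")
	}
	e := l.Entries[idx]
	return aead(key).Open(nil, e.Nonce, e.Cipher, []byte(subject))
}

// Erase honours an erasure request by deleting only the off-chain key.
func Erase(ks KeyStore, subject string) { delete(ks, subject) }
```

The same separation is what the off-chain database option relies on: the ledger only ever references personal data it cannot reveal on its own.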
Another consideration is that GDPR is principles-based regulation, designed to be “technologically neutral” and future-proofed. There is no such thing as GDPR-compliant blockchain technology; only GDPR-compliant use cases and applications.
With this in mind, technology developers should not be left to their own devices; they should instead work closely with privacy and legal teams to develop systems with legroom to adjust to future clarity from regulators. If they do not, they could risk “poisoning” their blockchain with irreversible issues.
GDPR and blockchain going forward
There is much more left to be uncovered on the subject of the GDPR and blockchain technology. In addition to the two core conflicts mentioned above, the European Parliament study mentioned earlier laid out 18 crucial unanswered questions, including:
- Is anonymisation an effective means of provoking the “erasure” of data for the purposes of Article 17?
- Should the anonymisation of data be evaluated from the controller’s perspective, or also from the perspective of other parties?
- What is the scope of a data controller’s responsibility under the GDPR? Is responsibility limited to the (joint-) controller’s responsibilities, powers, and capacities?
- How is the purpose of personal data processing to be evaluated in relation to blockchains in light of the purpose limitation principle? Does this only encompass the initial purpose (the transaction) or does it also encompass the continued storage of the data and its further processing, such as to achieve consensus?
- Can a data subject be a data controller in relation to personal data that relates to themselves?
- Is the off-chain storage of transactional data a means of complying with the data minimisation principle?
On the whole, the report agrees that “it is impossible to state that blockchains are, as a whole, either completely compliant or incompliant with the GDPR.” But with many more questions than answers, to many, it may seem absurd that despite blockchain predating the GDPR, the regulation was written without blockchain in mind. Going forward, the European Data Protection Board should coordinate with national regulators to work on blockchain guidelines. As long as they do not, innovation and investment in blockchain will be curtailed by uncertainty.
Embracing blockchain could also provide opportunities for helping to achieve some of the GDPR’s objectives, as the European Parliament study acknowledged. Blockchain can be designed to enable data-sharing without the need for a central intermediary and offer transparency as to who has accessed data.
Moreover, blockchain-based smart contracts can automate the sharing of data, reducing transaction costs, and can be used to register consent and detect breaches. Protocols such as Civic, Sovrin, and Ontology have also shown that blockchain can effectively give users control of their own digital identities.
It is unclear when blockchain will be back on the agenda for regulators. Blockchain was listed as a “possible topic” on the European Data Protection Board’s (EDPB) 2019/2020 work program. However, looking at the agenda for each of the plenary sessions in the first half of this year, blockchain has not been mentioned once. Instead, we see more expected topics, such as contact tracing apps and the reopening of borders amid a pandemic.
In May, TikTok also drew attention in Europe after the Dutch data regulator launched an investigation into the hugely popular social media platform. Meanwhile, Ireland’s data regulator, which is handling some of the EU’s most significant cases, is severely backlogged. It seems the blockchain industry will have to wait in line to receive what Dr Michèle Finck of the European Parliament study stresses is needed: a clear regulatory framework. Only then can Europe start to benefit from the potential of blockchain technology.
You can read more on the subject in the EU Blockchain Observatory and Forum’s report on blockchain and the GDPR: https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf.