The EU Blockchain Observatory assumes block-chain technology to be compatible with the GDPR
Blockchain technology is characterized by distributed and immutable (personal) data storage. Therefore, at first sight, it seems that the use of blockchain technology to store personal data appears to be fundamentally incompatible with the General Data Protection Regulation (GDPR). Nevertheless, the EU Blockchain Observatory & Forum lately argued in a report that the use of blockchain technology can go hand in hand with the GDPR.
Die Blockchain-Technologie zeichnet sich durch eine verteilte und unveränderliche (persönliche) Datenspeicherung aus. Daher scheint es auf den ersten Blick so zu sein, dass der Einsatz der Blockchain-Technologie zur Speicherung personenbezogener Daten grundsätzlich unvereinbar mit der Datenschutz-Grundverordnung (DSGVO) ist. Dennoch hat das EU Blockchain Observatory & Forum kürzlich in einem Bericht argumentiert, dass der Einsatz von der Blockchain-Technologie Hand in Hand mit der DSGVO gehen kann.
The EU Blockchain Observatory and Forum (“Observatory”) published a report titled “Blockchain and the GDPR” on 16 October 2018 (“Report”)[i], assessing the compatibility of the use of blockchain technology with the EU General Data Protection Regulation (GDPR)[ii]. In order to harmonize data privacy laws, the GDPR has been applicable in all EU member states since 25 May 2018.
The Observatory was created by the European Commission on 1 Februar 2018 to document and monitor blockchain initiatives in Europe and to provide an effective forum for information and opinion sharing. The creation of the Observatory is meant to inspire common action and to accelerate the development of the blockchain ecosystem within the EU.[iii]
Blockchain technology provides for the reaching of consensus and the permanent recording of information without a central intermediary. The technology enables the decentralisation of data storage and processing. Blockchain technology is recognized as an effective tool to shape a transparent, fair, secure, inclusive and democratic economy.
The GDPR is relevant when personal data is included in a blockchain. Indeed, the use of blockchain technology makes it technically impossible to modify or withdraw the personal data as previously introduced in the chain. The global aspect of a blockchain can also be a challenge regarding the territorial scope of the GDPR. Moreover, as blockchains are decentralised, the identification of the data controller and the establishment of its responsibility under the GDPR are at issue.
In that respect, obvious tensions have arisen between the use of blockchain technology and the requirements of the GDPR. Following the recommendations of the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) in September 2018[iv], the Observatory believes that there are paths for reconciliation. The Report states: “while there are serious tensions, we do not believe that the GDPR means the end of blockchain innovation“[v].
Both reports (see our article on the CNIL recommendations (German only)) underline the points of friction between the use of blockchain technology and the GDPR and suggest solutions to these challenges.
The identification and responsibility of the data controller
Under the GDPR, the data controller is the person determining the purposes and means of processing personal data (Article 4 subpara 7). The data controller plays a key role in the regulation, as he /she receives data subjects’ claims and is ultimately accountable for compliance with the GDPR and liable in case of an infringement. For that reason, it is crucial to identify a data controller as soon as personal data is processed.
However, such provisions of the GDPR are challenging within the framework of blockchain technology. The decentralised functioning of the technology makes it difficult, if not impossible, to identify a data controller. Various actors have already been discussed as potential responsible parties: protocol developers, nodes and individual network users.
The Observatory does not support the identification of the protocol developers and nodes as data controllers. Rather, the Observatory advocates for the recognition of network users (signing and submitting transactions to the blockchain network) as the responsible persons as soon as they store personal data in the blockchain as part of a business activity (as service providers for example). However, when they store their own personal data for their own personal use, they fall under the household exemption (Article 2 para 2 subpara 2) and thus elude the applicability of the regulation.
The exercise of data subjects rights
Even if the controller was to be identified, the question of the exercise of data subjects’ rights would still be a challenge because of the fundamental nature of blockchain technology.
The GDPR grants certain rights to data subjects. Among other things, data subjects are entitled to request the rectification (right to have incorrect data adjusted), the erasure (“right to be forgotten”) and the restriction of processing of their personal data.
However, in principle the information recorded in a blockchain is immutable. It is indeed difficult, if not impossible, to rectify or remove personal data recorded on the blockchain without destroying the chain. According to the Observatory, “the whole point of such a blockchain is to ensure that transactions, including the parties to them, are never forgotten in order to enable decentralised trust.“[vi]
The Report does not really bring new ideas to address the problem. However, it mentions the French CNIL’s suggestion to use encryption coupled with key destruction in order to imitate the effects of erasure.
The anonymization of personal data
The GDPR does not apply to anonymized data, which is no longer considered to be personal data. In order to be valid within the meaning of the GDPR, the anonymization of the data must meet two conditions. First, it must not be possible to assign the data to the associated natural person at a reasonable cost. Second, it must be impossible to reverse the anonymization process and reconstitute the original data. Any techniques that do not fulfil these conditions are considered “pseudonymous” and remain subject to the GDPR.
In any case, personal data should not be stored in a clear way, i.e. unencrypted on the blockchain. Furthermore, reversibly encrypted data remains personal data as long as the key for decryption exists somewhere. Even though the Observatory considers hashing as a possible way to anonymize data, it also points out that not all hashing algorithms can equally protect personal data, and that the most advanced algorithms should always be preferred.
The preference for private blockchains
In order to comply with the GDPR’s requirements, the Observatory encourages the use of private, permissioned blockchain networks instead of public, permissionless networks. In a public permissionless network, anyone can become a node, and all nodes can add and access data without restriction. Risks to breach the GDPR are therefore higher. In that sense, the Observatory considers it “absolutely essential that the data [is] stored and processed in a blockchain that is as tightly controlled as possible.“[vii]
In any case, the Observatory recommends business entities to manage the personal data of users separately from the blockchain (“off-chain”) and to reserve the use of blockchain technology for business-to-business (B2B) applications. The Observatory assumes that “blockchain networks should be used to store immutable proofs that certain data exists, rather than to store the data itself“[viii].
The Observatory’s general guidelines to stakeholders
The Observatory provides entrepreneurs and innovators with four rule-of-thumb principles, which can be used when designing blockchain-based applications:
- Start with the big picture: how is user value created, how is data used and do you really need blockchain?
- Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption and aggregation techniques in order to anonymise data.
- Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks. Consider personal data carefully when connecting private blockchains with public ones.
- Continue to innovate, and be as clear and transparent as possible with users.[ix]
In a nutshell, the Observatory’s fourth rule-of-thumb expresses its supportive attitude towards the use of blockchain technology. The Report clearly does not seek to slow the growth of blockchain technology by emphasising its incompatibility with the European regulation, but rather aims to encourage innovation.
To this end, the Report’s conclusion is rather optimistic, as it mentions the “promising research and development efforts under way to make it easier for blockchain application developers to comply with the GDPR.“[x] The Observatory recognizes and encourages the projects exploring the opportunity for blockchain to “ensure the robust protection of personal data in decentralised systems“[xi]. It mentions for example ongoing projects on the use of “chameleon hashes”, which contain a “trapdoor” allowing the hashed data to be broken. The trapdoor could be used to open the block, change the data and regenerate the block[xii].
In our opinion, an official European clarification on the interaction between blockchain and the GDPR would be very welcome in order to comfort the actors of the blockchain industry and to promote innovation.
[i] Report available under https://www.eublockchainforum.eu/sites/default/files/reports/20181016_report_gdpr.pdf.
[ii] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC.
[iii] European Commission Website, https://ec.europa.eu/digital-single-market/en/eu-blockchain-observatory-and-forum.
[iv] CNIL, Solutions for a responsible use of the blockchain in the context of personal data, under https://www.cnil.fr/sites/default/files/atoms/files/blockchain.pdf.
[v] Report, p. 28.
[vi] Report, p. 25.
[vii] Report, p. 30.
[viii] Report, p. 29.
[ix] Report, p. 5.
[x] Report, p. 6.
[xii] Report, p. 31.