How can Article 17 GDPR and Blockchain technology reconcile with one another?
Written by Shrisha Sapkota
Blogger
Introduction
According to Article 173 TFEU, the European Union shall contribute to promoting policies for innovation and technological development to ensure the Union’s competitiveness[1]. A resolution from the European Parliament on DLTs and blockchains emphasises that it is of the utmost importance that DLT uses are compliant with EU legislation on data protection, notably the GDPR, and calls on the Commission and the European Data Protection Supervisor (EDPS) to provide further guidance on this[2]. Recognising the potential for blockchain technology to assist in aspects of data protection, whilst also remaining conscious of the implications and risks the technology imposes on data protection, is vital when considering the path of regulatory guidance in this area[3]. Moreover, the goals of the GDPR, such as giving data subjects more control over their data and transparency, can be achieved through blockchains: they uphold transparency by offering a transaction database without intermediaries, and they give individuals control over their personal data by allowing them to share information only with trusted parties. At the same time, there is a risk that the clash between Article 17 of the data protection legislation and blockchain renders the operation of blockchains unlawful[4], which would restrict the application of a revolutionary technology with the potential to encourage economic growth, benefit transactional processes and bring a new paradigm of data storage and governance[5]. Thus, it is important to research this topic and find ways in which the GDPR and blockchain technology could concord with one another.
The tension between the GDPR and these novel decentralised databases indeed reveals a clash between two normative objectives of supranational law: fundamental rights protection on the one hand, and the promotion of innovation on the other[6]. The GDPR was fashioned for a world where data is centrally collected, stored and processed, whereas blockchains decentralise these processes[7].
With a paradigm shift of such radical contours, it is difficult to apply a legal framework constructed for a sphere of centralisation to one of decentralisation[8]. Moreover, the lack of legal certainty on numerous concepts of the GDPR makes it hard to determine how the GDPR should apply both to this technology and to others[9]. For example, the definition of ‘erasure’ or ‘purpose’ in Article 17 is not clear and it is difficult to identify personal data or data controllers in a decentralised network such as a blockchain network[10].
The right to be forgotten conflicts with tamper evidence in the blockchain, which is regarded as the core value proposition of blockchain and one of its most heralded features[11].
Technical solutions
The European Data Protection Supervisor (EDPS) stresses the importance of enabling the manageability of personal data, i.e. their alteration, deletion and selective disclosure, as a means to protect people’s privacy[12]. Some technical solutions have been suggested, such as pruning, anonymisation techniques, the use of chameleon hashes and different encryption methods. In blockchain pruning, old transactions and blocks are deleted after a predefined amount of time, whereas old block headers containing the hashed version of the removed block data are maintained to ensure the integrity and security of the blockchain[13]. Similarly, developers are exploring the use of chameleon hashing, in which the hash function that connects each block to the previous one is replaced with a standard chameleon hash that contains a trapdoor; with knowledge of this trapdoor key, it is possible to replace the contents of the block. However, blockchains are designed to permanently record all transactions to ensure trust and integrity in the system, and introducing this technique can increase the chances of people maliciously rewriting the hashed object in the transaction without being identified[14]. Some have suggested storing data off-chain while keeping a near-immutable proof that the transaction occurred, referred to as a ‘zero-knowledge proof’[15]. Transactional data that is stored off-chain can be modified and minimised in line with these legal requirements without touching the distributed ledger itself[16]. However, the situation is more difficult in relation to the pseudonymous public keys, which cannot be retroactively removed from the ledger[17]. Nevertheless, the CNIL observes that it is technically impossible to grant a request for erasure made by a data subject when the data is registered on a blockchain[18].
Others have suggested that formalised procedures of transmitting a key to the data subject, or deleting the private key in a supervised setting, could amount to erasure for the purposes of the GDPR: the encrypted data would remain on-chain but could be accessed only by the data subject (through her exclusive control of the private key), or simply no longer be accessed at all[19]. The CNIL also recognises that some cryptographic methods may make the data “almost inaccessible”, but it questions the extent to which these solutions provide full compliance with the GDPR, as they do not “strictly speaking, result in an erasure of the data insofar as the data would still exist in the blockchain”[20]. The German framework accepts that data is not deleted in cases of non-automated processing where the specific mode of storage makes deletion impossible[21].
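As an added illustration of the off-chain storage and key-deletion approaches discussed above (example code written for this page, not code from the post or from any of the cited sources): the ledger holds only a salted commitment to each record, the personal data lives in a mutable off-chain store under a per-record key, and an erasure request deletes the record and its key while the chain itself is untouched and still verifies. The class and function names are hypothetical, the sample data is constructed, and the stream cipher is a stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import os
from typing import Optional

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher; placeholder for a real AEAD such as AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class Ledger:
    """Append-only chain whose blocks carry only a commitment, never the personal data."""
    def __init__(self) -> None:
        self.blocks = []  # (prev_hash, commitment, block_hash)
    def append(self, commitment: str) -> int:
        prev = self.blocks[-1][2] if self.blocks else "0" * 64
        block_hash = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.blocks.append((prev, commitment, block_hash))
        return len(self.blocks) - 1
    def verify(self) -> bool:
        prev = "0" * 64
        for p, c, h in self.blocks:
            if p != prev or hashlib.sha256((prev + c).encode()).hexdigest() != h:
                return False
            prev = h
        return True

class OffChainStore:
    """Mutable store of (salt, ciphertext, key) per record; erasure drops all three."""
    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records = {}  # block index -> (salt, ciphertext, key)
    def write(self, personal_data: bytes) -> int:
        salt, key = os.urandom(16), os.urandom(32)
        # Salted commitment: a bare hash of a name or IBAN could be brute-forced from the chain.
        commitment = hashlib.sha256(salt + personal_data).hexdigest()
        idx = self.ledger.append(commitment)
        self.records[idx] = (salt, keystream_xor(key, personal_data), key)
        return idx
    def read(self, idx: int) -> Optional[bytes]:
        rec = self.records.get(idx)
        if rec is None:
            return None  # erased (or never stored): only the commitment survives on-chain
        salt, ciphertext, key = rec
        plaintext = keystream_xor(key, ciphertext)
        # Integrity check: the recovered record must still match the immutable commitment.
        if hashlib.sha256(salt + plaintext).hexdigest() != self.ledger.blocks[idx][1]:
            raise ValueError("off-chain record does not match on-chain commitment")
        return plaintext
    def erase(self, idx: int) -> None:
        """Article 17 request: delete the record and its key; the ledger is left untouched."""
        self.records.pop(idx, None)
```

After `erase`, the commitment remains on the ledger as an unlinkable digest, which is exactly the residue the CNIL has in mind when it says the data "would still exist in the blockchain".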
Regulatory solutions
While the technical solutions determine how and what type of data is processed (anonymous, pseudonymised or encrypted) and focus on what the data and the architecture are, a regulatory solution focuses on data protection and on who processes the data and how it is processed[23].
It has been illustrated that regulatory guidance or initiatives could provide legal certainty to solve the tension. Oftentimes, the interpretation of core GDPR concepts is burdened by a lack of harmonious interpretations between the various supervisory authorities in the European Union[24]. In the absence of conclusive court decisions, regulatory guidance is useful to provide greater legal certainty[25].
In permissioned blockchains, where the number of nodes is limited, it is possible to tamper with data if the majority of the dominant nodes, or the specific entities (authorities or enterprises) in charge and legally accountable, vote for their version of the truth and amend the ledger without interrupting its functionality[26]. However, introducing mutability in permissionless blockchains is rather challenging[27].
It is suggested that the supervisory authorities could coordinate action with the European Data Protection Board to draft specific guidance on the application of the GDPR to blockchain technologies[28]. Updating opinions of the Article 29 Working Party that have not been endorsed by the European Data Protection Board (EDPB), so that they provide guidance on new developments such as anonymisation techniques, could also provide further legal certainty for the blockchain industry and beyond[29]. Moreover, certification mechanisms and codes of conduct could be included in the Regulation, whereby regulators and the private sector collaborate to ensure that the principles of European data protection law are respected and the GDPR’s overarching principles are applied to concrete contexts where personal data is processed[30]. These could be progressed and agreed between regulators and players within the industry, so that both may gain a more in-depth understanding, which may in turn lead to more practical approaches[31]. This has been done in cloud computing, where many solutions to similar problems arose after a code of conduct was deployed[32]. Article 40 GDPR foresees this possibility, and Article 42 GDPR encourages the establishment of data protection certification mechanisms in the form of data protection seals and marks to demonstrate compliance with the GDPR[33].
According to Article 6(1)(b) GDPR, processing is justified for the performance of a contract to which the data subject is a party when the processing is necessary for a purpose that is integral to the delivery of that contractual service to the data subject, and a withdrawal right cannot be invoked during the process[34]. Article 49(1)(a) GDPR foresees a solution, as a transfer of personal data to a third country or an international organisation is possible if the data subject has explicitly consented to the proposed transfer, after being informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards[35]. This could easily be implemented on a private blockchain where access is controlled and can be subjected to terms and conditions, but it is not obvious how such consent could be acquired in respect of a permissionless chain[36].
As it is difficult to identify a data controller in a permissionless system, designing an architecture in which (at least) one accountable entity is legally responsible for ensuring that the GDPR provisions are respected could ensure privacy compliance in blockchain protocols while also preserving the essential nature and usefulness of the blockchain[37]. Moreover, States may appoint a trusted private party for control and accountability in the chain, with the ability to validate the legality of the content and, if required, to modify the entire chronology of the chain or the metadata related to the blocks[38].
According to Article 6(1)(f), processing is justified when it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the interests and fundamental rights of the data subjects[39]. Thus, if a legitimate interest and a “controller” can be identified, the processing of personal data on blockchains can be justified within the GDPR[40].
According to Article 23(1)(e) GDPR, Union or Member State law may restrict the scope of the obligations and rights provided for in Articles 12 to 22 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, public health and social security matters[41]. The numerous advantages of blockchains, and their promise to transform healthcare, business and government services among other areas, could be regarded as a necessary and proportionate measure to protect public interests and may serve as a justification to restrict the scope of application of Article 17 GDPR to blockchains.
Overall, it has been observed that it might be possible to reconcile permissioned blockchains with Article 17 GDPR through the suggested means, but it seems very difficult to reconcile the two in a permissionless system. Hence, in my opinion, better regulatory guidance with a focus on blockchains, and a detailed understanding of the nature of all types of existing blockchains, could assist in the reconciliation of blockchain with Article 17 GDPR and other articles of the GDPR, because it would clarify how the GDPR could be applied to a technology like blockchain and help strike a balance between promoting the technology and making sure that the data and the rights of the data subject are protected. As broad uncertainties exist regarding the interpretation and application of this legal framework to the technology,[42] regulatory guidance could be useful to interpret and apply it to technologies like blockchain. A clear interpretation of the terms of the GDPR, with a focus on promoting blockchain technology while also guaranteeing compliance with the GDPR, could improve the understanding and application of both the regulation and the technology and allow the two to reconcile with one another.
Overall, blockchains are revolutionary technologies with many promises for the future. However, it has been difficult to apply a regulatory solution to them due to their structure, governance arrangements and perceived immaturity, and it is equally difficult to apply the existing regulations to the technology. Thus, it is important to consider ways in which the two could reconcile with one another, for the development of further innovation and the protection of the privacy of data subjects.
Resources
[1] Consolidated version of the Treaty on the Functioning of the European Union [2012] OJ C 326, art 173.
[2] European Parliament resolution of 3 October 2018 on distributed ledger technologies and blockchains: building trust with disintermediation (2017/2772(RSP)) [2020] OJ C 11/7.
[3] Gibraltar Regulatory Authority, ‘Discussion paper regarding blockchain and the EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004’ (IR05/19, 20 February 2020).
[4] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 88.
[5] Gwyneth Iredale, ‘6 Key Blockchain Features You Need to Know Now’ (101 Blockchains, 25 November 2020) <https://101blockchains.com/introduction-to-blockchain-features/> accessed 7 October 2021; ‘Blockchain and the GDPR’ (The European Union Blockchain Observatory and Forum) Thematic Report <https://www.eublockchainforum.eu/reports/blockchain-and-gdpr>.
[6] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 17-35.
[7] Ibid.
[8] Ibid.
[9] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), pp.1-101 <https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf> accessed 12 September 2021.
[10] ‘The GDPR and the Blockchain Technology’ (Website of the Republic of Poland, 21 November 2019) <https://www.gov.pl/web/digitalization/working-group-on-dlt-and-blockchain> accessed 17 September 2021.
[11] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 90.
[12] European Data Protection Supervisor (EDPS), ‘Opinion 5/2018, Preliminary Opinion on privacy by design’ (31 May 2018).
[13] Eugenia Politou and others, ‘Blockchain Mutability: Challenges and Proposed Solutions’ (2019) PP IEEE Transactions on Emerging Topics in Computing, pp. 1-1.
[14] Yangguang Tian and others, ‘Policy-Based Chameleon Hash for Blockchain Rewriting with Black-Box Accountability’, Annual Computer Security Applications Conference (Association for Computing Machinery 2020) <https://doi.org/10.1145/3427228.3427247>.
[15] Gibraltar Regulatory Authority, ‘Discussion paper regarding blockchain and the EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004’ (IR05/19, 20 February 2020).
[16] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 17-35.
[17] Ibid.
[18] ‘Solutions for a Responsible Use of the Blockchain in the Context of Personal Data’ (CNIL, September 2018) <https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf> accessed 29 November 2021.
[19] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 107.
[20] ‘Solutions for a Responsible Use of the Blockchain in the Context of Personal Data’ (CNIL, September 2018) <https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf> accessed 29 November 2021.
[21] Bundesgesetzblatt Jahrgang 2017, ‘Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/ 679 und zur Umsetzung der Richtlinie (EU) 2016/680’ (44, 5 July 2017), art 35.
[22] Anne Toth, ‘Will GDPR Block Blockchain?’ (World Economic Forum) <https://www.weforum.org/agenda/2018/05/will-gdpr-block-blockchain/> accessed 11 October 2021.
[23] Gianluigi Maria Riva, ‘What Happens in Blockchain Stays in Blockchain. A Legal Solution to Conflicts Between Digital Ledgers and Privacy Rights’ (2020) 3 Frontiers in Blockchain 36, pp. 1-18.
[24] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), p. 96.
[25] Gibraltar Regulatory Authority, ‘Discussion paper regarding blockchain and the EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004’ (IR05/19, 20 February 2020).
[26] Eugenia Politou and others, ‘Blockchain Mutability: Challenges and Proposed Solutions’ (2019) PP IEEE Transactions on Emerging Topics in Computing, p. 6.
[27] Ibid.
[28] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), p. IV.
[29] Ibid.
[30] Michèle Finck (n 19) 98.
[31] Gibraltar Regulatory Authority, ‘Discussion paper regarding blockchain and the EU General Data Protection Regulation 2016/679 and the Data Protection Act 2004’ (IR05/19, 20 February 2020).
[32] Ibid.
[33] General Data Protection Regulation, art 40; General Data Protection Regulation, art 42; Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), p. 99.
[34] European Data Protection Board, ‘Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects’ (9 April 2019) para 30; General Data Protection Regulation, art 6 (1) (b).
[35] General Data Protection Regulation, art 49.
[36] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 103.
[37] Gianluigi Maria Riva (n 23) 15.
[38] Gianluigi Maria Riva (n 23) 14.
[39] General Data Protection Regulation, art 6(1)(f).
[40] Ibid.
[41] General Data Protection Regulation, art 23(1)(e).
[42] Ibid.