What is the tension between blockchain technology and the General Data Protection Regulation (GDPR)?

Written by Shrisha Sapkota

Blogger


 

Features of Blockchain technology and their advantages:

 

Decentralised Data Storage

 

As blockchain uses a distributed ledger, transactions and data are recorded identically in multiple locations[1]. Blockchains offer the promise of the decentralised handling of data and of data sovereignty, a concept that focuses on giving individuals control over their personal data and allowing them to share[2] this information only with trusted parties[3]. Blockchain networks achieve resilience through replication[4]. The ledger’s data is resilient because it is simultaneously stored on many nodes, so that even if one or several nodes fail, the data goes unaffected[5]. In light of such replication, there is no central point of failure or attack at the hardware level[6]. The distributed storage of data has numerous benefits: a single centralised party is prevented from tampering with the data; there is no master copy, hence no single point of failure, which reduces the chances of a possible attack succeeding; and there is less risk of a denial-of-service attack[7]. Without blockchain, each organisation has to keep a separate database, and the traditional paper-heavy processes are time-consuming, prone to human error and often require third-party mediation[8]. By streamlining these processes with blockchain, transactions can be completed faster and more efficiently, in place of documentation that needs the exchange of paper and the reconciliation of multiple ledgers[9]. Through its design, a distributed ledger moreover reduces verification costs (the cost of verifying a transaction’s attributes) and networking costs, as it can bootstrap and operate a marketplace without the need for an intermediary[10].

 

Consensus Protocols

 

A consensus protocol allows all nodes of the blockchain, and of DLTs in general, to agree on a single version of the truth, i.e. on the transactions and the order in which these are listed on the newly-mined block, without the need for a trusted third party[11]. In the blockchain system, transactions can be recorded by any of the network nodes, and all the nodes participating in the network can record and check the transactions and access the information contained in the blocks and the chronology of the block sequence. The nodes contain software to analyse whether the transactions that have occurred correspond with the formal information of the preceding set of blocks, and the data within blocks remains there permanently so that it can be verified[12]. Thus, to modify the information contained in one block and validate the transaction, the majority of the nodes must approve the proposed modification[13]. When a block is modified, it occupies a new position in the chain, while the old block also remains to prove the chronology of the transactions; there is no possibility for the old block or its transactions to be removed[14].

 

While only a selected set of nodes are responsible for validating the block in a permissioned blockchain, every node in a permissionless blockchain could take part in the consensus process which serves the purpose of establishing decentralised trust in untrusted environments[15].

 

Since a third party is no longer needed in a blockchain to verify data integrity and to maintain trust, as opposed to centralised architectures, consensus algorithms[16]. In a blockchain, every agreement, contract, process, task and payment could have a digital record and signature that could be identified, validated, stored and shared, due to which intermediaries like lawyers, brokers and bankers might no longer be necessary[17]. Individuals, organisations, machines and algorithms can freely transact and interact with one another with little friction. Blockchains enable such decentralisation through their ability to replace traditional trust intermediaries with trust based in numbers[18]. Moreover, blockchain allows two businesses to build trust and transact by verifying the identity and capacity of any counterparty through a combination of past transaction history on the blockchain, reputation scores based on aggregate reviews, and other social and economic indicators[19]. This mitigates several types of financial risk and allows parties who do not know each other to trust each other and transact. Similarly, blockchain could dramatically reduce the cost of transactions[20].

 

Immutability

 

Immutability can be defined as the property that a blockchain ledger can be neither edited nor deleted and remains a permanent, indelible and unalterable history of transactions after they are verified and recorded into the blockchain[21]. This is a definitive feature of a blockchain, and it is the consequence of the blocks being chained together: each block carries a hash value that contains a reference to the preceding block, so the blocks are cryptographically linked[22]. As all transactions are immutably recorded and are time- and date-stamped, the entire history of a transaction can be viewed by members, which increases efficiency, transparency and accountability[23]. This functionality of blockchain technology ensures that no one can intrude in the system or alter the data saved to a block, keeping the data authentic[24] and bringing more trust in the network and more integrity to the data that businesses use and share every day[25].
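
The hash linking described above, as an added example that is not part of the original article: a toy ledger in Python showing what happens when one block's personal data is blanked to honour an erasure request. The block layout, payloads and function names are constructed for illustration and do not follow any particular blockchain's format.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder link for the first block

def block_hash(index, prev_hash, data):
    """SHA-256 over the block's position, its link to the previous block, and its payload."""
    body = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(payloads):
    """Chain the payloads so that every block stores the hash of its predecessor."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(payloads):
        digest = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["data"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def erase_in_place(chain, index):
    """Blank one payload but leave every stored hash untouched (a naive erasure)."""
    edited = [dict(block) for block in chain]
    edited[index]["data"] = "[erased]"
    return edited

def erase_and_rehash(chain, index):
    """Blank one payload and recompute every hash from that block onward."""
    payloads = [block["data"] for block in chain]
    payloads[index] = "[erased]"
    return build_chain(payloads)

def diverging_blocks(replica_a, replica_b):
    """Indices at which two replicas of the ledger disagree on the block hash."""
    return [a["index"] for a, b in zip(replica_a, replica_b) if a["hash"] != b["hash"]]

# Constructed sample payloads; the names are fictitious.
PAYLOADS = ["genesis", "deed: plot 17 -> Alice Example", "diploma: Bob Example", "payment #3"]
honest = build_chain(PAYLOADS)

if __name__ == "__main__":
    print("naive erasure fails at block", first_invalid(erase_in_place(honest, 1)))
    print("rehashed copy diverges at", diverging_blocks(honest, erase_and_rehash(honest, 1)))
```

A naive erasure is caught at the edited block itself, and a rehashed copy is internally consistent but disagrees with every honest replica from that block to the head of the chain, which is why the other nodes would have to accept the rewritten history.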

 

Blockchains are an innovative system for determining ‘who did what when’ that can be deployed to enable coordination between parties that was not previously possible[26]. In providing a distributed and verifiable record of data, blockchains may come to transform record-keeping systems[27]. By creating a record that can’t be altered and is encrypted end-to-end, blockchain helps prevent fraud and unauthorised activity[28].

 

The General Data Protection Regulation:

 

The General Data Protection Regulation (GDPR) is a regulation on data protection in the European Union (EU) and the European Economic Area (EEA) that was put into effect on May 25, 2018[29]. Its primary aim is to enhance individuals’ control and rights over their personal data and to improve business opportunities by facilitating the free flow of personal data in the digital single market[30]. It lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data[31]. It protects fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, which is based on Article 8 of the Charter of Fundamental Rights.

 

Material Scope of the GDPR

 

According to Article 2(1) GDPR, the regulation applies to the processing of personal data by automated means and processing of personal data other than by automated means which form part of a filing system or are intended to form part of a filing system. According to Article 4(2) GDPR, ‘processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, etc[32]. In respect of blockchains, this broad understanding of data processing implies that the initial addition of personal data to a distributed ledger, its continued storage and any further processing constitutes personal data processing under Article 4(2) GDPR[33]. Blockchain-enabled data processing qualifies as data processing “through automated means”[34].

 

According to Article 4(1) of the GDPR, ‘personal data’ is any information relating to an identified or identifiable natural person, the “data subject”. An identifiable natural person can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[35]. Hence, when a data subject is no longer identifiable, the data is rendered anonymous and it does not amount to personal data[36].

 

Nevertheless, personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, are considered to be information on an identifiable natural person[37]. According to Article 4(5) GDPR, “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a data subject without the use of additional information[38].

 

Practice reveals that public keys can enable the identification of a specified natural person[39] and academic research has shown that public keys can be traced back to IP addresses, aiding identification[40]. In Patrick Breyer v. Germany, dynamic IP addresses were classified as personal data[41]. A public key serves to identify a natural person and cannot be attributed to a data subject without being matched with additional information such as a name, address or other identifying information and, thus, qualifies as pseudonymous data according to Article 4(5) GDPR[42].

 

Any other categories of data that may be used on a blockchain but are not public keys are categorised as transactional data[43]. The data contained within a transaction, for example a diploma or a property deed, can be categorised as transactional data, according to the French Data Protection Authority[44]. Transactional data constitutes personal data where it directly or indirectly relates to an identified or identifiable natural person[45]. Both public keys and transactional data can be used in plain text, in encrypted form, or hashed when put on the blockchain[46]. It has been clear that public keys and transactional data stored in the blocks in plain text qualify as personal data. Additionally, according to the Article 29 Working Party, encrypted data and hashed data both qualify as pseudonymised data, as original values can be derived from an attribute or set of attributes[47].
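
Why a hashed identifier on a ledger remains pseudonymous rather than anonymous, as an added example that is not part of the original article: a Python check of the kind a data-protection assessment can run against its own identifier format. The four-digit member ID format, the key values and the function names are constructed assumptions; the keyed variant (HMAC with a key kept off-chain) is included only to illustrate the "additional information" of Article 4(5).

```python
import hashlib
import hmac

def plain_digest(identifier):
    """Unkeyed SHA-256 of an identifier, as it might be written to a ledger."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_digest(identifier, key):
    """HMAC-SHA-256 of an identifier under a key that is stored off-chain."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def candidate_ids():
    """Constructed identifier format: 'M' followed by four digits (10,000 values)."""
    return (f"M{n:04d}" for n in range(10_000))

def rederive(on_chain_digest, digest_fn):
    """Return the identifier whose digest equals the ledger entry, or None.

    Models anyone who knows the identifier format and the digest function:
    if this returns a value, the ledger entry can be attributed to a person.
    """
    for candidate in candidate_ids():
        if hmac.compare_digest(digest_fn(candidate), on_chain_digest):
            return candidate
    return None

# Constructed sample values, not real identifiers or keys.
MEMBER_ID = "M4821"
OFF_CHAIN_KEY = b"constructed-demo-key-held-off-chain"
WRONG_KEY = b"constructed-wrong-key"

ledger_plain = plain_digest(MEMBER_ID)
ledger_keyed = keyed_digest(MEMBER_ID, OFF_CHAIN_KEY)

if __name__ == "__main__":
    print("unkeyed hash re-derived:", rederive(ledger_plain, plain_digest))
    print("keyed hash, no key:", rederive(ledger_keyed, plain_digest))
    print("keyed hash, with key:",
          rederive(ledger_keyed, lambda s: keyed_digest(s, OFF_CHAIN_KEY)))
```

The unkeyed digest is re-derived from the identifier format alone, while the keyed digest is attributable only by a party holding the off-chain key, so in both cases the original value remains derivable by someone.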

 

The Territorial Scope of the GDPR

 

According to Article 3(1) GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not[48]. Additionally, according to Article 3(2) of the regulation, it applies to the processing of personal data of data subjects who are in the Union related to offering them goods or services; or the monitoring of their behaviour taking place within the Union by a controller or processor not established in the Union[49]. Due to this, the applicability of the GDPR is broad and not limited to the Union. As miners and nodes can be based anywhere, the regulation limits all blockchain-based applications that have an indirect link to the Union[50]. Particularly, unpermissioned blockchains usually run on nodes located in various jurisdictions across the globe, leaving creators with no control over the geographic spread of the network[51].

 

The Tension Between Blockchain and the GDPR

 

The decentralised nature of a blockchain network, the requirement to gain consensus from the computers in its network to edit or remove data, and the permanence of the information recorded in it give rise to difficulties concerning personal data processing through this technology. These characteristics of blockchain mainly stand in tension with the principles of data minimisation, purpose limitation and storage limitation mentioned in Article 5 GDPR, the right to obtain confirmation from the controller as to whether personal data concerning data subjects are being processed as mentioned in Article 15, the right to obtain rectification of information without undue delay as per Article 16 GDPR and the right to be forgotten as per Article 17 GDPR[52].

 

For example, in accordance with Article 15 GDPR, a data subject has the right to obtain confirmation from the controller whether or not her personal data is being processed[53]. Under Article 15(2) GDPR, data subjects are moreover entitled to be informed about safeguards that apply where data is transferred to third countries[54]. A pertinent question in respect of blockchains is how this can be applied on a blockchain, given that a node validating a block in the EU will thereafter share that information with all nodes of the blockchain, irrespective of their geographical location[55]. Similarly, Article 15 GDPR raises important questions in relation to its application to DLT, given that controllers do not know which data is stored on the blockchain as they often only handle the encrypted or hashed version thereof[56]. The GDPR mandates that personal data be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’[57]. However, data once added to a blockchain will perpetually remain part of the chain, given that a blockchain is an append-only database that continuously expands and accumulates data with each additional block[58]. Therefore, due to several factors such as these, the GDPR stands in tension with blockchain technology.[59]

 

References

[1] ‘Benefits of Blockchain – IBM Blockchain’ <https://www.ibm.com/topics/benefits-of-blockchain> accessed 8 October 2021.

[2]

[3] ‘Identity & Blockchain: The Road to Self Sovereign Identity’ (BlockchainHub, 17 October 2017) <https://blockchainhub.net/blog/blog/decentralized-identity-blockchain/> accessed 2 October 2021.

[4] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p.7.

[5] Ibid

[6] Ibid

[7] Ibid 16.

[8] Benefits of Blockchain – IBM Blockchain (n 1).

[9] Ibid

[10] Christian Catalini and Joshua Gans, ‘Some Simple Economics of the Blockchain’ (2016) Rotman School of Management Working Paper No. 2874598, 1 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2874598> accessed 14 September 2021.

[11]  Eugenia Politou and others, ‘Blockchain Mutability: Challenges and Proposed Solutions’ (2019) PP IEEE Transactions on Emerging Topics in Computing, pp. 1-1.

[12] Gianluigi Maria Riva, ‘What Happens in Blockchain Stays in Blockchain. A Legal Solution to Conflicts Between Digital Ledgers and Privacy Rights’ (2020) 3 Frontiers in Blockchain 36, pp. 1-18

[13] Ibid

[14] Ibid

[15] Eugenia Politou and others (n 10).

[16] Ibid

[17] Karim Lakhani and Iansiti Marco, ‘The Truth About Blockchain’ [2017] Harvard Business Review (HBR) 118.

[18] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p. 11.

[19] D Tapscott and A Tapscott, Blockchain Revolution: How the Technology Behind Bitcoin Is Changing Money, Business, and the World (Penguin Canada 2016).

[20] Karim Lakhani and Iansiti Marco, ‘The Truth About Blockchain’ [2017] Harvard Business Review (HBR) 118.

[21] Eugenia Politou and others (n 10); Kevin Doubleday, ‘Blockchain Immutability — Why Does It Matter?’ (Fluree PBC, 30 June 2019) <https://medium.com/fluree/immutability-and-the-enterprise-an-immense-value-proposition-98cd3bf900b1> accessed 8 October 2021.

[22] Eugenia Politou and others (n 10).

[23] Benefits of Blockchain – IBM Blockchain (n 1).

[24] Kaushiki Srivastav, ‘A Guide to Blockchain Immutability and Challenges – DZone Security’ (dzone.com) <https://dzone.com/articles/a-guide-to-blockchain-immutability-and-chief-chall> accessed 8 October 2021.

[25] Kevin Doubleday (n 20)

[26] Finck (n 3) 10.

[27] Ibid

[28] Benefits of Blockchain – IBM Blockchain (n 1)

[29] Ben Wolford, ‘What Is GDPR, the EU’s New Data Protection Law?’ (GDPR.EU, 7 November 2018) <https://gdpr.eu/what-is-gdpr/> accessed 7 October 2021.

[30] Commission, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM (2012) 11 final

[31] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119/1, art 1.

[32] General Data Protection Regulation, art 4(5).

[33] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), pp.10.

[34] Ibid

[35] General Data Protection Regulation, art 4(1).

[36] General Data Protection Regulation, Recital 26.

[37] Ibid

[38] General Data Protection Regulation, art 4(5).

[39] Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?’ (Panel for the Future of Science and Technology, July 2019), pp 27.

[40] Michèle Finck, Blockchain Regulation and Governance in Europe (Cambridge University Press 2018), p 97.

[41] Case C‑582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] ECLI:EU:C:2016:779, para 65.

[42] Michèle Finck (n 38) 26.

[43] Michèle Finck (n 38) 21.

[44] ‘Solutions for a Responsible Use of the Blockchain in the Context of Personal Data’ (CNIL, September 2018) <https://www.cnil.fr/sites/default/files/atoms/files/blockchain_en.pdf> accessed 25 September 2021.

[45] Michèle Finck (n 19) 29.

[46] Ibid

[47] Article 29 Working Party, ‘Opinion 05/2014 on Anonymisation Techniques’ (WP 216, 10 April 2014).

[48] General Data Protection Regulation, art 3(1).

[49] General Data Protection Regulation, art 3(2).

[50]  Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 27.

[51] Ibid

[52] General Data Protection Regulation

[53] General Data Protection Regulation, Article 15

[54] General Data Protection Regulation, Article 15

[55] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 17-35.

[56] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 17-35.

[57] General Data Protection Regulation, Article 5(1)b

[58] Michèle Finck, ‘Blockchains and Data Protection in the European Union’ (2018) 4 European Data Protection Law Review <https://doi.org/10.21552/edpl/2018/1/6> accessed 15 September 2021, pp. 17-35.

[59]
