In the fourth blog post by Austrian law firm Stadler Völkel, Arthur Stadler and Sarah Pichler focus on the General Data Protection Regulation (GDPR) and Blockchain Technology.
General Data Protection Regulation and Blockchain Technology
by Arthur Stadler & Sarah Pichler
Transparency and Integrity
The most important reason for the interest in Blockchain and the latest discussions about its potential areas of application are the positive attributes linked to its mode of operation: security, anonymity and data integrity, without any third party serving as an authority and being in control of the transactions.
Blockchains are thus not only decentralized but also based on distributed ledgers. Data integrity is ensured by the creation of new blocks in a ‘consensus procedure’, meaning that each subsequent block contains a cryptographic image of the previous block. Each block therefore consists of multiple data points. This also means that data cannot be manipulated or deleted once it has been written, entered into a block and linked to the previously written block. Transparency in all respects is given, as the public can see all transactions, but – allegedly – without information linking these transactions to identities.
Personal Data in Blockchains – Anonymous Content?
From a legal point of view, many aspects have to be considered when applying effective legal frameworks to rather new technical systems like Blockchain – national legislation as well as EU law have to be taken into account. One of the most recent Acts on EU level creating implementation requirements of great impact for companies is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, in the following ‘GDPR’), which will enter into force on 25 May 2018.
The objective of the GDPR is to strengthen and unify data protection for individuals within the EU by trying to give citizens full and ultimate control over all their data. Its scope of application is based on the definition of ‘personal data’ – the principles of data protection set up by the GDPR should apply to any information concerning an identified or identifiable natural person.
Blockchain databases allow or even promote transactions between parties without having to disclose their identity to the contracting party or the public – at least in theory, where only private and public keys, i.e. numeric codes, are involved. Anonymity ranks amongst the most prominent features of Blockchain technology – and, remarkably enough, the terms ‘anonymity’ and ‘pseudonymity’ are also used in the GDPR, where ‘pseudonymisation’ is explicitly mentioned as an instrument to reduce data protection risks.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject (i.e. an identified or identifiable natural person). Still, studies (based on Bitcoin, the most popular Blockchain) have shown that entries in blockchains can be de-anonymized: transaction analysis can eventually allow public keys to be traced back to IP addresses via a specific internet connection or its owner. Since IP addresses are considered ‘personal data’ according to international and national case law, this could [potentially even more so in the future, with more sophisticated back-tracking applications] lead to the unrestricted application of the GDPR to Blockchain technologies – always under the condition that ‘personal data’ is ‘processed’ within the meaning of the GDPR – causing numerous problems, of which only a few shall be pointed out in the following:
Legal Issues Resulting From The Application of the GDPR
The GDPR obliges so-called ‘controllers’, who determine the purposes and means of the processing of personal data, and ‘processors’, who process personal data on behalf of the controller – in short, everyone who processes personal data – to behave correctly and to comply with the principles set up by the GDPR (transparency, data minimisation, purpose limitation, to name just a few).
Between controllers and processors, contracts must be concluded which set out the subject-matter and numerous details of the processing. Within the blockchain environment, countless such contracts would be necessary – the GDPR’s concept of assigning responsibilities (Article 24 ff GDPR) to controllers of personal data seems simply not compatible with a blockchain system, where data is processed without individual controllers for individual processing operations.
In this context, it may also be added that the rights of the data subject (e.g. the right to basic information, the right to rectification) are difficult to fulfil, again because of the missing responsibilities inherent in the whole construction of blockchain. In addition, one of the most significant rights provided by the GDPR, the right to erasure or so-called ‘right to be forgotten’, stands in contrast to the fact that the public ledger cannot be modified or deleted after the data has been approved (as mentioned before).
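As an added illustration that is not part of the original post, the following toy ledger shows the hash chaining described above and its consequence for the right to erasure: each block commits to the previous block’s hash, so blanking one block’s payload breaks verification of everything after it. It also goes beyond the post with an assumed privacy-by-design pattern (a salted off-chain commitment, so that only a hash reaches the chain and the personal data can be deleted off-chain without breaking any link); all names and sample values are constructed.

```python
import hashlib
import json
import secrets

GENESIS_PREV = "0" * 64

def block_hash(index, prev_hash, payload):
    # The hash covers the previous block's hash: the "cryptographic image of
    # the previous block" that links each block to the one written before it.
    raw = json.dumps({"i": index, "prev": prev_hash, "data": payload}, sort_keys=True)
    return hashlib.sha256(raw.encode()).hexdigest()

def build_chain(payloads):
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        h = block_hash(i, prev, payload)
        chain.append({"i": i, "prev": prev, "data": payload, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """True only if every block matches its hash and links to its predecessor."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev"] != prev or block_hash(b["i"], prev, b["data"]) != b["hash"]:
            return False
        prev = b["hash"]
    return True

def erase_in_place(chain, index):
    """Simulate an erasure request by blanking one block's payload on a copy
    of the ledger; returns whether the copy still verifies."""
    redacted = [dict(b) for b in chain]
    redacted[index]["data"] = None
    return verify_chain(redacted)

# Constructed sample ledger: block 1 records an IP address, which is personal
# data once it can be linked to a connection owner.
LEDGER = build_chain(["genesis", {"key": "pubkey-A", "ip": "192.0.2.7"}, {"key": "pubkey-B"}])

def commitment(record, salt):
    """Salted hash of an off-chain record (assumed privacy-by-design pattern,
    not from the post): only this value is written to the chain."""
    return hashlib.sha256(salt + json.dumps(record, sort_keys=True).encode()).hexdigest()

# Same data kept off-chain; the chain holds a commitment, so the record and
# its salt can be deleted later without breaking any link.
OFF_CHAIN = {1: ({"key": "pubkey-A", "ip": "192.0.2.7"}, secrets.token_bytes(16))}
COMMIT_LEDGER = build_chain(["genesis", commitment(*OFF_CHAIN[1]), {"key": "pubkey-B"}])
```

Without the salt, the on-chain commitment cannot be checked against a guessed record, which is what makes the off-chain deletion meaningful.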
Who’s The First To Come Up With Solutions?
For all or most of the open questions, research and technological development will certainly come up with possible solutions. At the moment, we see on the one hand providers of new cryptocurrencies and new blockchains who focus on privacy issues from the beginning (such as Monero, a new digital currency which, amongst other things – to put it simply – ensures that users’ public addresses do not appear in the public record of transactions, i.e. the blockchain), e.g. by precluding personal data from being entered into the system.
At the same time, techniques are being developed and improved right now for different services in already existing blockchains to deal with privacy issues, e.g. ‘mixing’ (basically mixing one’s own transactions/inputs with other people’s to obfuscate the transaction flow, also used by Monero). Whether or not the newly developed blockchains can meet all legal requirements must be examined in detail – new areas of business will emerge and gain influence within the next months or years, such as service providers of certified encryption software explicitly designed for use in blockchains.
Companies engaging in blockchain technology are well advised to focus on the relevant (international) regulatory framework, which includes data protection law, at an early stage of the development of any blockchain-based application they develop or use, in order to incorporate and secure another key concept of the GDPR – privacy by design.