GDPR challenges for blockchain technology
The European Union General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, is the most discussed law across Europe. It sets stricter standards for collecting and processing personal data and may greatly affect how new technologies are released. For example, blockchain is one of the hottest topics in technology today, yet in its current state it will most probably be incompatible with the GDPR.
Which data can be regarded as personal data in Blockchain?
Under the GDPR, personal data is any data relating to an identified or identifiable natural person. Pseudonymous data may still qualify as personal data; only anonymous data falls outside the scope of the GDPR's legal framework. Two types of data on a blockchain can therefore be considered personal data: public keys and the transactional data stored in the blocks. Both are pseudonymous data. Even though a public key is just a sequence of numbers, it is still possible to identify a person if additional information, such as an IP address, is available. Transactional data is either encrypted or hashed in the blockchain, so one may think it is anonymous. However, encrypted data can be decrypted with the correct keys, so the transformation is not irreversible, which is what the GDPR requires for data to count as anonymous. Hashing is defined by the Article 29 Working Party as a pseudonymization technique, so a hash function does not resolve the issue either.
Who is a data controller on blockchain i.e. to whom are GDPR obligations addressed?
A blockchain is a decentralized distributed ledger operated by all nodes without any central point of control. On the one hand, none of the nodes may qualify as a data controller, or every node may qualify as one. On the other hand, the data subject himself may be considered a data controller, since the data subject holds a private key and is the one adding personal data to the blockchain for his own purposes. Therefore, depending on the operation performed and the type of blockchain, the data controller or processor may be a different person.
Where are GDPR obligations applied?
The GDPR applies to data controllers and data processors that operate in the EU, or whose processing activities relate either to offering goods or services to data subjects based in the EU or to monitoring behavior that takes place in the Union. Since miners are located all around the world and data is hashed by a randomly selected miner, almost every miner may be an obligated person under the GDPR, as they are processing reversible personal data.
Exercising of data subject rights on blockchain
The GDPR introduces new rights such as the right to be forgotten and the right to amend personal data. Such rights will most probably pose the greatest challenge for blockchains. A blockchain is an immutable technology, meaning all the data stored on it is public and cannot be amended or deleted. This is the biggest value of blockchain and at the same time its biggest problem, since under the GDPR the data subject must be able to demand that the processor remove personal data.