GDPR & Blockchain: At the intersection of data privacy and technology


Much ink and angst have recently been spilled on how the European Union’s General Data Protection Regulation (“GDPR”) could impact the development and adoption of blockchain technology. The interplay between GDPR’s data privacy rights and the concept of blockchain serving as a decentralized, incorruptible digital ledger has led to various takes on a classic philosophical paradox: “What happens when an unstoppable force meets an immovable object?”

The 'unstoppable force', GDPR, has compelled companies to comply with new data privacy regulations if they want to do business in the European Union. Compliance with GDPR is not optional: violations can result in colossal penalties of up to €20 million or four percent (4%) of global revenue, whichever is greater.

One may wonder how something as dynamic and fluid as blockchain could be considered an 'immovable object'. Well, blockchain is an immovable object since once a transaction or piece of data is recorded on the ledger, the data is immutable.

This has led to the assumption that GDPR will impede the development of blockchain because recording transactions on the ledger without the ability to delete them violates a core principle of GDPR, namely, the data subject’s “right to be forgotten.”

Note: While blockchain does present other GDPR compliance issues, this article will focus specifically on the “right to be forgotten.”

However, the concern that GDPR will hamper the development of blockchain fails to survive close scrutiny of GDPR’s core principles and their application to the immutability of transactions recorded on blockchain.

Contrary to popular opinion, it must be emphasized that GDPR is not intended to hinder businesses or innovation. Instead, GDPR was designed to give consumers the right to control their personal data and how companies collect and use it.

This dichotomy is evident in the text of GDPR itself. While GDPR grants consumers the right to control their personal data, it also recognizes that consumers’ interests/rights can be overridden by the compelling interest of the data controller (i.e. the companies collecting personal data) or governmental/public interest.


For example, one of the biggest concerns about GDPR’s impact on blockchain is that the immutability of recorded transactions violates GDPR’s “right to be forgotten.” Article 17(1) of GDPR clearly provides that a data subject has the “right to be forgotten” by demanding the erasure of his/her personal data upon the withdrawal of consent, or upon his/her objection to the processing. However, Article 17(1)(b) and (3) recognize that the data subject’s “right to be forgotten” can be overridden by the controller’s legal or legitimate grounds to process the personal data, or for compliance with a legal obligation, respectively. In the context of blockchain, it is easy to imagine a scenario where an individual’s right to be forgotten is overridden by the legitimate interest of the owners/operators of the blockchain in complying with legal obligations.

For instance, in the financial context, financial institutions have to comply with what is commonly known as the “know-your-customer” rule and must keep records of such transactions, including the personal data of the parties involved in the transaction. In the context of global logistics, personal data contained in the shipping documents of international freight must be maintained and stored for legal compliance reasons.

From a technological standpoint, the fact that blockchain is still in its infancy also ensures that GDPR will not hinder the adoption of blockchain throughout industries. While popular cryptocurrencies, such as Bitcoin, use public blockchains, businesses and industries are racing to develop private or permissioned blockchains. The key difference between a public and a private blockchain is that in a public blockchain there is no central authority and anyone can view the information contained in the ledger, whereas in a private blockchain a central authority oversees who has access and how the data is distributed and stored. Creation or adoption of private blockchains will allow companies to account for, and ensure compliance with, GDPR.


Additionally, certain features that already exist will help ensure blockchain complies with GDPR. One fundamental feature of blockchain that will support this process is known as “hashing,” where the data is encrypted or scrambled and only accessible to users with the correct hash key. Therefore, if all personal data that links the transaction to an individual is stored only in a hashed form on the ledger, such information would be encrypted and not publicly accessible.

Upon receipt of an individual’s request to be forgotten, the hash key can simply be deleted, which would render the personal data inaccessible despite being spread across offline databases (i.e. cryptographic data deletion).

Admittedly, the Article 29 Working Party’s Opinion 05/2014 concluded that hashing is a technique of pseudonymization and not anonymization, which raises the concern that hashing alone may not satisfy GDPR’s data protection requirements. However, combining hashing with other features may ensure blockchain’s GDPR compliance.

Another feature that could be useful for blockchain in the context of GDPR compliance is the concept of “off-chain storage” of personal data. Instead of uploading an individual’s personal data onto the ledger, personal data can simply be maintained off the blockchain in a central location, with only a hash of the personal data recorded on the ledger. Upon request, the personal data stored off the chain can simply be deleted, rendering the hash on the ledger useless. This workaround would reduce the transparency benefit of blockchain, but it ensures compliance with an individual’s “right to be forgotten.”

Finally, another way around the immutability of blockchain is to utilize smart contracts for GDPR compliance. Smart contracts are self-executing contracts with the terms of the agreement between the parties written into code, automatically triggered by the occurrence of a condition or event. Smart contracts can be written in a way that revokes all access rights and/or deletes the contents (i.e. the terms and personal data contained therein) after a set period of time, rendering the personal data inaccessible.
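To make the three mechanisms above concrete (hashing with a deletable key, off-chain storage with only a commitment on the ledger, and time-based expiry of the kind a smart contract would enforce), here is an added Python example. It is not code from the article or from any blockchain project, and the ledger, store and identifiers in it are constructed stand-ins. One point of precision it relies on: a plain hash such as SHA-256 has no key, so there is nothing to delete, and a hash of low-entropy personal data (an e-mail address, a name) can be matched against a list of guesses, which is why Opinion 05/2014 calls it pseudonymization. The example therefore records a keyed commitment (HMAC-SHA256 with a random per-record key held off-chain); deleting that key and the off-chain data is what the article calls deleting the “hash key,” and the immutable entry left on the ledger then no longer verifies or links to anyone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LedgerEntry:
    """What goes on the immutable ledger: no personal data, only a keyed commitment."""
    subject_id: str    # hypothetical opaque reference; in practice a random token, never a name
    commitment: str    # hex HMAC-SHA256(key, personal_data); key lives off-chain only
    expires_at: float  # retention deadline (seconds since epoch); enforced off-chain here


class Ledger:
    """Append-only list standing in for the blockchain: entries are never removed."""

    def __init__(self) -> None:
        self._entries: List[LedgerEntry] = []

    def append(self, entry: LedgerEntry) -> None:
        self._entries.append(entry)

    def entries(self) -> Tuple[LedgerEntry, ...]:
        return tuple(self._entries)


class OffChainStore:
    """Central, mutable store holding the personal data and the per-record key."""

    def __init__(self) -> None:
        # subject_id -> (key, personal_data, expires_at)
        self._records: Dict[str, Tuple[bytes, bytes, float]] = {}

    def put(self, subject_id: str, key: bytes, data: bytes, expires_at: float) -> None:
        self._records[subject_id] = (key, data, expires_at)

    def get(self, subject_id: str) -> Optional[Tuple[bytes, bytes, float]]:
        return self._records.get(subject_id)

    def delete(self, subject_id: str) -> bool:
        return self._records.pop(subject_id, None) is not None

    def ids(self) -> List[str]:
        return list(self._records)


def record_transaction(ledger: Ledger, store: OffChainStore, subject_id: str,
                       personal_data: bytes, retention_seconds: float, now: float) -> LedgerEntry:
    """Keep personal data off-chain; put only a keyed commitment on the ledger."""
    key = secrets.token_bytes(32)  # fresh random key per record: commitment is unguessable
    commitment = hmac.new(key, personal_data, hashlib.sha256).hexdigest()
    expires_at = now + retention_seconds
    store.put(subject_id, key, personal_data, expires_at)
    entry = LedgerEntry(subject_id, commitment, expires_at)
    ledger.append(entry)
    return entry


def verify(entry: LedgerEntry, store: OffChainStore) -> bool:
    """Recompute the commitment from the off-chain key and data; False once either is gone."""
    rec = store.get(entry.subject_id)
    if rec is None:
        return False
    key, data, _ = rec
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.commitment)


def erase_subject(store: OffChainStore, subject_id: str) -> bool:
    """Right-to-be-forgotten request: delete key and data; the ledger entry stays but is inert."""
    return store.delete(subject_id)


def purge_expired(store: OffChainStore, now: float) -> int:
    """Retention expiry, the job the article assigns to a smart contract; returns count purged."""
    expired = [sid for sid in store.ids() if store.get(sid)[2] <= now]
    for sid in expired:
        store.delete(sid)
    return len(expired)


def plain_hash(personal_data: bytes) -> str:
    """Unkeyed SHA-256, the naive 'just hash it' approach."""
    return hashlib.sha256(personal_data).hexdigest()


def recover_from_candidates(digest_hex: str, candidates: List[bytes]) -> Optional[bytes]:
    """Shows why an unkeyed hash is only pseudonymous: it matches against a guess list.
    A keyed commitment whose key has been deleted never matches."""
    for candidate in candidates:
        if hmac.compare_digest(plain_hash(candidate), digest_hex):
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    entry = record_transaction(ledger, store, "subj-0001", b"alice@example.com", 3600, now=1000.0)
    print("verifies before erasure:", verify(entry, store))
    erase_subject(store, "subj-0001")
    print("verifies after erasure:", verify(entry, store), "| ledger entries:", len(ledger.entries()))
```

Two caveats follow from running it. First, the ledger entry survives erasure, so the on-chain `subject_id` must itself be an opaque token rather than anything that identifies the person, and whether the residual commitment counts as anonymized or merely pseudonymized is exactly the Opinion 05/2014 question the article raises. Second, `purge_expired` runs off-chain in this toy; on a real chain the same rule would live in contract code, but the data it deletes still has to be the off-chain copy, because nothing on the ledger can be removed.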

So, what happens when the unstoppable force known as GDPR meets the immovable blockchain?

Nothing earth-shattering. Fortunately, blockchain, as a technology and as a standard, is still in its infancy, which will allow the community to develop workarounds and solutions to ensure GDPR compliance. Over time, it is more likely than not that blockchain and GDPR will coexist peacefully and further ensure data privacy.