This summer, the European Parliament published a comprehensive study relevant to data protection lawyers and blockchain, titled “Blockchain and the General Data Protection Regulation. Can distributed ledgers be squared with European data protection law?”. In the quest for an answer to this widely discussed question, the author of the study provides quite a few valuable insights.
What are the main causes of tension between blockchains and the GDPR?
- First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – that is responsible and accountable for the processing of that data. However, for both data protection lawyers and academics, defining which entities qualify as (joint) controllers (especially in light of recent developments in the case law discussed here) is (still) an extremely complicated task. There is a broad consensus that even users will (at least in some circumstances) be considered data controllers under the GDPR.
- Second, the GDPR is also based on the assumption that data can be modified or erased where necessary to comply with legal requirements. Blockchains, conversely, render the unilateral modification of data purposefully onerous in order to ensure data integrity and increase trust in the network.
- Other examples of the tension between blockchain, the GDPR and data protection lawyers relate to the overarching principles of data minimisation and purpose limitation, as well as the right to erasure (the “right to be forgotten”).
- In reality, blockchains are a class of technologies with disparate technical features and governance arrangements. Therefore, the compatibility of these instruments with the GDPR can only be assessed on the basis of a detailed case-by-case analysis.
- It can be easier for private and permissioned blockchains to comply with the GDPR requirements than for public and permissionless blockchains.
- The lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard for data protection lawyers to determine how the GDPR should apply not only to this technology, but also to others.
It is impossible to state that blockchains are, as a whole, either completely compliant or non-compliant with the GDPR – each concrete case must be examined by a data protection lawyer and other specialists.
You can find a link to the rather long but insightful study here.