Sometimes it seems that the General Data Protection Regulation (GDPR) and blockchain are separated by a vast continental divide. Blockchain technologies gained prominence with bitcoin and those confusing adverts screened during the FIFA 2018 World Cup. GDPR also gained prominence in 2018 as the new European data protection law came into force.
Blockchain is based upon Distributed Ledger Technology (DLT). A ledger is simply somewhere that you write things down to create an official (and usually permanent) record. A distributed ledger is where multiple copies of the same ledger are available. So how do you ensure the ledgers contain identical records? This is achieved using cryptographic ‘keys’ or electronic signatures to control who can do what within the shared ledger. And, depending on the rules for a particular blockchain network, entries can be created by one, some or all of the participants. Updates to the ledger can feasibly be performed instantaneously and shared to all copies.
The problem areas are:
- Permanence of DLT transactions. There is no end date or data retention policy, as required by the GDPR “data minimisation” principle.
- The ability of anyone to view personal data is at odds with GDPR. To be compliant, data must be fully anonymous and, sadly, even “hashed” data is still personal data. This goes against GDPR “privacy by design” principles.
- DLT has no mechanism for removing data without breaking the chain. The “right to be forgotten” enshrined in GDPR is opposed to any permanence of data within DLT.
- The roles of data controller and data processor are blurred. This is desirable under DLT but against GDPR principles.
- DLT data can be processed anywhere in the world, which means that there is no guarantee that personal data will not be processed outside of Europe.
Taking these points into consideration means that, as currently designed, a fully compliant public blockchain is not possible, and it would be impossible to make any currently operating chain compatible with data privacy regulation. It doesn’t mean that a public GDPR-compatible blockchain is impossible; it’s just a little bit more difficult.
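As an added illustration of the second and third problem areas (example code, not part of the original article), the following Python sketch builds a small hash chain over constructed sample entries: hashing the e-mail addresses does not stop anyone who can guess an address from re-linking it, and dropping a data subject's entries to honour an erasure request breaks verification of every later block.

```python
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample ledger entries; the addresses are made up for this example.
ENTRIES = [
    {"from": "alice@example.com", "to": "bob@example.com", "amount": 5},
    {"from": "bob@example.com", "to": "carol@example.com", "amount": 2},
    {"from": "carol@example.com", "to": "alice@example.com", "amount": 1},
]

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def pseudonymise(entry):
    """Replace the identifiers with unsalted SHA-256 digests, a naive 'anonymisation'."""
    return {k: (sha256(v) if isinstance(v, str) else v) for k, v in entry.items()}

def build_chain(entries):
    """Append-only hash chain: every block commits to the previous block's hash."""
    chain, prev = [], GENESIS
    for entry in entries:
        data = pseudonymise(entry)
        block_hash = sha256(json.dumps({"prev": prev, "data": data}, sort_keys=True))
        chain.append({"prev": prev, "data": data, "hash": block_hash})
        prev = block_hash
    return chain

def verify_chain(chain):
    """Recompute each link; a removed or altered block invalidates all later ones."""
    prev = GENESIS
    for block in chain:
        expected = sha256(json.dumps({"prev": prev, "data": block["data"]}, sort_keys=True))
        if block["prev"] != prev or block["hash"] != expected:
            return False
        prev = block["hash"]
    return True

def reidentify(chain, candidate_identifiers):
    """Unsalted hashes are re-linkable by anyone able to guess and re-hash the input."""
    lookup = {sha256(i): i for i in candidate_identifiers}
    hits = {lookup[b["data"][f]] for b in chain for f in ("from", "to") if b["data"][f] in lookup}
    return sorted(hits)

def erase_subject(chain, identifier):
    """Drop a subject's blocks to honour an erasure request; unless they all sit at the
    tail of the chain, the surviving chain no longer verifies."""
    digest = sha256(identifier)
    return [b for b in chain if digest not in (b["data"]["from"], b["data"]["to"])]
```

Removing only the newest blocks leaves the chain valid, which is why the erasure problem is about entries that later blocks already commit to, not about truncation.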