Many people will predominantly be familiar with the term ‘blockchain’ in connection with bitcoin and money transfers in cryptocurrency. But blockchains can be used for all sorts of other purposes as well. There are many different applications for the extremely versatile blockchain technology, which is used by businesses and governments, for instance, for maintaining international contracts. There are currently also advanced pilots in maternity care, investigating the technology’s administrative merits in processes like registration of working hours. These are interesting and potentially beneficial new options, but how about the privacy of individual citizens? Are blockchain and privacy compatible concepts or is there an unbridgeable gap separating the two? In this blog, we will take a look at blockchain technology from a European-legal privacy perspective.
Blockchain – what is it and how does it work?
Blockchains are somewhat similar to the ‘ledgers’ used for recording transactions, which in practice are large databases, usually controlled by a single organisation or ‘trusted third party’. If anyone wants to access – or change – data recorded in one of the ledgers, they need authorisation from this organisation.
The difference is that blockchains, in their ledger role, are public and de-centralised, with no central administrator. Instead, blockchains and the data they contain are controlled collectively and on a ‘peer-to-peer’ basis by everyone participating in them. These participants all have identical copies of the blockchain stored on their computers and can therefore access the data.
Who has actual access at any given point in time depends on the type of blockchain. Public blockchains, like bitcoin’s, have no specific owners and are accessible to everyone. This makes the system transparent and verifiable. In the case of a private blockchain, on the other hand, participation in the network can be limited to an agreed-upon group of users or parties. In the context of compliance with the General Data Protection Regulation (GDPR), the difference between public and private blockchains is relevant in a number of ways. In this blog, the blockchain-related GDPR issues will be discussed under the heading ‘Legal challenges with regard to privacy’.
Apart from this, blockchains are in principle non-editable. The actual data, e.g. transaction details like amount and beneficiary, are stored in a so-called ‘block’, using data from previous ‘blocks’. This way, data are ‘stacked’ – i.e. mutations are recorded in a ‘chain’ – which, in principle, makes it impossible for data in old blocks to be removed or changed. This latter blockchain characteristic, also known as ‘immutability’, is what will be discussed below from a specifically privacy-legal perspective.
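The chaining described above, as an added example that is not part of the original blog: a minimal hash chain in Python showing why erasing data from an old block is detectable. The block layout, function names and sample records are assumptions for illustration and do not reproduce any particular blockchain.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder predecessor for the first block

def block_hash(index, prev_hash, data):
    """Hash a block's content together with its predecessor's hash."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_chain(records):
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(records):
        digest = block_hash(index, prev, data)
        chain.append({"index": index, "prev": prev, "data": data, "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["index"], block["prev"], block["data"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return block["index"]
        prev = block["hash"]
    return None

def erase_data(chain, index, rehash=False):
    """Blank one block's data on a copy of the chain, as an erasure would."""
    edited = [dict(block) for block in chain]
    edited[index]["data"] = {}
    if rehash:  # recompute only the edited block's own hash
        edited[index]["hash"] = block_hash(index, edited[index]["prev"], {})
    return edited

# Constructed sample transactions (amount and beneficiary, as in the text).
RECORDS = [
    {"amount": 10, "beneficiary": "alice"},
    {"amount": 25, "beneficiary": "bob"},
    {"amount": 5, "beneficiary": "carol"},
]

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print(first_invalid_block(chain))                              # intact chain
    print(first_invalid_block(erase_data(chain, 1)))               # data blanked
    print(first_invalid_block(erase_data(chain, 1, rehash=True)))  # next link breaks
```

Rehashing the edited block only moves the failure to the next block, so an erasure would require rewriting every later block on every participant's copy.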
Legal challenges with regard to privacy
Where personal data are being processed in blockchains, the GDPR applies if other relevant conditions – in terms of its scope as specified in Article 2 and Article 3 of the GDPR – are also met, i.e. the controller’s establishment in the European Union or its activities being targeted at persons within the EU. And it is here that the development and increasing use of blockchain technology raises a number of tricky questions concerning applicability and enforceability of data protection legislation.
Data minimisation and the ‘right to be forgotten’
Basically, data contained in a blockchain are permanently stored, as they cannot be simply changed or removed. As a basic concept, where personal data are involved, this is incompatible with the GDPR, specifically in connection with the principle of data minimisation (Article 5(1)(c) GDPR), which means that the processing of personal data should be limited to what is relevant and necessary for the purpose of processing.
One other essential aspect of the GDPR concerns the rights of data subjects, covered in Articles 12 through 22. In this context, it is questionable whether data subjects can exercise their rights, such as the right to be forgotten, since blockchain is specifically designed to store data in a permanent and decentralised manner. Here, the concept of blockchain data processing appears to be principally incompatible with the GDPR’s intention of giving data subjects more control over their data.
Another question is whether, in the realm of blockchain technology in general and specifically in the case of an open, public blockchain, it is possible at all to identify a (common) controller in the sense of the GDPR. It should be clear to data subjects at all times who is monitoring the processing and to whom they can turn if they want to exercise their rights. Apart from this, the GDPR specifies a number of specific obligations for any party qualifying as the controller.
According to Article 4(7) GDPR the controller is the party determining the purpose and means of processing. In the context of a private blockchain, it will probably be easy to identify the controller(s), as it is transparent who the participants are and what authorisations they have.
In the case of a public blockchain, this is more complicated because of the open and decentralised nature of the blockchain. With large numbers of usually unidentified participants, it is difficult to say who is in charge and which parties might qualify as joint controllers. This makes agreements on fulfilling GDPR obligations nearly impossible. Thus, the (apparent) absence of a controller can affect compliance with the basic principles of personal data processing.
Blockchain technology as a solution for added privacy
Blockchains, however, may also have positive privacy effects. For instance, the technology can be used for registration of given or withdrawn consent and to restore ownership of personal data to the individual data subjects. Increased use of blockchain technology may allow citizens and organisations to stay in control of their own (personal) data, including their digital identities, the latter benefit also known as ‘self-sovereign identity (SSI)’ or ‘being master of one’s own identity’.
Using a digital identity based on blockchain technology would certainly simplify interaction in the blockchain. The possibility of generic digital identification would be a big step in restoring data ownership to the data subject, who would no longer have to depend on central controlling organisations within a construct of localised data. It would make it easier for data subjects to exercise their rights, such as the right to data portability and the right of access. All in all, the result would be a safer and more reliable practice of personal data processing, with better protection of the privacy of citizens.
Finally, there is a certain degree of flexibility in the GDPR, thanks to its technology-neutral formulation. Already, we are seeing a willingness on the part of supervisory authorities to make use of this flexibility. So, it seems fair to say that the GDPR is definitely not a general ban on the use of blockchain technology. However, the overall purpose of safeguarding privacy will, in many cases, diminish transparency, which is one of the defining blockchain benefits. All the more reason for developers of (public) blockchain applications to seriously reflect on the design of their applications in order to offer an adequate level of privacy protection (‘privacy by design’).
Privacy by design
Privacy by design (Article 25(1) GDPR) stipulates that organisations must prioritise the privacy of data subjects during the design of products or services involving personal data processing by taking ‘appropriate technical and organisational measures’, such as pseudonymisation. Blockchain applications use various pseudonymisation techniques, such as ‘asymmetrical encryption’ and ‘hashing’, to shield data from other users. In the GDPR, pseudonymisation is covered in Article 4(5).
Data encryption in blockchain technology may be a key way of providing appropriate protection of personal data and safeguarding the privacy of users. It is important to note, however, that in spite of these encryption measures, the GDPR continues to apply. It takes one further step – anonymisation instead of pseudonymisation – for this no longer to be the case. In this context, the European Parliament has explicitly stated that ‘data in a public ledger are pseudonymous and not anonymous’.
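Why hashed identifiers on a ledger remain pseudonymous rather than anonymous, as an added example that is not part of the original blog. The staff identifiers, demo key, ledger layout and function names are constructed assumptions; the keyed variant stands in for the ‘additional information’ that Article 4(5) requires to be kept separately.

```python
import hashlib
import hmac

# Constructed sample data: staff identifiers an observer could plausibly guess.
STAFF = ["a.jansen@example.org", "b.devries@example.org", "c.bakker@example.org"]
SECRET_KEY = b"constructed-demo-key-kept-off-ledger"

def plain_pseudonym(identifier):
    """Unkeyed hash: anyone who can guess the identifier can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def keyed_pseudonym(identifier, key=SECRET_KEY):
    """Keyed hash: recomputation needs the separately held key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def make_ledger(pseudonymise):
    """Constructed working-hours entries; only the pseudonym is written to the ledger."""
    rows = [(STAFF[0], 8), (STAFF[1], 6), (STAFF[0], 7)]
    return [{"subject": pseudonymise(who), "hours": hours} for who, hours in rows]

def linked_hours(ledger):
    """Group entries by pseudonym: equal pseudonyms reveal the same data subject."""
    groups = {}
    for entry in ledger:
        groups.setdefault(entry["subject"], []).append(entry["hours"])
    return groups

def reidentify(ledger, candidates, pseudonymise):
    """Return the candidate identifiers whose recomputed pseudonym is on the ledger."""
    lookup = {pseudonymise(c): c for c in candidates}
    return {lookup[e["subject"]] for e in ledger if e["subject"] in lookup}

if __name__ == "__main__":
    plain, keyed = make_ledger(plain_pseudonym), make_ledger(keyed_pseudonym)
    print(sorted(linked_hours(plain).values()))           # entries stay linkable
    print(reidentify(plain, STAFF, plain_pseudonym))      # recomputable by anyone
    print(reidentify(keyed, STAFF, plain_pseudonym))      # fails without the key
    print(reidentify(keyed, STAFF, keyed_pseudonym))      # key holder can attribute
```

In both variants the entries stay linkable per person and attributable by whoever holds the additional information, which is why the GDPR continues to apply to them.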
Blockchain technology is a way of decentralised (personal) data management in databases in which the participants collectively maintain transactions taking place in the blockchain.
The GDPR applies to all blockchains storing personal data. Although technology-neutral in its formulations, the GDPR seems to have implicitly been designed to cover the field of central databases managed by easily identifiable organisations. One of the characteristics of blockchain technology is the decentralised nature of data recording, in which identification of a controller is not always possible. This is a radical approach not directly compatible with the GDPR. Other blockchain properties also seem to be at possible odds with key GDPR elements. The legislation’s flexibility, however, does suggest room for new technologies, and blockchain technology itself offers potential for extended control by data subjects and better protection of their privacy.
If governments and businesses are to profit from the benefits of blockchain technology, careful consideration of options for GDPR compliance, including privacy by design, is essential. In short, it is high time for a critical inspection of the current state of, and future potential for, privacy and personal data protection within blockchain technology.