Does GDPR work for Blockchain and Distributed Ledger Technologies?
The business world has talked of little else but GDPR over the last few months. In the technology sector, however - and in particular among those involved in blockchain technology - some legal commentators believe there are “irreconcilable” differences between blockchain and GDPR, raising doubts as to whether the technology can achieve widespread adoption under the new data protection regime.
Blockchain technology isn’t just used in Bitcoin or other cryptocurrency systems. Many applications use it, including those for executing contracts and authenticating fine art. Many experts believe that basic provisions under GDPR (such as the identification of a data controller and the role of a data processor) are impossible to comply with when using such technology.
Indeed, speaking at a Westminster eForum panel event in London at the end of May, Nigel Houlden, head of technology policy at the ICO, said he has "nightmares" about blockchain's ability to protect personal data.
"To get its true efficiency [blockchain] needs to be an open network, because then you have cyber resilience – it's very difficult to attack 10,000 different actors. The trouble then is, who is controller and who is processor?" Houlden asked, admitting: "That gives me some nightmares."
He continued, "What I concern myself most with right now is things like the right to be forgotten, and how that can actually work with blockchain".
Article 17 of the GDPR states “[t]he data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
The problem is that this may not be possible if the personal data is stored on an open blockchain. One of blockchain’s main advantages is its resistance to modification of data. Each block of data contains a ‘hash’ of the previous one, so a change to any earlier block shows up in the blocks that follow it. In theory, too, every time a new computer joins a blockchain system, the data that's on the original block is replicated to the new computer. That is, in GDPR terms, a data transfer.
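The following sketch is an added example, not part of the original article, showing why erasing one record from a hash-linked chain is detectable and how a joining node receives a full copy. It is a toy chain: the SHA-256/JSON block format, the function names and the records are all constructed assumptions.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed sample records; the second one stands in for personal data.
RECORDS = ["contract #1 signed", "buyer: alice@example.com", "artwork #7 authenticated"]

def block_hash(index, prev_hash, data):
    """SHA-256 over the block's fields, serialised deterministically."""
    body = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build_chain(records):
    """Link records into a chain; each block stores the previous block's hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev"] != prev or block_hash(b["index"], b["prev"], b["data"]) != b["hash"]:
            return b["index"]
        prev = b["hash"]
    return None

def replicate(chain):
    """What a newly joined node receives: a full copy of every block."""
    return [dict(b) for b in chain]

def erase(chain, index, rehash=False):
    """Blank one block's data on a copy of the chain (an Article 17 style erasure).
    With rehash=True the erased block's own hash is recomputed as well."""
    copy = replicate(chain)
    copy[index]["data"] = "[erased]"
    if rehash:
        b = copy[index]
        b["hash"] = block_hash(b["index"], b["prev"], b["data"])
    return copy

if __name__ == "__main__":
    chain = build_chain(RECORDS)
    print("intact chain, first invalid block:", first_invalid(chain))
    print("after erasure:", first_invalid(erase(chain, 1)))
    print("after erasure + rehash:", first_invalid(erase(chain, 1, rehash=True)))
```

Recomputing the erased block's hash only moves the failure to the next block, so honouring the erasure would mean rewriting every later block on every node that holds a copy.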
As things stand, whilst there are exemptions from the requirements of Article 17, blockchain has not been clearly listed as one of them. More importantly, and linked to this, the lack of clarity extends to whether cryptographic information on a blockchain will qualify as personal information in all or any circumstances. When one adds to this the lack of geographical restrictions on blockchain use, there appears to be a very great deal of work to be done to unpick how GDPR and blockchain could work together.