Posted on 27 June 2020
Authored by Tanya Varshney
The European Union’s General Data Protection Regulations (“GDPR“) seeks to regulate the way personal data is stored, collected, processed etc. by a “data controller”. A controller is a natural or legal person or any authority that determines the purposes and means of the processing of personal data. Such a data controller must comply with the GDPR obligations. However, when it comes to blockchain servers, there are some grey areas with their compatibility with the GDPR. The European Parliamentary Research Service (“EPRS“) released a study on “Blockchain and the General Data Protection Regulation”. This study firstly acknowledges that since blockchains are distributed databases, the challenges in complying with the GDPR would depend on the specific technical design of the blockchain server. Blockchain, in simple terms, is a decentralized digital database. Since it is ‘decentralized’, it is hard to determine who is actually a data controller. Moreover, some GDPR obligations such as data erasure, modification, minimization, etc. become difficult to comply with given that data is stored on a chain of blocks across multiple servers. This article seeks to discuss the challenges with respect to applicability of the GDPR to blockchain servers and potential solutions for the same.
Applicability of the GDPR is limited by two factors – the territorial extent and the nature of data. This section discusses the territorial scope of GDPR with respect to blockchain servers. The GDPR applies where processing of ‘personal data’ occurs (a) in the context of activities of an establishment of the data controller or processer in the European Union; or (b) processing of personal data of such subjects who are in the European Union. In simple terms, GDPR would be applicable when data is collected for activities occurring in European Union (for example, personal or behavioral information collected as web cookies while browsing a website selling clothes in the European Union regardless of whether the controller or processor are in the EU), or when data of a natural person in the European Union is collected (for instance, data of a tourist in France collected by controllers or processors outside the EU as long as the data behavior that is being monitored occurs within the EU territory).
Given the broad territorial scope, regardless of where the data is being stored or processed, the blockchain systems would come under the scope of GDPR when the data subjects or the company or authority relaying on blockchains or where specific activities such as sale of good or services are based in the EU.
The basic premise for the applicability of GDPR rests on the data processed being “personal data”, that is, the data must be in relation to an identified or identifiable natural person. There are some concerns whether the GDPR would be applicable to blockchain servers where data is stored as encrypted or hashed data. The primary question would be whether the data stored would be identifiable to a natural person. GDPR recognizes the concept of ‘pseudonymisation’, that is, the processing of personal data in a way that it can no longer be identifiable to a specific data subject. However, it must be noted that pseudonymised data is not precluded from the data protection measures under the GDPR but is acknowledged as a recommendation to reduce the risks with respect to privacy of the data subjects. The EPRS also notes that even encrypted data would ‘likely’ qualify as personal data under GDPR as it is difficult to assess whether the encrypted data has been sufficiently anonymised. Additionally, Recital 26 to the GDPR also notes that pseudonymised personal data which could also be attributable to a natural person by use of any additional information would also have to comply with the GDPR obligations. Additional information could include internet protocol addresses, cookie identifiers, radio frequency identification tags, etc. as these may leave traces which may allow data to be attributable to a particular data subject.
Blockchain servers often use public keys which are essentially a string of letters and numbers that represent each user’s data – somewhat similar to an account number. There are also private keys, also letters and numbers, but somewhat similar to passwords. While the data stored in blockchain servers is encrypted or hashed, based on the technical design, such data could also be decrypted by the use of private keys. There is definitely some uncertainty regarding the degree of identifiability the data must have to come under the meaning of personal data. In this regard, the EPRS suggests that the appropriate test would be whether the controller or another person are able to identify the data subject in using all the ‘means reasonably likely to be used’.
Data Storage, Modification, Erasure and Minimisation
Chapter 2 of the GDPR lays down some key principles with respect to processing of personal data which include purpose limitation (the data must be processed for a specific purpose), data minimisation (personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed), accuracy, storage limitation (data must not be stored longer than necessary) and consent. Given these requirements, when data is collected, the consent obtained must also delineate the way data is going to be stored based on the technical design of the blockchain server. There is also some uncertainty regrading the storage of data for a continued period of time in distributed ledger when the data was collected for perhaps a single blockchain transaction. As noted above, the compatibility of this with GDPR would depend on the nature of the consent contract between the controller and subject. There are also some concerns with data minimisation and accuracy when it comes to blockchain systems as most servers are designed in a way that data cannot be removed from the blocks.
There are definitely some grey areas with respect to applicability of the GDPR to blockchain systems due to the unique and complex technical designs. However, some steps may be taken in order to bring such systems into compliance with the GDPR. Some cryptocurrency services, such as Monero, use ‘secret keys’ for one-time transactions. When the purpose of data collection is to ascertain where a particular transaction has occurred or not, zero-knowledge proofs that provide binary answers (such as yes/no or true/false) can be used. Additionally, creation of editable block chains can solve some challenges that arise with respect to data minimisation and accuracy.
That being said, the main thing to be kept in mind by data controllers using blockchain systems is that consent must be appropriately taken with respect to the specific design of the system. The terms should be intelligible and easily accessible, using clear and plain language. Moreover, the GDPR also necessitates that the data subject must have the right to withdraw their consent anytime. This may cause some problems where the blockchain servers are not editable. There must be a clear affirmative action while giving consent which would imply that even click-wrap and shrink-wrap agreements would be acceptable.
 Article 4(7), GDPR.
 Article 3, GDPR.
 Article 4(1), GDPR.
 Article 4(5), GDPR.
 Recital 28, GDPR.
 Recital 30, GDPR.
 Article 7(2), GDPR.
 Article 7(3), GDPR.
 Recital 32, GDPR.