Blockchain can be described as a secure, distributed database. It presents certain key features that make it potentially compliant with a strict interpretation of GDPR, such as transparency, anonymity, digital verification and the irreversibility of records.
However, some parts of the GDPR may be difficult or even impossible to comply with in the crypto-space. Take for instance the right of rectification and the right of erasure. These seem to be incompatible with the core function of a blockchain, namely that of keeping within the system an immutable copy of all previous transactions. Indeed, this problem extends to all blockchain systems, including (perhaps especially) to those specific to the field of data storage.
If we consider GDPR as a whole, many of its other requirements seem to be a perfect match for blockchain. For example, blockchain data secured by cryptographic techniques are very well suited to ensuring a high level of (data) security in accordance with Article 32 of the Regulation.
Blockchain’s various different configurations offer new ways of analysing GDPR. With regard to data storage, fragmenting documents across different hard drives enhances individuals’ control over their data, by making it impossible for a single node to access its contents as there is no one single point of control and, consequently, no data controllers. This is a strong argument against a strict interpretation of GDPR in the crypto space. The alternative would be to apply GDPR to blockchain in a strict way that views all participating nodes as data controllers, and any distributed data processing by them as non-compliant with GDPR and therefore (presumably) unlawful. But that would be nonsensical given that the aims of blockchain and GDPR are closely aligned: giving people back control over their data. It is for this reason that EU institutions will surely soon be urging further clarification on this point.
GDPR compliance is therefore a significant question mark for many existing procedures and frameworks. Nevertheless, blockchain technologies have a significant advantage in the fact that, absent a dominant protocol, the quick pace of ongoing research will allow for the development of future solutions. The lack of any tailored legislative intervention in this dynamic and rapidly evolving space may therefore allow for a solution to the regulatory dilemma to emerge from the technology itself. Even though it isn’t yet clear to what extent blockchain technologies will need to comply with data protection law, many have already begun to explore technical solutions to GDPR compliance. In particular, it has been proposed to store personal data off-chain, while storing on the blockchain only a hashed reference to these data and metadata.
Off-chain storage of personal data will surely make blockchain systems compliant with GDPR, but in turn this raises some new issues. In fact, it will introduce an additional layer of complexity, making systems increasingly prone to potential breaches, while at the same time reducing individuals’ control over their data.
By Paolo Tasca
