A blockchain is a shared immutable digital ledger that records transactions / documents / information in a block which is then added to a chain of other blocks on a de-centralised network.  Blockchain technology operates through a peer network, where transactions must be verified by participants before they can be added to the chain.

Notwithstanding its tremendous capabilities, in order for the technology to unfold its full potential there needs to be careful consideration as to how the technology can comply with new European privacy legislation, namely the General Data Protection Regulation (the “GDPR”) which came into force on 25 May 2018.  This article explores some of the possible or “perceived” challenges blockchain technology faces when it comes to compliance with the GDPR.

Personal data

The GDPR applies to the processing of “personal data” by controllers established in the European Union (EU), as well as companies outside the EU where their processing activities relate to offering goods or services to data subjects in the EU or to the monitoring of their behaviour.

The GDPR defines personal data as “any information relating to an identified or identifiable natural person.”  The GDPR will apply to any personal data that is stored or transmitted using a blockchain network.  Blockchain technology can be used to hide the actual identity of individuals using the network by assigning them a unique identifier such as an encrypted key, but if someone holds the means to decrypt that key and link it back to the individual, then the encrypted key may still constitute personal data under the GDPR.

There may be other instances, however, in which personal data (e.g., a person’s name or address) is directly shared through the network and stored in blocks.

Features of the blockchain network

Blockchain networks can either be public, in that everyone can access the network, or private, that is, closed to a certain set of individuals (or institutions) who have to be authorised to access the network.  They can also either be permissioned, so an individual or institution needs authorisation to be able to access and add to the network, or permissionless, meaning anyone can post to the network.  Bitcoin is an example of a public and permissionless blockchain, whereas a company that utilises blockchain technology as a proprietary back-office function to process its own data would most likely apply private and permissioned features to the network, as it is only that company that wishes to access and add to the network.

There are various ways in which blockchain technology is being used, with different features.  As discussed further below, which features apply will have an impact on how the technology can comply with the requirements under the GDPR.

De-centralised network

Blockchain technology is essentially a de-centralised network in which transactions / documents / information are recorded.  Especially for a public blockchain, no one individual is the ultimate keeper / owner of the ledger.  Instead, everyone who has access to the network can access, store and add to the ledger.  The GDPR, however, is very much tailored towards centralised networks, where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”).  Under the GDPR these relationships are clearly defined and carry with them certain obligations and responsibilities.  In addition, data controllers and data processors are expected to govern their relationships under contract.  However, in a de-centralised network, who falls within these defined roles is far more unclear.  In essence, every person who accesses the network may be considered a data controller.

These relationships may be easier to reconcile with the GDPR under a private and permissioned blockchain network, for example a company’s own proprietary use of the technology to process information where only certain individuals within the organisation can access and post to the ledger.  However, where the blockchain network is public and permissionless, such as Bitcoin, managing these relationships will be far more difficult.  If you are not aware of every person using the network, how can you be clear on whom the GDPR obligations lie, and how can you ensure contracts are in place to define these relationships?

In addition, it may be difficult for a regulator to determine who is liable where a network is in breach of the GDPR.  Would it be the case that everyone is liable?

Immutable ledger

One of the most widely perceived challenges of blockchain and the GDPR is the inability to delete data.  The main benefit of blockchain technology is that the blocks in the chain cannot be deleted or modified, to ensure the security and accuracy of the record.  However, under the GDPR, data subjects have the right to rectification, where the personal data concerning them is inaccurate, and they may have the right to have their data erased (“right to be forgotten”).

For any blockchain network, whether public or private, permissioned or permissionless, that directly stores personal data in a block, the ability to comply with these rights may be more challenging.  However, it has to be remembered that the extent to which a data subject is entitled to have their personal data erased is not an absolute right.  The right can only be relied on if certain conditions are satisfied, for example, where the data subject withdraws the consent on which the processing is based.  But to what extent will a blockchain network be relying on consent to process the data?

There are also some possible solutions that avoid the need to consider these questions; the most effective would be to avoid recording any personal data within the blockchain itself.  Another is to anonymise the data, although anonymisation techniques are not always robust, making this the less preferred of the two.
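One way to put the first of those solutions into practice, as an added example that is not from the original article: a toy ledger whose blocks hold only a salted hash commitment, while the personal data itself (a constructed sample record) lives in an erasable off-chain store. Erasing the off-chain record and its salt leaves the chain intact and still verifiable, but the on-chain commitment can no longer be linked back to the person.

```python
import hashlib
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Block:
    """Immutable block: index, link to the previous block and one commitment."""

    def __init__(self, index: int, prev_hash: str, commitment: str):
        self.index, self.prev_hash, self.commitment = index, prev_hash, commitment
        self.hash = sha256_hex(f"{index}|{prev_hash}|{commitment}".encode())


class Ledger:
    """Append-only chain that records only commitments, never personal data."""

    def __init__(self):
        self.blocks = [Block(0, "0" * 64, "genesis")]
        self.off_chain = {}  # commitment -> (salt, record); the erasable store

    def record(self, personal_data: dict) -> str:
        """Store the record off-chain and append its salted commitment on-chain."""
        salt = secrets.token_bytes(16)  # fresh random salt per record
        payload = json.dumps(personal_data, sort_keys=True).encode()
        commitment = sha256_hex(salt + payload)
        self.off_chain[commitment] = (salt, personal_data)
        prev = self.blocks[-1]
        self.blocks.append(Block(prev.index + 1, prev.hash, commitment))
        return commitment

    def verify_record(self, commitment: str, claimed: dict) -> bool:
        """Without the salt there is no way to confirm a guessed record matches."""
        entry = self.off_chain.get(commitment)
        if entry is None:
            return False
        salt, _ = entry
        payload = json.dumps(claimed, sort_keys=True).encode()
        return sha256_hex(salt + payload) == commitment

    def erase(self, commitment: str) -> None:
        """Right-to-erasure: drop the off-chain record; the chain is untouched."""
        self.off_chain.pop(commitment, None)

    def chain_valid(self) -> bool:
        """Every block must link to its predecessor and match its own hash."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            expected = sha256_hex(f"{cur.index}|{cur.prev_hash}|{cur.commitment}".encode())
            if cur.prev_hash != prev.hash or cur.hash != expected:
                return False
        return True
```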

The FCA and Blockchain

In the UK, the Financial Conduct Authority (“FCA”) has been considering the challenges of how blockchain technology may comply with financial services legislation, including the GDPR.  In April 2017, the FCA published a Discussion Paper (DP17/03) on Distributed Ledger Technology (“DLT”).  The purpose was to “stimulate a dialogue on the regulatory implications of current and potential developments of DLT in the financial markets”.  The Discussion Paper explored the potential risks and benefits of DLT applications in financial services and whether it could promote the FCA’s statutory objectives of promoting effective competition, financial market integrity and financial consumer protection.  In December 2017, the FCA published a Feedback Statement (FS17/4) to the Discussion Paper.

One of the issues that was most commented upon in the Discussion Paper was that of data protection in the context of DLT and the potential regulatory challenges of complying with the GDPR, when storing and processing client data.  However, whilst the FCA acknowledged that there are “significant challenges”, it believes that the combination of GDPR and the use of DLT has the potential to improve the way in which firms collect, store and process private information, which it believes would result in “significantly improved consumer outcomes”.

The FCA believes that its Discussion Paper was merely the beginning of the dialogue on the potential benefits and risks associated with the use of DLT in financial services.  The FCA is gathering more information and there will be further publications in due course.

The European Commission and Blockchain

The European Commission has recently launched the EU Blockchain Observatory and Forum which is focused on promoting blockchain throughout Europe.  The Forum recently ran a series of workshops on the impact of the GDPR on blockchain technology.

The use of blockchain technology will need careful consideration, as at this stage there are several open questions.  Further guidance from the European Data Supervisory Board might in some instances be needed.

We will continue to monitor key developments in relation to the GDPR and blockchain, and will provide further updates.

Bruce Bennett

Bruce Bennett represents domestic and global financial institutions and other market participants in global market transactions and regulations. Bruce’s work spans capital markets and futures and derivatives markets, including regulatory matters involving the SEC, FINRA, the CFTC and the prudential banking regulators. He also leads the firm’s efforts in representing issuers and derivatives dealers in convertible notes and other equity-linked product transactions in entering into equity derivatives hedging transactions, as well as in matters relating to the regulation of broker-dealers.

Bruce co-chairs the firm’s Financial Services Group, is a Vice Chair of the firm’s Public Service Committee and is a member of the firm’s Diversity and Inclusion Committee.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.