The GDPR defines personal data as “any information relating to an identified or identifiable natural person.” The GDPR will apply to any personal data that is stored or transmitted using a blockchain network. Blockchain technology can be used to hide the actual identity of individuals using the network by assigning them a unique identifier such as an encrypted key, but if someone holds the code to decrypt that key, then the encrypted key may still constitute personal data under the GDPR.
There may be other instances, however, in which personal data (e.g., a person’s name or address) is directly shared through the network and stored in blocks.
Features of the blockchain network
Blockchain networks can either be public, in that everyone can access the network, or they can be private, as in closed to a certain set of individuals (or institutions) who have to be authorised to access the network. They can also either be permissioned, so an individual or institution needs authorisation to be able to access and add to the network, or they can be permissionless, as in anyone can post to the network. Bitcoin is an example of a public and permissionless blockchain, whereas a company that utilises blockchain technology as a proprietary back-office function to process their own data would most likely apply private and permissioned features to the network, as it is only that company that wishes to access and add to the network.
There are various ways in which blockchain technology is being used, with different features. As discussed further below, which features apply will have an impact on how the technology can comply with the requirements under the GDPR.
Blockchain technology is essentially a de-centralised network in which transactions / documents / information are recorded. Especially for a public blockchain, no one individual is the ultimate keeper / owner of the ledger. Instead, everyone who has access to the network can access, store and add to the ledger. The GDPR, however, is very much tailored towards centralised networks, where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”). Under the GDPR these relationships are clearly defined and carry with them certain obligations and responsibilities. In addition, data controllers and data processors are expected to govern their relationships under contract. However, in a de-centralised network, who falls within these defined roles is far more unclear. In essence, every person who accesses the network may be considered a data controller.
These relationships may be easier to reconcile with the GDPR under a private and permissioned blockchain network, for example a company’s own proprietary use of the technology to process information where only certain individuals within the organisation can access and post to the ledger. However, where the blockchain network is public and permissionless, such as Bitcoin, managing these relationships will be far more difficult. If you are not aware of every person using the network, how can you be clear on whom the GDPR obligations lie, and how can you ensure contracts are in place to define these relationships?
In addition, it may be difficult for a regulator to determine who is liable where a network is in breach of the GDPR. Would it be the case that everyone is liable?
One of the most widely perceived challenges of blockchain and the GDPR is the inability to delete data. The main benefit of blockchain technology is that the blocks in the chain cannot be deleted or modified, to ensure the security and accuracy of the record. However, under the GDPR, data subjects have the right to rectification, where the personal data concerning them is inaccurate, and they may have the right to have their data erased (“right to be forgotten”).
For any blockchain network, both public or private, permissioned or permissionless, that directly stores personal data in a block the ability to comply with these rights may be more challenging. However, it has to be remembered that the extent to which a data subject is entitled to have their personal data erased is not an absolute right. The right can only be relied on if certain conditions are satisfied, for example, where the data subject withdraws their consent on which the processing is based. But to what extent will a blockchain network be relying on consent to process the data?
There are also some possible solutions to avoid the need to consider these questions; the most effective would be to avoid recording any personal data within the blockchain itself. Another is to anonymise the data, although the robustness of anonymisation techniques is not always fool-proof, making this the least preferred solution of the two.
The FCA and Blockchain
In the UK, the Financial Conduct Authority (“FCA”) has been considering the challenges of how blockchain technology may comply with financial services legislation, including the GDPR. In April, 2017, the FCA published a Discussion Paper (DP17/03) on Distributed Ledger Technology (“DLT”). The purpose was to “stimulate a dialogue on the regulatory implications of current and potential developments of DLT in the financial markets”. The Discussion Paper explored the potential risks and benefits of DLT applications in financial services and whether it could promote the FCA’s statutory objectives of promoting effective competition, financial market integrity and financial consumer protection. In December, 2017, the FCA published a Feedback Statement (FS17/4) to the Discussion Paper.
One of the issues that was most commented upon in the Discussion Paper was that of data protection in the context of DLT and the potential regulatory challenges of complying with the GDPR, when storing and processing client data. However, whilst the FCA acknowledged that there are “significant challenges”, it believes that the combination of GDPR and the use of DLT has the potential to improve the way in which firms collect, store and process private information, which it believes would result in “significantly improved consumer outcomes”.
The FCA believes that its Discussion Paper was merely the beginning of the dialogue on the potential benefits and risks associated with the use of DLT in financial services. The FCA is gathering more information and there will be further publications in due course.
The European Commission and Blockchain
The European Commission has recently launched the EU Blockchain Observatory and Forum which is focused on promoting blockchain throughout Europe. The Forum recently ran a series of workshops on the impact of the GDPR on blockchain technology.
The use of blockchain technology will need careful consideration, as at this stage, there are several open questions. Further guidance from the European Data Supervisory Board might in some instances be needed.
We will continue to monitor key developments in relation to the GDPR and blockchain, and will provide further updates.