GDPR & Blockchain: At the intersection of data privacy and technology

Much ink and angst have recently been spilled on how the European Union’s General Data Protection Regulation (“GDPR”) could impact the development and adoption of blockchain technology. The interplay between GDPR’s data privacy rights and the concept of blockchain serving as a decentralized, incorruptible digital ledger have led to various takes on a classic philosophical paradox: “What happens when an unstoppable force meets an immovable object?

The 'unstoppable force', GDPR, has compelled companies to comply with new data privacy regulations if they want to do business in the European Union. Compliance with GDPR is not optional - since violations can result in colossal penalties of up to €20 million euros or four (4%) percent of global revenue, whichever is greater.

One may wonder how something as dynamic and fluid as blockchain could be considered an 'immovable object'. Well, blockchain is an immovable object since once a transaction or piece of data is recorded on the ledger, the data is immutable.

This has led to the assumption that GDPR will impede the development of blockchain because recording transactions on the ledger without the ability to delete them violates a core principle of GDPR, namely, the data subject’s “right to be forgotten.”

Note: While blockchain does present other GDPR compliance issues, this article will focus specifically on the “right to be forgotten.”

For example, one of the biggest concerns of GDPR’s impact on blockchain, is that the immutability of recorded transactions violates GDPR’s “right to be forgotten.” Article 17(1) of GDPR clearly provides that a data subject has the “right to be forgotten” by demanding the erasure of his/her personal data upon the withdrawal of consent, or upon his/her objections to the processing. However, Article 17(1)(b) and (3) recognizes that the data subject’ “right to be forgotten” can be overridden by the controller’s legal or legitimate grounds to process the personal data, or for compliance with a legal obligation, respectively. In the context of blockchain, it is easy to imagine a scenario where an individual’s right to be forgotten is overridden by the legitimate interest of the owners/operators of blockchain to comply with legal obligations.

Take for instance, in the financial context, financial institutions have to comply with what is commonly known as the “know-your-customer” rule and must keep records of such transactions, including the personal data of the parties involved in the transaction. In the context of global logistics, personal data contained in the shipping documents of international freight must be maintained and stored for legal compliance reasons.

From a technological standpoint, the fact that blockchain is still in its infancy stage also ensures that GDPR will not hinder the adoption of blockchain throughout industries. While popular cryptocurrencies, such as Bitcoin, use public blockchains, businesses and industries are racing to develop private or permissioned blockchains. The key difference between a public and private blockchain is that in a public blockchain, there is no central authority and anyone can view the information contained in the ledgers; whereas, in a private blockchain, a central authority oversees who has access and how the data is distributed/stored. Creation or adoption of private blockchains will allow companies to account for, and ensure compliance with, GDPR.

Another feature that could be useful for blockchain in the context of GDPR compliance, is the concept of “off-chain storage” of personal data. Instead of uploading an individual’s personal data onto the ledger, personal data can simply be maintained off the blockchain in a central location with only a hash of the personal data recorded on the ledger. Upon request, the personal data stored off the chain can simply be deleted, rendering the hash key useless. This workaround would reduce the transparency benefit of blockchain, but it ensures compliance with an individual’s “right to be forgotten.”

Finally, another solution around the immutability of blockchain is to utilize smart contracts for GDPR compliance. Smart contracts are self-executing contracts with the terms of the agreement between the parties written into the code and are automatically triggered by the occurrence of a condition or event. Smart contracts can be written in a way that revokes all access rights and/or deletes the contents (i.e. the terms and personal data contained therein) after a set period of time, rendering the personal data inaccessible.

So, what happens when the unstoppable force known as GDPR meets the immovable blockchain?

Nothing earth-shattering. Fortunately, blockchain, as a technology and as a standard, is still in its infancy, which will allow the community to develop workarounds and solutions to ensure GDPR compliance. Over time, it is more likely than not that blockchain and GDPR will coexist peacefully and further ensure data privacy.