“Blockchain” and “GDPR” are certainly among the most popular buzzwords this year. Blockchain is a technology that many believe has great potential for the future. GDPR already keeps companies busy. By implementation of first blockchain use cases the topic data protection is currently discussed, because extensive data are processed in blockchain applications.
The decentralized blockchain network thrives on complex encryption and on transparent linking of transactions in a temporal sequence that is permanently stored. The technology is therefore considered to be particularly secure and inspires confidence. Thus, the essence of blockchain is to store data permanently. But how can this be reconciled with the principle of the right to be forgotten, which the GDPR regulates in Article 17?
Does GDPR apply at all?
First of all, the question arises as to whether GDPR is applicable at all. GDPR is only applicable if personal data are processed. If data are processed anonymously, GDPR does not have to be observed. It is therefore obvious to assume that data stored in blockchain are anonymised by means of complex encryption and hash values.
In a so-called public blockchain, which can be accessed by anyone, hash values can actually offer anonymity if, for example, the raw data is not known. Often, however, data is only processed pseudonymized because raw data is still available. If data is processed pseudonymized, the data protection laws are applicable. Personal data is understood to mean all information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, e.g. by assigning it to an identification number, to location data or to an online identifier. Pseudonymization allows such identification on a regular basis. The GDPR must therefore be observed.
For restricted and so-called private blockchains, to which only a limited group of subscribers has access, the user ID can be assigned to the person behind the assigned public key. Thus the data protection laws are applicable to such blockchains.
How can GDPR be applied to blockchain?
How blockchain applications can be designed to comply with the GDPR is currently extremely questionable. Already the problem mentioned at the beginning, how the right to be forgotten is to be converted, seems unsolvable at present. It is also questionable how the other rights affected can be asserted. To whom must the right of access be asserted? To what extent must the person responsible provide information? Who is the controller, i.e. who decides on the purposes and means of processing in the blockchain? In public blockchain, the responsible bodies could possibly be the operators of the nodes (i.e. participants who can carry out transactions themselves). In a restricted or private blockchain, the responsible body could be the organizational unit for access authorization. In this respect, clarity must be created in the future, because this information must be provided in accordance with Article 13 or Article 14 GDPR if the provision of information cannot be assessed as disproportionate in accordance with Article 14 (5) (b) GDPR.
Does GDPR prevent blockchain projects?
According to current circumstances, blockchain projects are difficult to combine with GDPR if personal data is stored in the blockchain. However, since the technology is predicted to have great potential, it is not unlikely that the existing hurdles will be overcome, e.g. through changes in the law. Various associations are already publishing proposed solutions as to how data protection must be adapted in the future so that blockchain technology can be used successfully.