A question of compatibility: blockchain and the GDPR
When considering blockchain and the General Data Protection Regulation (GDPR), they might seem completely unrelated. The possibilities and consequences of both have been given great media attention, with debates about what the future holds for the technology and the regulation heightening over recent months.
However, is the relationship – or lack of one – between the two something of concern, or is it of little significance? Given the numerous applications of blockchain as it continues to expand into the mainstream – including payments, healthcare and security – the perceived lack of compatibility between applications of blockchain technology and the requirements under the GDPR is a concern shared by many. But are the two really unrelated? What could be gained from enabling the technology and the regulation to work alongside each other?
The mainstream view of blockchain in relation to personal data regulation appears bleak. Jan Philip Albrecht, a Member of the European Parliament who played an important role in the development of the GDPR, expressed that “certain technologies will not be compatible with the GDPR” and that “blockchain probably cannot be used for the processing of personal data”. The UK Law Commission expressed similar concerns in their scoping study of smart contracts, and the World Economic Forum have suggested the GDPR, in its current state, is not compatible with blockchain technology.
The right to be forgotten
One of the primary concerns around processing personal data on the blockchain involves the fact that information recorded on a typical blockchain cannot be erased, only amended. On the flipside, the GDPR enforces that, upon request, anyone holding personal data on an individual must be able to erase it if the person chooses to exercise their “right to be forgotten”.
This is creating significant debate as to whether applications of blockchain that process personal data are GDPR-compliant. However, there seems to have been little, if any, official legal analysis by the relevant data protection authorities and legislators on how the requirements of the GDPR might be interpreted to permit lawful applications of blockchain technology to the processing of personal data, without compromising the intended protection of data subjects.
Slow adoption of blockchain
The true potential of blockchain solutions is yet to be fully deployed. According to the 2018 Gartner CIO Survey, only 1% of CIOs indicated that their organisation had adopted any kind of project involving blockchain. The reasons are partly a skills shortage and the difficulty of finding qualified engineers to develop the solutions, and partly the change in IT-department culture and in the way organisations traditionally operate that is needed to accommodate blockchain.
Only 8% of CIOs were actively experimenting with or planning to explore blockchain applications within their organisation, and 77% of surveyed CIOs reported that their organisation had no interest in blockchain and no action planned to explore its potential uses.
Establishing blockchain use cases
Unfortunately, if not addressed, the perceived incompatibility between blockchain and the GDPR will only further discourage an increase in the technology’s adoption. Cooperation is needed between the legal industry, government and private sector stakeholders to unlock the great potential of blockchain technologies; by working together to identify and agree on blockchain use cases and technical work-arounds that still allow data subjects to be protected in ways functionally equivalent to the GDPR requirements, the incompatibility issues can be addressed.
For example, whilst we know that data recorded on a blockchain cannot be erased, can the right to be forgotten requirement of the GDPR be met if a work-around ensures that personal data on a blockchain can be made inaccessible to any and all members of the blockchain, or of the public, in any context and at any time?
More simply, a readily available work-around is maximising the use of private chains, together with off-chain solutions, in which a hash recorded on the chain serves only as a reference to personal data stored in a database outside the blockchain. These solutions ensure that no personal data is kept on the blockchain itself, so any questions around GDPR compliance arising directly from the use of blockchain are avoided.
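The off-chain pattern described in this paragraph, as an added example that is not from the article or its authors: personal data lives in an ordinary, erasable store, and the chain records only a random record identifier and a keyed commitment (HMAC-SHA256 under a per-record key kept beside the data). When the record and its key are erased, the value left on the immutable chain can no longer be verified against, or re-linked to, the person, while the chain's own integrity is untouched. The in-memory ledger and store are toy stand-ins for a real blockchain and database, and the sample record, field names and helper names are constructed for this example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def canonical(data: dict) -> bytes:
    """Stable serialisation so the same record always commits to the same value."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def commitment(key: bytes, data: dict) -> str:
    """Keyed commitment to a record (HMAC-SHA256). Without `key`, the value
    cannot be re-linked to the data by hashing guesses, so erasing the key
    together with the record leaves an opaque identifier on the chain."""
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()


class OffChainStore:
    """Erasable store holding the personal data and the per-record key (constructed stand-in)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, dict]] = {}

    def put(self, data: dict) -> tuple[str, bytes]:
        record_id = secrets.token_hex(8)       # random reference, reveals nothing about the data
        key = secrets.token_bytes(32)
        self._records[record_id] = (key, data)
        return record_id, key

    def get(self, record_id: str):
        return self._records.get(record_id)

    def erase(self, record_id: str) -> None:
        """Right to be forgotten: drop the data and its key together."""
        self._records.pop(record_id, None)


@dataclass
class Block:
    index: int
    prev_hash: str
    record_id: str    # reference into the off-chain store
    commitment: str   # keyed digest of the off-chain record; no personal data
    hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.hash = self.compute_hash()

    def compute_hash(self) -> str:
        body = f"{self.index}|{self.prev_hash}|{self.record_id}|{self.commitment}"
        return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    """Append-only toy chain: blocks carry references and commitments only."""

    def __init__(self) -> None:
        self.blocks: list[Block] = [Block(0, "0" * 64, "genesis", "")]

    def append(self, record_id: str, commit: str) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.hash, record_id, commit)
        self.blocks.append(block)
        return block

    def verify_chain(self) -> bool:
        """Each block must hash correctly and link to its predecessor."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            if cur.prev_hash != prev.hash or cur.hash != cur.compute_hash():
                return False
        return True

    def holds_personal_data(self, values) -> bool:
        """Check that none of the given personal-data values appears on-chain."""
        text = "|".join(f"{b.record_id}{b.commitment}" for b in self.blocks)
        return any(str(v) in text for v in values)


def verify_record(block: Block, store: OffChainStore) -> bool:
    """True only while the off-chain record still exists and matches the commitment."""
    found = store.get(block.record_id)
    if found is None:
        return False
    key, data = found
    return hmac.compare_digest(commitment(key, data), block.commitment)


def demo() -> dict:
    store = OffChainStore()
    ledger = Ledger()
    subject = {"name": "Example Person", "email": "example@example.invalid"}  # constructed
    record_id, key = store.put(subject)
    block = ledger.append(record_id, commitment(key, subject))

    before = verify_record(block, store)
    store.erase(record_id)   # the data subject exercises the right to be forgotten
    after = verify_record(block, store)
    return {
        "verifiable_before_erasure": before,
        "verifiable_after_erasure": after,
        "chain_intact_after_erasure": ledger.verify_chain(),
        "personal_data_on_chain": ledger.holds_personal_data(subject.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the key: a plain, unkeyed hash of a low-entropy field such as an e-mail address or a name is a weak reference, because anyone holding a list of candidate values can recompute and match it, so the chain would still carry something that points back to the person. Keeping a random per-record key off-chain and destroying it with the record means the commitment left on the ledger is useless for re-identification, while blocks appended before the erasure still verify against each other.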
It is possible for blockchain and the GDPR to be compatible, if lawyers, technologists and legislators work to agree on how the GDPR can be interpreted to enable blockchain to function within its requirements. The result of such cooperation will be a better understanding of the true potential of blockchain, by making it more accessible and approachable and by encouraging a closer analysis of its technical, functional and legal foundation.
By Oana Dolea, GDPR practice lead, Matthew Williams, consultant, and Akber Datoo, managing partner, D2 Legal Technology