A study published by the European Parliamentary Research Service (EPRS) seeks to examine whether the European Data Protection Regulation and the ancillary framework (GDPR) can coexist with the peculiar nature of blockchain technologies. The study argues that the multiple points of friction which have emerged between the GDPR and blockchain technologies are mainly due to three factors:
Blockchain can be instrumental in solving issues pertaining to data transparency. Blockchain-based smart contracts can also automate the sharing of data, therefore contributing to the reduction of transaction costs, and facilitating data-sharing among European institutions. Ultimately, this may also lead to the development of an EU-wide artificial intelligence (AI) platform.
Blockchain also provides data subjects with increased control over who has accessed their data (Article 15 GDPR), how they can manage their personal information (data portability, covered in Article 20 GDPR) and protect them from unauthorized modification. Such streamlining of processes can also lead to better data management amongst different bodies accessing the same dataset stored on a single blockchain network where the respective data controllers could be a node in the network.
While significant tension exists between the nature of blockhain technologies and EU privacy laws, the study has also highlighted two major points:
As a result, the study puts forward three policy options:
While there is uncertainty as to how the EU privacy regulations can be applied to this technology, the study does not recommend revising the GDPR, rather to consider it as an expression of principle-based regulation, designed to be technologically neutral. Subjects wanting to use blockchain should, however, seek regulatory guidance on how the existing legislation applies to their specific case. The study also guides authorities to work with the European Data Protection Board to draft specific guidance on the application of the GDPR to blockchain technologies and support architects to design compliant use cases;
GDPR is designed to be a technology-neutral legal framework; therefore code of conduct and certification mechanisms are to be created and applied on an ad-hoc basis whilst adhering to a consistent data protection standard;
Funding should be made available for interdisciplinary research exploring how blockchain’s technical design and governance solutions could be adapted to the GDPR's requirements, and if protocols that are compliant by design may be created.
Chapter V of the GDPR states that personal data can only be transferred to third countries that (i) benefit from adequacy decisions, (ii) offer appropriate safeguards, or (iii) on the basis of derogation. Since multiple blockchain nodes may be located outside of the EU, transfers of personal data are only possible on the basis that the country the data is transferred to ensures adequate data protection levels. The country in question must, therefore, score high in terms of respect for the rule of law, human rights, and fundamental freedoms as well as enforce relevant legislation and practices. If the European Commission deliberates that the country in question offers adequate safeguards, an adequacy decision (which is to be reviewed at least every 4 years) is issued and implemented.
Transfer to third countries not benefitting from an adequacy decision is only possible if the data controller has put in place appropriate safeguards. These include binding corporate rules, which can take the form of contractual clauses or provisions, to be inserted into administrative arrangements between public organisations or bodies and which are subject to the prior approval from the competent supervisory authority. Individuals must be informed of the transfer of their data to a third country and of all the measures put in place to safeguard them.
