A study published by the European Parliamentary Research Service (EPRS) examines whether the General Data Protection Regulation (GDPR) and its ancillary framework can coexist with the particular nature of blockchain technologies. The study argues that the multiple points of friction that have emerged between the GDPR and blockchain technologies stem mainly from three factors:
- The need for a controller: the GDPR requires that each processing of personal data have an identifiable data controller (which can be either a natural or a legal person) for it to be lawful. This conflicts with the blockchain concepts of decentralization and shared responsibility;
- The immutability of data: under the GDPR, a subject's personal data can be modified or erased (right to be forgotten) following a request from the owner of the data. However, the immutability of a blockchain is arguably the keystone of data integrity and trust in the network. It is also unclear whether data stored on a blockchain can be sufficiently anonymized to meet the GDPR's minimum anonymization threshold;
- Data minimization: the GDPR requires that the collection and storage of data be kept to a minimum and serve only purposes notified in advance to the data owner, whereas blockchain technology is underpinned by distributed-ledger principles and replication across many machines (nodes). From a legal point of view, it is unclear whether the purpose of the processing covers only the initial transaction or also the continuous processing of the data once it is on the chain. Blockchain architects are therefore compelled to design GDPR-compliant use cases following compliance-by-design principles.
How blockchain can contribute to data transparency
Blockchain can be instrumental in solving issues pertaining to data transparency. Blockchain-based smart contracts can also automate the sharing of data, therefore contributing to the reduction of transaction costs, and facilitating data-sharing among European institutions. Ultimately, this may also lead to the development of an EU-wide artificial intelligence (AI) platform.
Blockchain also gives data subjects greater control over who has accessed their data (Article 15 GDPR) and over how they manage their personal information (data portability, covered in Article 20 GDPR), and protects that information from unauthorized modification. Such streamlining of processes can also lead to better data management among the different bodies accessing the same dataset stored on a single blockchain network, where each data controller could operate a node in the network.
While significant tension exists between the nature of blockchain technologies and EU privacy laws, the study also highlights two major points:
- The relation between this technology and the European legal framework can only be considered on a case-by-case basis;
- Blockchain can support GDPR in achieving its own objectives.
As a result, the study puts forward three policy options:
- Regulatory guidance: while there is uncertainty as to how EU privacy regulations apply to this technology, the study does not recommend revising the GDPR, but rather treating it as an expression of principle-based regulation designed to be technologically neutral. Subjects wanting to use blockchain should, however, seek regulatory guidance on how the existing legislation applies to their specific case. The study also calls on authorities to work with the European Data Protection Board to draft specific guidance on the application of the GDPR to blockchain technologies and to support architects in designing compliant use cases;
- Support codes of conduct and certification mechanisms: the GDPR is designed to be a technology-neutral legal framework; codes of conduct and certification mechanisms should therefore be created and applied on an ad-hoc basis while adhering to a consistent data protection standard;
- Research funding: funding should be made available for interdisciplinary research exploring how blockchain's technical design and governance solutions could be adapted to the GDPR's requirements, and whether protocols that are compliant by design can be created.
Transfer of data to third countries
Chapter V of the GDPR states that personal data can only be transferred to third countries that (i) benefit from an adequacy decision, (ii) offer appropriate safeguards, or (iii) fall under a derogation. Since many blockchain nodes may be located outside the EU, transfers of personal data are only possible where the destination country ensures an adequate level of data protection. The country in question must therefore score highly on respect for the rule of law, human rights and fundamental freedoms, and must enforce relevant legislation and practices. If the European Commission determines that the country offers adequate safeguards, an adequacy decision (to be reviewed at least every 4 years) is issued and implemented.
Transfer to third countries not benefiting from an adequacy decision is only possible if the data controller has put appropriate safeguards in place. These include binding corporate rules, which can take the form of contractual clauses or of provisions inserted into administrative arrangements between public organisations or bodies, and which are subject to prior approval by the competent supervisory authority. Individuals must be informed of the transfer of their data to a third country and of all the measures put in place to safeguard it.