For some people, Blockchain or distributed ledger technology (DLT) holds almost mystical potential to revolutionize everything. While there is more than a bit of hyperbole associated with blockchain, it is a fact that many corporates are incorporating DLT within their operations to streamline and remove friction within operations. And this is not just about finance.
When it comes to transparency and identification management blockchain can provide a heightened degree of both. Simultaneously, it can be utilized in a way to minimize users identifiable information. It just depends.
So what about the European Union’s General Data Protection Regulation (GDPR)? Whether you like it or not, this is the law in Europe. And it creates some questions regarding the growing usage of blockchain tech. Under GDPR, an individual has the right to control their own information and who can see or use their data. Additionally, GDPR requires the right for individuals to have certain information erased or modified – something that clashes with a decentralized network.
To help decipher what GDPR means for DLT the European Parliament has published a report entitled, Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?
Authored by Dr. Michèle Finck, at the request of the Panel for the Future of Science and Technology (STOA), the report addresses the “tension” between blockchain and GDPR.
To quote the report:
“It will be seen that these tensions play out in many domains. For example, there is an ongoing debate surrounding whether data typically stored on a distributed ledger, such as public keys and transactional data qualify as personal data for the purposes of the GDPR. Specifically, the question is whether personal data that has been encrypted or hashed still qualifies as personal data. Whereas it is often assumed that this is not the case, such data likely does qualify as personal data for GDPR purposes, meaning that European data protection law applies where such data is processed. More broadly, this analysis also highlights the difficulty in determining whether data that was once personal data can be sufficiently ‘anonymized’ to meet the GDPR threshold of anonymization.”
The fact that blockchain is supposed to be hard to modify clashes with GDPR rules. Because of this fact, architects must design their tech to be compliant under the law. As there is a certain amount of ambiguity within GDPR the compliance, the task is even more opaque. It is an interesting polemic.
In the end, the study asserts that permissioned blockchain is far easier to reconcile within GDPR. But even then, it must be addressed on a case by case basis. It is possible to create a blockchain which provides the benefits of a data-driven economy while empowering an individual to control their information, according to the author. On this basis the paper provides three recommendations:
“First, it was suggested that regulatory guidance on the interpretation of certain elements of the GDPR when applied to blockchains should be provided to generate more legal certainty in this area. Second, it was recommended that codes of conduct and certification mechanisms should be encouraged and supported. Third, it was recommended that funding be made available for interdisciplinary research exploring how blockchains’ technical design and governance solutions could be adapted to the GDPR’s requirements, and whether protocols that are compliant by design may be possible.”
The report is available here.