European Parliament’s Blockchain Resolution lays the framework to reconciling the GDPR and blockchain.
On October 3, 2018, the European Parliament passed a resolution on distributed ledger technologies and blockchain (the “Blockchain Resolution”). The Blockchain Resolution emphasizes the importance of taking an “innovation-friendly” regulatory approach, while also recognizing that it is of the “utmost importance” that blockchain technologies are compliant with the General Data Protection Regulation (“GDPR”). The GDPR is the European Union’s (“EU”) robust data protection legislation that applies not only to entities established in the EU that process personal data, but also to entities that are established outside of the EU that offer their products or services to EU residents or track the behavior of EU residents. The GDPR mandates that personal data only be processed if there is a lawful basis to do so, and gives rights to data subjects that provide them with significant control over the processing of their personal data. Further regulatory guidance on how the GDPR will be applied to blockchain is needed for blockchain innovation to continue.
The Blockchain Resolution reiterated that blockchain technology promotes the pseudonymization of users but not their anonymization. Anonymization irreversibly destroys any way of connecting the data to a natural person. Pseudonymization de-identifies the data in such a way that, with additional information, connecting the data to a natural person is possible. Although direct identification of individual users of a blockchain network is not possible, indirect identification is possible. Because user data on the blockchain is pseudonymized, it is subject to the GDPR. GDPR compliance is not about the technology, but rather how the technology is used to process personal data, and application of the GDPR’s principles to blockchain proves highly challenging. Immutability of data and decentralization of control, arguably the two most innovative aspects of blockchain, inherently conflict with provisions of the GDPR.
One issue that requires further guidance is how to determine which actor is the data controller of a blockchain network. The GDPR was fashioned with the implicit assumption that data in the digital world is controlled by identifiable actors. Blockchain technology seeks to achieve radical decentralization of data by replacing identifiable actors with the public. How does the GDPR apply to blockchain technologies that are not controlled by an identifiable actor? For example, Bitcoin is not controlled.
As far as the GDPR is concerned, it must be possible to identify a data controller. It is the data controller who is ultimately accountable for compliance with the GDPR and liable if the GDPR is breached. Among other obligations, the GDPR requires that data controllers process data lawfully, as defined in the GDPR, or face the consequences.
In a private, permissioned blockchain, determining the data controller is straightforward. The centralized company that runs the blockchain is the data controller for purposes of the GDPR.
Determining who the data controller is for a decentralized, public blockchain becomes difficult, if not impossible. There is currently an intense debate to determine who the data controller should be in these decentralized, public blockchains. There are strong arguments for and against finding that the protocol developer, the actors who host the nodes, the network users, or the publishers of smart contracts should be considered as data controllers. The conclusion of this debate will lead to significant liability for one or several of these actors and will influence future development of public blockchain technologies. Because this uncertainty around data controllership makes it difficult to assess a party’s responsibilities and potential liability under the GDPR, further regulatory guidance in this respect is urgently needed.
An additional obstacle arises in the right to erasure and rectification of data. Blockchains are immutable. True blockchain rely on the logging and storing of data chains. Prohibiting data modification or removal enables trust in a decentralized blockchain. Thus, deleting data would disrupt the chain and undermine the rationale behind blockchain. How does one reconcile that with the “right of rectification” and “right of erasure?” One potential solution posed by the EU Blockchain Observatory and Forum’s October 16, 2018, report on blockchain and the GDPR would be to use blockchain to store immutable proofs that certain data exists and store the data itself outside of the blockchain.
It is important to note that a Resolution from the European Parliament is not legally binding. A Resolution merely seeks to set forth the parliament’s position, with a view to promote other EU institutions to enact legislation accordingly. In the Blockchain Resolution, the European Parliament clearly expressed a position to support blockchain and the need for further regulatory clarity regarding blockchain and the GDPR. It is likely that the Blockchain Resolution will lead to further pro-blockchain policy and legislation.