This study by Roberta Filippone analyses blockchain technology through the “..lens of the individuals’ control over their personal data, to assess whether blockchain can empower the individuals’ control in compliance with European data protection law”.
The study looks at two potentially competing initiatives, the General Data Protection Regulation (GDPR) which is intended to give individuals the right to control how data about them is collected and used, including a right to have that information erase, and blockchain technology which may require the collection and long term retention of personal metadata to provide transparency and non-repudiation.
… the blockchain’s ledger is characterized by its immutability, meaning that every purchase, transfer or vote become part of a permanent record from which data cannot be erased.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
However, I think the GDPR provides and escape hatch:
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
I think all five of those can be applied to making the argument that the right to erase does not apply to blockchain technology used for financial transactions, identification, public records and smart contracts.
We are living in interesting times!