Blockchain and individuals’ control over their personal data

Blockchain and individuals’ control over personal data in European data protection law by Roberta Filippone

Blockchain challenges the European data protection law at its very foundations. Blockchain is a peer-to-peer technology with a distributed community and fragmented actions, while the GDPR’s obligations are conceived for centralized architectures where there is a clear distribution of roles and activities. In particular, under the GDPR’s approach, data controllers and data processors are those actors who have to comply with this legislative framework, bearing responsibilities in case they do not. However, blockchain is a technology whose core aspect is the absence of a middleman, namely a controller. Peer-to-peer design challenges the application of traditional legal regulation and questions who must comply with the GDPR and, thus, who has to be held liable for the processing and protection of personal data through the implementation of adequate technical and organizational measures as the principle of accountability calls for (Art. 5(2), GDPR).

This study by Roberta Filippone analyses blockchain technology through the lens of the individuals’ control over their personal data, to assess whether blockchain can empower the individuals’ control in compliance with European data protection law.

The study looks at two potentially competing initiatives: the General Data Protection Regulation (GDPR), which is intended to give individuals the right to control how data about them is collected and used, including a right to have that information erased, and blockchain technology, which may require the collection and long-term retention of personal metadata to provide transparency and non-repudiation.

… the blockchain’s ledger is characterized by its immutability, meaning that every purchase, transfer or vote becomes part of a permanent record from which data cannot be erased.

Art. 17 GDPR:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

However, I think the GDPR provides an escape hatch:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise or defence of legal claims.

I think all five of those can be applied to making the argument that the right to erase does not apply to blockchain technology used for financial transactions, identification, public records and smart contracts.

We are living in interesting times!

Does GDPR apply to EU citizens in the United States?

Does GDPR apply to EU citizens in the United States by GDPR News

If they deal with a business or organization in one of the non-EU countries they may be in, any personal data they provide is not covered by the GDPR rules, as they are not located within the EU at the time. It is not the citizenship of the person that is important, but where they are situated.

Looking at another example helps to further illustrate who the GDPR applies to. A US citizen is temporarily residing or travelling in France, which is an EU country. They make a purchase from a local store and provide personal information during the transaction. This personal information is covered by GDPR as the person is located within the EU as the purchase takes place.

From these examples you can see that the personal data of an EU citizen residing in the US, for example, would be dealt with according to individual data protection laws within the US and would not be subject to GDPR compliance, whereas the personal data of a US citizen residing in the EU would be subject to GDPR regulations.

Short answer: it depends, but ordinarily ... NO!

IANAL but the information in this Compliance Junction article seems legit. Two staff members from Pivoti covered PCI DSS and GDPR at last night's (and at times contentious) GDPR and Privacy Event of the New Jersey Chapter of the ISC2.

So ... hey Europeans. If you come to the USA and shop at the small local shops in my town, don't expect your EU legal rights to be respected. The local coffee shop which has no presence in the EU and has no website that sells to or services EU citizens is not subject to GDPR. If you are a local business, the local business association or chamber of commerce in your town may be the best place to get help. EU laws do NOT apply to natural persons or US-only businesses doing business in the USA.

The primary determining factor is the location of the individual when considering whether GDPR rules apply. Any business or organization that processes the data of people living within the EU, no matter where the group is located, should comply with the GDPR stipulations or face being fined for non-compliance.

Chris Aldrich and David Shanske, I think that you will be happy to know that Webmentions should meet the intentions of the GDPR if:

  • they have a privacy policy in place that articulates the information their website collects,
  • they disable any sort of analytics,
  • they have a way to remove/anonymise IP addresses in their database and logs,
  • they provide a way for users to remove ordinary comments (or move those to Disqus), since Webmentions already support deletion.
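As an added example (not code from the original post or from any Webmention or Isso project), one way to meet the "anonymise IP addresses in logs" item: a small Python helper that keeps only a network prefix of the client address on each access-log line. It assumes the usual nginx/Apache layout where the client address is the first field; the sample log lines are constructed.

```python
import ipaddress
import re
from typing import List, Optional

# Assumption: the client address is the first whitespace-delimited field,
# as in the default nginx/Apache combined log format.
_LEADING_ADDR = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)


def anonymise_ip(addr: str, v4_keep_bits: int = 24, v6_keep_bits: int = 48) -> Optional[str]:
    """Zero the host part of an IP address, keeping only a network prefix.

    IPv4 keeps the first 24 bits (last octet becomes 0); IPv6 keeps the
    first 48 bits. Returns None when the string is not an IP address so the
    caller can leave malformed or placeholder fields ("-") untouched."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    keep = v4_keep_bits if ip.version == 4 else v6_keep_bits
    network = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(network.network_address)


def anonymise_log_line(line: str) -> str:
    """Replace the client address at the start of one access-log line.

    Lines whose first field is not an IP address are returned unchanged."""
    m = _LEADING_ADDR.match(line)
    if not m:
        return line
    masked = anonymise_ip(m.group(1))
    return line if masked is None else masked + m.group(2)


def anonymise_log(lines: List[str]) -> List[str]:
    return [anonymise_log_line(line) for line in lines]


# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.57 - - [10/May/2018:21:03:11 +0000] "POST /webmention HTTP/1.1" 202 0 "-" "curl/7.58"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [10/May/2018:21:04:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '- - - [10/May/2018:21:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 30 "-" "bot"',
]

if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

Run it as a filter over rotated logs before they are archived; the same helper can be applied to the IP column of a comment database before the rows are retained long-term.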

I am leaning toward using the open-source Isso on this website.