Blockchain challenges the European data protection law at its very foundations. Blockchain is a peer-to-peer technology with a distributed community and fragmented actions, while the GDPR’s obligations are conceived for centralized architectures where there is a clear distribution of roles and activities. In particular, under the GDPR’s approach, data controllers and data processors are those actors who have to comply with this legislative framework, bearing responsibilities in case they do not. However, blockchain is a technology whose core aspect is the absence of a middleman, namely a controller. Peer-to-peer design challenges the application of traditional legal regulation and questions who must comply with the GDPR and, thus, who has to be held liable for the processing and protection of personal data through the implementation of adequate technical and organizational measures as the principle of accountability calls for (Art. 5(2), GDPR).
This study by Roberta Filippone analyses blockchain technology through the “… lens of the individuals’ control over their personal data, to assess whether blockchain can empower the individuals’ control in compliance with European data protection law”.
The study looks at two potentially competing initiatives: the General Data Protection Regulation (GDPR), which is intended to give individuals the right to control how data about them is collected and used, including a right to have that information erased, and blockchain technology, which may require the collection and long-term retention of personal metadata to provide transparency and non-repudiation.
… the blockchain’s ledger is characterized by its immutability, meaning that every purchase, transfer or vote becomes part of a permanent record from which data cannot be erased.
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
However, I think the GDPR provides an escape hatch:
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
I think all five of those can be applied to making the argument that the right to erase does not apply to blockchain technology used for financial transactions, identification, public records and smart contracts.
We are living in interesting times!