The AIIM Blog - Overcoming Information Chaos

The Tension between GDPR and Blockchain: Are they Polar Opposites or Can they Co-exist?

Written by Andrew Pery | Jan 10, 2019 3:00:00 PM

A potentially problematic challenge for industry and legislators is the apparent tension between privacy rights and the rapid adoption of blockchain-based applications which are expected to reach $10.6 billion in revenue by 2023.

There is a school of thought that blockchain is antithetical to and incompatible with safeguarding privacy rights. One of the most notable blockchain skeptics – David Gerard – argues that if “you were silly enough to put personal data into an append-only ledger which is a proof-of-work blockchain — that’d be flat-out insane.”

There is certainly merit to this argument. The ambition of blockchain is to provide an immutable ledger of transactions which cannot be modified by any single participant within the blockchain, but is instead governed by consensus-based algorithms. While a blockchain provides a trusted framework for the integrity and auditability of transactions, it stands in stark contrast to the ambition of the GDPR, the foundation of which is to enable data subjects to exercise a greater degree of control over the processing of personally identifiable information.

The GDPR provides data subjects with enhanced rights to withdraw consent and to access, correct and in some cases erase their personal information. “The structure of the blockchain does not allow for any such changes. Any attempt to modify the information recorded about a prior transaction could break the chain, and the transactions that were conducted in reliance on the pre-existing data could not be erased or superseded.”

The contrarian position is that blockchain and privacy rights can in fact be complementary, as both are predicated on the desire to confer a greater degree of control on individuals over their information – albeit from two different ends of the spectrum of control. The ambition of blockchain is to remove agency costs by obviating the need for intermediaries to control data, while at the same time ensuring the trustworthiness, traceability and security of transactions. GDPR, on the other hand, is designed primarily to enable data subjects to exercise a greater degree of control over the processing of their personal information. Both blockchain and GDPR are designed to “democratize” data by giving more control over its use to individuals.

There is a further argument for the co-existence of blockchain and GDPR privacy rights, grounded in the inevitability of accelerated adoption of blockchain-based applications and the view that their impact “will be more transformational than the internet itself.” In an article, Anne Toth, Head of Data Policy, World Economic Forum, LLC posed the following:

“While European policymakers were debating and finalizing aspects of GDPR, blockchain wasn’t on most people’s radar. This is yet another example of where regulation is addressing a problem in the rear-view mirror rather than looking at the road ahead…. In this case, while we wait for the rules to play catch up, the question we have to ask is whether existing blockchain applications that store personal data are now rendered illegal until this is sorted.”

In between these polar opposite arguments there may be a pragmatic middle ground:

  • Article 6 of GDPR stipulates six legal bases for processing personally identifiable information: data subject consent, performance of a contract, compliance with legal obligations, protection of the interests of data subjects, public interest and legitimate business interests. Blockchain-based applications such as Smart Contracts and Know Your Customer may process personally identifiable information based on either legitimate business interests or a contractual obligation. Smart Contracts are typically permissioned blockchains which are written by and agreed to by the contracting parties, and they determine the rules by which such contracts self-execute. Similarly, Know Your Customer applications within financial services are permissioned blockchains, and compliance with GDPR may be based on legitimate business interests. For example, the UK Financial Conduct Authority published a Discussion Paper on Distributed Ledger Technology in which it contends that “the combination of DLT (Distributed Ledger Technologies) and GDPR has the potential to improve the way in which firms collect, store and process private information which it believes would result in significant improved customer outcomes.”
  • There is a potential argument that the immutability of blockchains may be consistent with Article 4 of GDPR relating to ‘pseudonymization’ of personal information, such that “personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately”. While pseudonymized data still falls within GDPR protection, because it may be re-identified (i.e. it is not anonymized), one possible way to address this gap is to store personally identifiable information off the blockchain and keep only a pseudonymous reference on it.
  • Some argue that blockchain may be a “catalyst for data protection…blockchain databases are particularly interesting because they allow - at least in theory - transactions between parties without having to disclose their identity directly to the contracting party or the public. If a transaction cannot be traced back to the involved individuals, their fundamental right to self-determination is not affected.” However, the merits of this argument may not stand up to GDPR requirements, as the authors of the article have cautioned that “Whereas it is true that no names, addresses, telephone numbers, or any other comparable information making it possible to readily identify the participants without significant effort, there are various possibilities remaining for the de-anonymization of corresponding entries.”
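The off-chain pattern from the pseudonymization bullet, and the de-anonymization caution from the last one, can be made concrete. The following is an added example, not code from the article or from any of the cited authorities: the ledger, the store and the record identifiers are hypothetical, and the PII value is a constructed sample. Only a keyed commitment goes on the hash chain; the PII and the per-record key live in a mutable store, so honouring an erasure request deletes them off-chain and leaves the immutable entry in place but unlinkable.

```python
import hashlib
import hmac
import secrets

SAMPLE_PII = "Jane Example, jane@example.com"  # constructed sample value, not real data


class Ledger:
    """Append-only hash chain; entries carry only keyed commitments, never PII."""

    def __init__(self):
        self.entries = []

    def append(self, commitment):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256((prev + commitment).encode()).hexdigest()
        self.entries.append({"prev": prev, "commitment": commitment, "hash": digest})
        return len(self.entries) - 1

    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            digest = hashlib.sha256((prev + e["commitment"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True


def commitment(key, pii):
    # Keyed hash with a random 256-bit key per record. A plain SHA-256 of a name
    # or e-mail address can be matched against a dictionary of candidates, which
    # is the de-anonymization risk the article warns about; without the key it cannot.
    return hmac.new(key, pii.encode(), hashlib.sha256).hexdigest()


def register(store, ledger, record_id, pii):
    """Keep PII and key in the mutable off-chain store; put only the commitment on chain."""
    key = secrets.token_bytes(32)
    store[record_id] = {"key": key, "pii": pii}
    return ledger.append(commitment(key, pii))


def resolve(store, ledger, record_id, index):
    """Re-link a ledger entry to its subject; works only while the off-chain record exists."""
    rec = store.get(record_id)
    if rec is None or commitment(rec["key"], rec["pii"]) != ledger.entries[index]["commitment"]:
        return None
    return rec["pii"]


def erase(store, record_id):
    """Erasure request: delete PII and key off-chain; the on-chain entry stays but is unlinkable."""
    return store.pop(record_id, None) is not None
```

The chain keeps its integrity after erasure, which is the point: the audit trail survives while the link to the person does not.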

A particularly instructive analysis of the co-existence of blockchain and GDPR is that of the French data protection authority (CNIL), which provides helpful guidance on best practices for implementing GDPR-compliant blockchain applications:

“Organizations should carefully determine whether they need blockchain in the first place, particularly a public one; if you choose to go forward, practice data minimization when registering data on a blockchain.”