After Facebook announced Libra as a new cryptocurrency, many discussions started regarding definition of a blockchain and various regulatory obstacles for cryptocurrencies. This article gives perspective on regulatory definition of blockchain technologies and regulatory challenges when it comes to personal data protection.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regards to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter: “the GDPR”) is legal act that regulates data protection of living natural persons and is applicable since 25thMay 2018. GDPR sets higher standards for the protection of personal data than the Directive 95/46/EC.
Processing of personal data, in the sense of the GDPR, means any operation or set of operations that is performed on personal data, which, among other, includes collection, recording, organisation, structuring, storage, adaptation, alteration and other similar procedures. For the purpose of this article it is important to note that pseudonymisation also constitutes the processing of personal data, in accordance with the GDPR, and that pseudonymised data is generally considered as personal data.
Pursuant to the Article 4 of the GDPR, “personal data” means any information relating to an identified or identifiable natural person (‘data subject’).
The GDPR defines roles within the processing of personal data and prescribes “data controller” as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and “data processor” as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Article 26 of the GDPR determines the relationship that involves more than one controller who jointly determine means and purpose of the processing of personal data and names them “joint controllers”.
Blockchain enables the decentralised database founded on the cryptographic principles. While in the case of traditional databases data is located in a single or a few places (e.g. computers, servers, cloud), blockchain records data and activities on each of its active parts. Considering the fact that every part of blockchain must verify and record certain activity, the data recorded on blockchain is almost impossible to alter. Therefore, it is certain that every record on the blockchain has actually been made.
By defining the terms like data controller, processor, and joint controllers, the GDPR implies the existence of centralised system of the processing of personal data. Such a model presupposes that the each participant (natural persons or legal entities) in the processing of personal data is more or less determined, with the clear definition of the rights and obligations, and that each specific processing of personal data is being done at one or few locations. In reality, certain business processes and information systems are difficult to place within the scope of aforementioned terms. One of the examples that accentuates this problem is the use of blockchain technologies.
Blockchain and personal data protection
If a blockchain contains personal data, the GDPR is applicable. Considering the decentralised nature of blockchain based technologies, it is hard to determine the roles within the processing of personal data (data controller, data processor, joint controllers) and the data is practically impossible to delete. The GDPR prescribes that every data subject (therefore, a natural person whose data is being processed) has the right to be forgotten if the personal data are no longer necessary in relation to the purposes of the processing, if the data subject withdraws consent on which the processing is based, if the personal data have been unlawfully processed, or in order to comply with a legal obligation in the European Union or Member State law to which the controller is subject.
Blockchain is designed in such a manner that every part of the system contains information on the entire system. In other words, information, once recorded on blockchain, not only stay recorded, but are also accessible to all who use that blockchain. In Article 25, Paragraph 2, the GDPR prescribes the obligation of data controller to implement appropriate technical and organisational measures for ensuring that the processing of personal data is not automatically available, without the intervention of an individual, to unlimited number of persons. Therefore, the GDPR is being violated by the mere fact of recording personal data on the blockchain because the data will become accessible to everyone, for an indefinite time.
When it comes to blockchain based technologies, there are also issues regarding the territorial scope of the GDPR. The GDPR applies to every processing of personal data if the data controller or data processor are established in the European Union, as well as to those who are established outside the European Union, whose processing activities relate to offering of goods or services within the European Union or are monitoring the behaviour of data subjects located within the European Union.
Considering the fact that blockchain is a database decentralised organisationally and geographically and its users are scattered all around the world, it is therefore difficult to identify the location of the processing of personal data and it is not possible to establish appropriate safeguards that the GDPR prescribes for the export of personal data outside of the European Union.
Private and permissioned blockchain
Everything aforementioned applies primarily to public, permissionless blockchains. Those kinds of blockchains are open to all persons with the access to the computer, without imposed restrictions regarding who can access the blockchain platform and confirm the transactions. On the other hand, the permissioned blockchain sets restrictions on various levels, depending on the particularities of the platform, regarding the reading of the data, request for new transaction, and confirming the transactions.
Permissioned blockchains are most often private blockchains, which means that the permission for recording and confirming data have one or few entities which hold very high level of trust from other users and all participants are quantified and clearly identified. Central entity can in some cases restrict the right of certain participants to access the data. Central entity (or more of them) has the ability to change the rules of a private blockchain and also to decline the transaction with regards to the rules.
Private blockchain with the high level of centralisation has clearly defined and quantified participants. Such system enables the alteration of data already recorded on a blockchain and can be territorially confined.
Out of the afore-mentioned differences between private and public blockchains, conclusion can be drawn that, depending on the level of decentralisation, certain questions and issues regarding the application of the GDPR arise. The more the blockchain is decentralised, the more the application of the GDPR is unclear. On the other hand, certain level of the centralisation could make one private blockchain a conventional database and private blockchains could be considered as not-blockchain because they lose their essential features and advantages.
Data protection impact assessment
Considering all the stated risks, if an organisation wishes to implement blockchain as a technology that will lower the costs, enhance efficiency, and ensure the trust between many different organisations or departments, it is required to assess possible risks regarding the protection of personal data before implementation of a blockchain technology.
The GDPR prescribes the obligation of data controller to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data before the processing, in particular when using new technologies, while taking into account the nature, scope, context, and purposes of the processing, if it is likely to result in a high risk to the rights and freedoms of natural persons.
Data protection impact assessment (DPIA) is the assessment of certain risks when it comes to personal data processing. “Risk” is the scenario that describes an event and its consequences assessed with regards to severity and likelihood.
That would mean that, before using blockchain technologies, it is necessary to analyse what kind of blockchain is to be implemented (public, private, permissioned), who will be considered as a data controller, who will be a data processor, what are the related risks, how will data subjects exercise their rights, and what could be a legal basis for processing of personal data. When carrying out the assessment, the advice of data protection officer should be requested, and in the event of the remaining risks, it is possible to seek out the opinion of the competent supervisory authority.
Data protection by design and by default
Pursuant to the Article 25 of the GDPR, the data controller shall implement appropriate technical and organisational measures, such as a pseudonymisation and data minimisation. With regards to blockchain technologies, there are few possible solutions:
- One of the solutions is to process the personal data outside of the blockchain (off-chain), and to store on the blockchain only unique identifier (hash) that serves as a link to certain data stored on an off-chain database. Even though that identifier would be a pseudonym for a certain set of data, and thus within the scope of the GDPR, data stored off-chain could be deleted or altered if needed or by the request of data subject.
- The second option is the use of side-chains, which could be called parallel blockchain. The level of security and privacy integrated in them depends on the specific technology that they use. They are independent of the blockchain and, in the event of the unauthorised access, the harm could be limited.
- The third option is Zero knowledge proof cryptographic technique which enables two parties to prove the veracity of a certain proposition, without revealing any details of that proposition, except the fact that it is true. The example of blockchain that uses such a technology is Zcash (ZEC).
From the analysis of the blockchain technologies with regards to personal data protection, we can conclude that a series of risks have been identified which should be taken into consideration before developing and implementing blockchain technologies.
The GDPR regulates processing of personal data not the blockchain itself. However, if a blockchain contains personal data, the GDPR is applicable, and it is necessary to follow all the principles and provisions in order to avoid high fines and to accomplish compliant solutions. Considering the nature of blockchain technologies, it is crucial to keep in mind the risks and integrate personal data protection at the very beginning of the project.
 For the purposes of this article, our basic considerations will include prominent blockchain technologies such as Ethereum blockchain.
Marija Boskovic Batarelo LL.M. Law and Technology