In simple terms, a Blockchain can be understood as a digital database that accumulates transaction data in a chain of linked blocks. These chains are stored in a decentralized manner by the computers participating in the network (also called nodes), following the peer-to-peer principle. Transactions are confirmed by processors taking part in the validation process (also called miners) by calculating a hash. Blockchain technology is regarded as highly transparent, extremely difficult to manipulate and traceable for a practically unlimited time. Whether Blockchain technologies are compatible with the General Data Protection Regulation (GDPR), in force since 25.5.2018, is highly questionable, though.
Applicability of the General Data Protection Regulation (GDPR)
Blockchains are divided into public and private networks. In some private Blockchains the processing of personal data (meaning any information relating to an identified or identifiable natural person) is inherent. This is especially the case where an application's essential component is the identification of the parties to a transaction, e.g. in a register of commercial property rights or in identity management applications. Usually this personal data is not stored in the Blockchain itself but is replaced by hashes or personal IDs that are associated with the personal data held in a database behind it. Nevertheless, such pseudonyms suffice to identify a person and are therefore personal data themselves.
A link to personal data is possible in public networks as well: the risk that a natural person's identity is revealed during data processing is the flip side of the high level of transparency on which trust in Blockchain technology is based.
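As an added illustration (not part of the original article) of the design described above, the following Python sketch builds a toy property register with hashed owner pseudonyms on the chain and the personal data in an off-chain store; the identifiers and names are constructed. It shows that the on-chain hash resolves to a person as long as the off-chain record exists, that deleting that record does not remove the pseudonym from the chain, and that altering a recorded transaction breaks the hash chain.

```python
import hashlib
import json
from typing import Optional

# Constructed sample data: a toy register of property rights. Blocks carry only
# a pseudonym (hash) of the owner; the personal data lives in an off-chain store.

def pseudonym(identifier: str) -> str:
    # Unkeyed SHA-256 of the identifier, the on-chain stand-in for the person.
    return hashlib.sha256(identifier.encode()).hexdigest()

def block_hash(block: dict) -> str:
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain: list, tx: dict) -> dict:
    prev = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "prev": prev, "tx": tx}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block

def chain_valid(chain: list) -> bool:
    # Every block must hash to its recorded value and point at its predecessor.
    for i, b in enumerate(chain):
        if b["hash"] != block_hash(b) or (i and b["prev"] != chain[i - 1]["hash"]):
            return False
    return True

def resolve(chain: list, offchain: dict, index: int) -> Optional[str]:
    # Re-identification path: on-chain pseudonym -> off-chain record -> name.
    rec = offchain.get(chain[index]["tx"]["owner"])
    return rec["name"] if rec else None

def demo() -> dict:
    chain, offchain = [], {}
    alice = pseudonym("alice@example.com")             # constructed identifier
    offchain[alice] = {"name": "Alice Example"}
    append_block(chain, {"asset": "parcel-17", "owner": alice})
    append_block(chain, {"asset": "parcel-17", "owner": pseudonym("bob@example.com")})
    linked = resolve(chain, offchain, 0)               # the hash still names Alice
    del offchain[alice]                                # off-chain erasure ...
    unlinked = resolve(chain, offchain, 0)             # ... no longer resolves
    still_on_chain = chain[0]["tx"]["owner"] == alice  # ... but the pseudonym remains
    intact = chain_valid(chain)
    chain[0]["tx"]["asset"] = "parcel-99"              # rewriting history is detectable
    return {"linked": linked, "unlinked": unlinked,
            "still_on_chain": still_on_chain, "intact": intact,
            "tampered_valid": chain_valid(chain)}
```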
Who is the responsible controller in a blockchain?
According to sec. 4 para. 7 GDPR, the controller, i.e. the person responsible for demonstrable compliance with the data protection rules, is the one who alone or jointly with others determines the purposes and means of the processing of personal data. In doing so, the GDPR generally presumes centralized systems in which the roles of controller and processor are assigned bindingly.
Decentralized networks, such as Blockchain-based applications, are not really on the GDPR's radar. For public Blockchains, the predominant view in the legal literature is that every participant operating a node is to be regarded as a controller, on the basis of his participation in the transactions that take place in the system. For private Blockchains, the controller is whoever controls the right of access, which leads to the classification of the respective miners and node operators as processors within the meaning of sec. 4 para. 8 GDPR.
Nevertheless, a schematic classification of the participants is to be advised against; a qualification focusing on the individual case is preferable.
Lawfulness of data processing
The processing of data is generally prohibited unless it is legally justified. This principle naturally also applies to processing in relation to Blockchain. Depending on the processing situation and the way personal data is handled, a suitable justification can be based on consent (sec. 6 para. 1 lit. a) GDPR), a contract (sec. 6 para. 1 lit. b) GDPR) or the legitimate interests pursued by the controller or by a third party (sec. 6 para. 1 lit. f) GDPR).
With regard to Blockchain technology, consent is not the appropriate justification under data protection law, because at the time of consent the data subject does not know to whom his or her data will be disclosed. Furthermore, the data subject must have the opportunity to withdraw consent at any time with effect for the future. Such a withdrawal, however, is not provided for by the architecture of Blockchain.
Depending on the purposes of the processing, processing within Blockchain applications might be lawful under sec. 6 para. 1 lit. b) and f) GDPR, provided that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
But even where a legal basis exists, the problem remains that personal data has to be deleted as soon as the purpose on which the processing is based has been achieved (unless there are legal obligations to retain it further). In contrast, it is the nature of Blockchain that transaction data is stored permanently. Depending on the concrete business model, however, it is conceivable to counter this conflict of interests by careful drafting of the contract, by the purpose clause in sec. 6 para. 4 GDPR and by the compatibility of transparency and participation in the network.
The obligation to inform and rights of the data subject
Furthermore, according to secs. 13 to 15 GDPR, the legal obligations to inform the data subjects and to uphold their rights have to be respected. Again, there are significant difficulties for which no legally secure solution has been found yet.
Depending on whether personal data has been obtained directly from the data subject or not, he or she must be informed as set out in sec. 13 or sec. 14 GDPR respectively. As personal data in relation to Blockchain has usually not been obtained from the data subject, it might be argued that the provision of such information proves impossible or would involve a disproportionate effort and can therefore be omitted under sec. 14 para. 5 lit. b) GDPR.
No such exception exists for granting data subjects their rights of access, to rectification, to erasure (“right to be forgotten”), to restriction of processing, to data portability and to object. It is not yet clear how those rights can be respected and granted given the architecture of Blockchain, which implies that data is stored long-term and immutably.
Wherever a technical solution can be addressed within the Blockchain application, it is highly recommended to take all appropriate measures. Waiving the rights of the data subjects contractually is simply ineffective.
Outlook: After all, is there still a chance?
At first sight, and according to the current (especially German) strict interpretation, data protection law and Blockchain technology are hardly compatible. But the law lagging behind new technical developments is not an unknown phenomenon. It remains our responsibility to draw attention to this problem and to keep trying to reconcile law and technology, whether through legal development and adaptation or by further developing the technology in line with data protection law.
In doing so, it should be considered favourably that the architecture of Blockchain already meets many of the GDPR's requirements concerning privacy by technology design and privacy by design. It is therefore necessary to consider the “risk-based approach” laid down in the GDPR, which is intended to make it possible to adjust the duties of the controller in accordance with the risks involved in the processing of data.