Blockchain technologies are arguably breaking many patterns nowadays. Just consider the foundations on which the circulation of the Bitcoin and Ethereum cryptocurrencies is based. There are lots of aspects to keep in mind as they introduce new paradigms, including but not limited to those of a legal nature. From this perspective, the Blockchain/GDPR dualism is especially interesting, in particular how the Blockchain will be able to support and respect the rules on the protection of personal data introduced by the GDPR.
According to the forecasts announced at the last World Economic Forum, as much as 10% of the world’s GDP will, by 2025, be determined by activities and services distributed through Blockchain technologies. This is a scenario that, sooner or later, will have to deal with regulations, first of all GDPR (the European General Data Protection Regulation).
As things are today, it seems like the new regulation will have a significant impact on at least three major areas of the Blockchain:
- Data stored in a Blockchain network is considered to be tamper-proof, so its deletion will not be possible once such data is placed in the distributed chain;
- Blockchain networks are inherently distributed, so the control itself over such data can be decentralized and delegated to all the Blockchain participants (e.g. data miners, who in any case would not be considered Data Protection Officers as requested by GDPR);
- Smart Contracts will rely on their native automated decision-making mechanisms, thus raising non-trivial issues from the standpoint of possible disputes or litigation.
In general, two basic principles on which the value and power of Blockchain have been built seem, to date, to be most at risk of colliding with the GDPR:
- data entered in the Blockchain is public and accessible by anyone who participates in the chain;
- data in the Blockchain is stored without limitation.
It will therefore be necessary to understand, on the one hand, how the protection of personal data can be reconciled with a system carrying huge data flows; on the other hand, how to comply with the rules around data retention in a system that inherently envisions indefinite archiving timescales.
Either way, alongside these challenges, the Blockchain/GDPR dualism could also offer interesting opportunities, for example, from the point of view of the so-called “security by design”, which guarantees decoupling of data from individual identity and data minimization (i.e. sharing of only the strictly necessary data elements). This is because in Blockchain data protection is ensured by:
- the public key of the sender of the transaction;
- the public key of the recipient of the transaction;
- a cryptographic hash of the content of the transaction;
- the date and time of the transaction.
It is therefore impossible to reconstruct the contents of a transaction from its one-way cryptographic hash. And, unless one of the parties to the transaction decides to link a public key to a known identity, it is in general not possible to map and link transactions to individuals or organizations. This means that even though the Blockchain is “public by design” (where anyone can see all transactions on it) no personal information is made public.
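As an added illustration (not code from the original article), the sketch below builds ledger entries holding only the four fields listed above, shows that a party holding the content can verify it against the stored hash, and shows that editing a stored entry is detectable. The field names, the placeholder hex strings standing in for public keys, the use of SHA-256 and the simplified `prev_hash` chaining are assumptions made for the example.

```python
import hashlib
import json

def content_hash(content: bytes) -> str:
    """One-way SHA-256 digest of the transaction content."""
    return hashlib.sha256(content).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash every field except entry_hash, in a canonical key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_entry(sender_pk, recipient_pk, content, timestamp, prev_hash):
    """Four fields from the list above plus a link to the previous entry (assumed)."""
    entry = {
        "sender_pk": sender_pk,
        "recipient_pk": recipient_pk,
        "content_hash": content_hash(content),  # the content itself is never stored
        "timestamp": timestamp,
        "prev_hash": prev_hash,
    }
    entry["entry_hash"] = entry_digest(entry)
    return entry

def matches(entry: dict, content: bytes) -> bool:
    """Someone who holds the content can prove it matches the entry."""
    return entry["content_hash"] == content_hash(content)

def chain_is_valid(chain: list) -> bool:
    """Recompute every digest and link; any edited entry breaks the chain."""
    prev = "0" * 64
    for entry in chain:
        if entry["prev_hash"] != prev or entry["entry_hash"] != entry_digest(entry):
            return False
        prev = entry["entry_hash"]
    return True

def build_sample_chain():
    """Constructed sample data; the keys are placeholder hex strings."""
    payloads = [b"invoice 1001: 250 EUR", b"invoice 1002: 90 EUR"]
    chain, prev = [], "0" * 64
    for i, payload in enumerate(payloads):
        chain.append(make_entry("02aa" * 8, "03bb" * 8, payload,
                                f"2018-05-25T10:0{i}:00Z", prev))
        prev = chain[-1]["entry_hash"]
    return chain, payloads

if __name__ == "__main__":
    chain, payloads = build_sample_chain()
    print("valid:", chain_is_valid(chain), "match:", matches(chain[0], payloads[0]))
```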
Whatever the future brings, there are undoubtedly (too) many open points that still need to be addressed and solved – and it will be very interesting to see how! The one that particularly comes to mind is: how will the Blockchain be able to address the very thorny “right to erasure” matter, considering that, once again by design, the chains are basically non-modifiable?