
Blockchain technology has come to prominence since the creation of Bitcoin back in 2009. In sum, Blockchain is a decentralized, distributed ledger system that stores and records information in blocks. Each block is cryptographically linked to the others to form a chain known as the Blockchain. This makes the blockchain highly immutable.

There are two types of Blockchain systems: a public blockchain and a private blockchain. A private blockchain only allows authorized entities to participate and control the network[1], whereas a public blockchain is completely open to the public for participation. A private blockchain is also more centralized, as it requires an entity that decides who participates in the network and the extent of that participation. Usually, corporations prefer to use a private blockchain for their business.

GDPR and Blockchain

The GDPR states that there must be an identifiable data controller responsible for enforcing legal obligations in compliance with the GDPR[2]. In a decentralised public blockchain where no participant has more control than any other, there is doubt whether a data controller can be identified or how joint controllership would be established.

The European Parliamentary Research[3] suggests that caselaw could offer assistance. The broad interpretation of ‘joint-control’ in the case of ‘Wirtschaftsakademie Schleswig-Holstein’[4] states that anyone who chooses a particular technical infrastructure (like Blockchain) can be a joint-controller even though they may only have limited control over the purposes and no meaningful control over the means of processing.

However, the inability of any participant in a public blockchain to actually exercise control means there is a possibility this broad approach would not be adopted for the purposes of a public blockchain. If joint controllership is allowed, all public blockchain participants are effectively given legal obligations they cannot enforce.

A way around this could be the utilisation of a purely private blockchain. Purely private blockchains (not a private blockchain that interfaces with a public blockchain) require an entity to decide who can participate and the extent of that participation[5]. This entity could be the identifiable data controller.

Immutability of Blockchain systems

The GDPR states that individuals have the right to have their personal data erased on request[6]. This obviously sits uneasily with the idea of the highly immutable nature of blockchain systems.

To erase/modify information on a blockchain, blockchain participants would have to agree to reverse transactions/change information. In the event where there is a minority of participants who don’t agree, forking occurs. Forking is essentially the splitting of a blockchain into two separate paths.

The idea of complete immutability of a public blockchain system is not strictly true, but the low possibility and high financial cost of changing information on a public blockchain make changing it almost impossible[7]. This sits uneasily with the right to be forgotten prescribed in the GDPR.

However, changing information on a purely private blockchain is cheaper and more feasible[8]. It would simply require members of a private blockchain (and participants might know/have the possibility of knowing each other) to agree to change information/delete previous blocks. Purely private blockchains would have an easier pathway to comply with GDPR’s ‘right to be forgotten’.

Data Flow from EU to Non-EU Countries

The GDPR only allows data flow from EU to non-EU countries if the non-EU country’s data protection has been deemed adequate through adequacy decisions, or Standard Contractual Clauses or Binding Corporate Rules (though there is some uncertainty on the degree of compliance that Standard Contractual Clauses offer if they are used in isolation from any further due diligence).[9]

In a purely decentralized public blockchain system, it would be highly probable that information would be flowing to non-EU countries. Yet, it would be impossible to trace each country specifically due to the anonymity provided by a blockchain. Unless EU authorities prescribe standard rules and processes that all blockchains would need to adhere to (like the standards offered by Standard Contractual Clauses and Binding Corporate Rules), GDPR compliance seems quite unlikely to be enforceable.

Where purely private blockchains are used within corporations, it seems easier to comply with the GDPR as they might know where their clients are situated and can ensure GDPR compliance accordingly.


As corporations start to be swayed by the hype surrounding blockchain systems, it is important to understand there are several challenges with ensuring GDPR compliance. The utilisation of purely private blockchain systems circumvents, to a great degree, the issues. However, it is also more centralized and begs the question: Is blockchain really revolutionary if a substantial degree of centralisation is required to comply with the GDPR?

EU Authorities are yet to specifically crack down on GDPR compliance within Blockchain systems, but it is important for corporations to keep these principles in mind as they go about structuring their blockchain systems for their business. With fines for non-compliance amounting to 20 million euros/4% of entire global turnover, compliance should be in the interest of every corporation.[10]

For more information, please visit our microsite on Data Protection & Cyber Law or contact Ms. Munevver Kasif.

[1] Toshendra Kumar Sharma, ‘Public vs Private Blockchain: A comprehensive comparison’ (Blockchain Council) Accessed 6 July 2021

[2] Art.24 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679

[3] Dr Michèle Finck, ‘Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European Data Protection Law?’ (European Parliamentary Research, July 2019) Accessed 6 July 2021

[4] Case C-210/16 - Wirtschaftsakademie Schleswig-Holstein [2018]

[5] Toshendra Kumar Sharma, ‘Public vs Private Blockchain: A comprehensive comparison’ (Blockchain Council) Accessed 6 July 2021

[6] Art.17 GDPR

[7] Gideon Greenspan, ‘The Blockchain Immutability Myth’ (CoinDesk) Accessed 6 July 2021

[8] Toshendra Kumar Sharma, ‘Public vs Private Blockchain: A comprehensive comparison’ (Blockchain Council) Accessed 6 July 2021

[9] Art. 45, 46 GDPR

[10] Art. 83 GDPR
