
Issues Between EU Data Protection, Use of Blockchain

By Justin Hectus and Kristy Sambor
August 01, 2018
  • The GDPR may be a privacy regulation, but data protection is a core principle. Controllers, processors and sub-processors are held to high standards with respect to broad cybersecurity concepts and specific breach notification requirements. Blockchain's encryption and decentralized structure make the network and data highly tamper-resistant and, in theory, less vulnerable to unauthorized modification than a single-instance database.
  • The GDPR represents a shift to consumer ownership of their own data, requiring companies to provide visibility and control to individuals, on demand. Blockchain is being used as the base technology for dozens of applications focused on consumer control of data from identification to monetization.
  • The GDPR has made great strides by requiring not only transparency into what companies will do with consumer data, but also mandating clear consent mechanisms to ensure that consumers understand what companies are sharing, with whom and for what purpose. Blockchain and cryptocurrency came into existence in part because of a loss of trust in financial institutions. Blockchain continues to be leveraged in ways that bridge the gap in consumer trust in areas as varied as news and insurance.
  • As with most coming of age stories, the tale of these two Generation Z kids is not without conflict. In this case, the GDPR's right to erasure and blockchain's fundamental immutability may be akin to an unstoppable force meeting an immovable object.

'Privacy By Design'

  • Increased use of private or enterprise blockchains, which are blockchain systems used by one company or among companies in the same industry. Unlike public blockchains, which provide decentralized utility and access to as many users as possible, private and enterprise blockchains limit the dissemination of personal information to just one company or a limited number of companies. In reducing the scale of the chain, fewer individuals have access to sensitive information and the possibility of data breaches significantly diminishes.
  • Use of pseudonymization techniques in combination with data stored off-chain. In order for data to be considered pseudonymous under GDPR, the data must “no longer be attributed to a specific data subject without the use of additional information” (GDPR Art. 4(5)). Pseudonymous data, unlike anonymous data, therefore still allows for re-identification. While pseudonymization techniques make it more challenging for users to identify data subjects, they do not scrub all identifying personal information. Pseudonymization with pointers to personal data stored off-chain in a manner that allows the personal data to be destroyed — and thus removes the link to the data on the chain and renders it anonymized — may allow a user to remove all of their personal information from the chain, as required by the GDPR's right to erasure.
  • Development of mutable blockchains. For example, the R3 Corda team is currently exploring “sophisticated anonymization techniques” that would allow users to edit and/or delete their personal information shared on a private blockchain, giving them 100% control over their own data. This “self-sovereign solution” would “ensure provisions in GDPR that allow individuals to access and correct their personal data would be fulfilled and provides a compliant solution to restrict data processing.”
  • Reliance on exceptions to the right to erasure. The right to erasure is not absolute in all circumstances. For instance, the right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation that requires processing by EU or Member State law, and it does not apply to the extent that processing is necessary to establish, exercise or defend legal claims. (GDPR Art. 17(3)(b) and (e).) Other exceptions may also apply. Businesses might reject a request for erasure of personal data based on recognized exceptions in the GDPR, but there is little guidance in this area and whether these exceptions will successfully apply to blockchain solutions has yet to be tested.
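
The off-chain pointer approach in the pseudonymization bullet above can be sketched as follows; this is an added example, not code from the article or from any blockchain project. The class names, the per-record HMAC key and the sample addresses are assumptions of the sketch: the chain stores only a random pointer and a keyed commitment, because a plain unsalted hash of low-entropy personal data would remain guessable after the off-chain record is gone.

```python
import hashlib, hmac, secrets

GENESIS = "0" * 64
def commit(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class OffChainStore:
    """Mutable store (hypothetical): personal data plus a per-record secret key."""
    def __init__(self):
        self.records = {}  # pointer -> (key, personal_data)
    def put(self, data: bytes):
        pointer, key = secrets.token_hex(16), secrets.token_bytes(32)
        self.records[pointer] = (key, data)
        return pointer, commit(key, data)
    def erase(self, pointer: str) -> bool:
        return self.records.pop(pointer, None) is not None  # data and key both destroyed

class Ledger:
    """Append-only hash chain: blocks are (prev, pointer, commitment, hash) tuples."""
    def __init__(self):
        self.blocks = []
    def append(self, pointer: str, commitment: str):
        prev = self.blocks[-1][3] if self.blocks else GENESIS
        digest = hashlib.sha256(f"{prev}|{pointer}|{commitment}".encode()).hexdigest()
        self.blocks.append((prev, pointer, commitment, digest))
    def verify(self) -> bool:
        prev = GENESIS
        for p, pointer, commitment, digest in self.blocks:
            body = f"{p}|{pointer}|{commitment}".encode()
            if p != prev or hashlib.sha256(body).hexdigest() != digest:
                return False
            prev = digest
        return True

def resolve(ledger, store, index):
    """Return the personal data behind block `index`, or None once it is erased."""
    _, pointer, commitment, _ = ledger.blocks[index]
    key, data = store.records.get(pointer, (None, None))
    if key is None:
        return None
    return data if hmac.compare_digest(commit(key, data), commitment) else None

def demo():
    store, ledger = OffChainStore(), Ledger()
    for person in (b"alice@example.test", b"bob@example.test"):  # constructed sample data
        ledger.append(*store.put(person))
    before = resolve(ledger, store, 0)
    store.erase(ledger.blocks[0][1])  # erasure request for the subject of block 0
    return before, resolve(ledger, store, 0), resolve(ledger, store, 1), ledger.verify()
```

After the erasure the chain still verifies and the second record still resolves, while block 0 retains only a random pointer and a commitment whose key no longer exists.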
*****

This article has been prepared for informational purposes only and is not intended to be legal advice. Individuals and/or companies should not act upon this information without seeking professional counsel from an attorney.
