Decentralization and Data Privacy: How Blockchain Challenges GDPR Principles
Whether blockchain-based projects can comply with the GDPR is a question of much debate and controversy at present. Many projects make bold claims that they are “GDPR compliant” or that the GDPR does not apply in the first place because they “don’t put personal data on the ledger.” At the same time, these projects often use the pseudonymous identifiers of individuals to write transactions to the ledger. Such pseudonymous identifiers are personal data,¹ so those claims are questionable.
Other projects claim to be compliant on the basis that they have solved the question of erasure, i.e. how to give effect to the data subject’s “right to be forgotten” in the context of an immutable, append-only ledger. This narrow focus on erasure loses sight of other core GDPR challenges in respect of distributed ledgers, including how to identify the relevant data controller(s) and processor(s) in a network, how to (reversibly) restrict processing, how to explain and honor objections to automated processing, and how to achieve compliant cross-border data transfers, among others.
Moreover, participants tend to dive head first into debating technical and nuanced details about the implementation of specific features or functionality in a given network, often losing sight of the bigger picture. In this way, solving one discrete issue often makes another tension harder to resolve, in a never-ending game of compliance whack-a-mole. By abstracting to a higher-level discussion based on the core GDPR principles, we can see how blockchain is, at least as presently conceived, fundamentally at odds with the Regulation.
Lawfulness, Fairness, and Transparency
One of the core principles of the GDPR is Lawfulness, Fairness, and Transparency. Lawfulness refers to having a lawful basis to process personal data, which raises the question of the lawful basis for writing data to the ledger in the first place. Most existing blockchain-based projects rely on "consent," but they often do not address the mechanism for obtaining adequate informed consent or its revocable nature. This leaves the claims of GDPR compliance in question.
In some cases, it could be argued that there is a "legitimate interest" in processing the data, but such an interest must be assessed on a case-by-case basis, weighing the interests of the controller against the rights and interests of the individual. This assessment is at odds with the automated nature of processing in blockchain networks.
It may also be argued that the data is processed in furtherance of a contract. However, the "contract" and its actual legal status must be clearly defined, and the implications of the contract being invalidated should be considered. If a blockchain-based project cannot answer the question of its lawful basis for putting data on the ledger, it should halt the process. This highlights the need for blockchain projects to address the lawful basis for processing personal data and ensure they are transparent in their approach.
Another core principle of the GDPR is Purpose Limitation. Personal data must be collected for specific, explicit, and legitimate purposes and should not be processed further in a way that is incompatible with those purposes. However, in blockchain networks, it is challenging to argue that data is not "further processed" beyond writing a transaction to the ledger. Since data is automatically replicated across all nodes in a network, individuals transacting may not be interested in having their transaction data broadcast to an indeterminate number of nodes across an unspecified geographic scope and stored indefinitely, which creates a potential disconnect between their intent and the excessive means used to achieve that purpose.
Even in permissioned networks, there may be some limitations on the scope of data replication. However, this does not solve the problem of the disconnect between the individual's intent and the excessive means used to achieve it. This further demonstrates the existence of a controller, separate from the individual transacting, who determines at least the "means" for processing.
Therefore, blockchain-based projects must ensure that they collect personal data only for explicit and legitimate purposes and that such data is not processed further in a manner incompatible with those purposes. They must also consider the role of the controller and how the data is used to achieve the intended purpose without overstepping the individual's intent. This highlights the importance of accountability in ensuring compliance with GDPR principles.
The GDPR's Data Minimization principle requires that personal data be collected only for the specific purpose for which it is necessary and that there is a rational link between the data collected and that purpose. In line with the Storage Limitation principle, the data should only be held for as long as necessary to fulfill the purpose. Unfortunately, many blockchain projects fail to meet this principle from the start.
Zero-knowledge proofs or other technical measures, implemented in services that rely on an underlying ledger, may achieve some minimization of the data collected, but the entire data processing lifecycle must adhere to the principle. The automatic replication of data across all nodes in a ledger violates the data minimization principle, as it results in excessive processing of personal data.
Furthermore, this violation also affects the Storage Limitation principle. Since data is automatically replicated across all nodes, there is no way to limit the storage of personal data. This creates a significant challenge for blockchain projects to comply with these two principles.
Therefore, blockchain-based projects must carefully consider the data they collect and ensure that it has a rational link to the specific purpose for which it is necessary. They must also ensure that data is only held for as long as necessary to fulfill that purpose and that the data processing lifecycle adheres to the Data Minimization principle. This will require technical measures that can effectively minimize the collection, processing, and storage of personal data.
Blockchain's Immutable Nature vs. GDPR's Right to Be Forgotten
The GDPR requires that reasonable steps are taken to ensure that personal data processed is accurate, up-to-date, and not incorrect or misleading. Any inaccuracies must be corrected, erased, or rectified without delay. While blockchain holds promise in providing better data integrity or "verified data," most projects tend to stop at that point.
However, linking information that exists off-ledger in the real world to data recorded on the ledger remains the most significant challenge to accuracy. For instance, in the case of "tokenized" real estate, the accuracy of ledger data depends on the real-world status of a given piece of real property. Similarly, in identity management, proving ownership and possession of a mobile device managing an individual's digital identity cannot be achieved merely by relying on the integrity of data on a ledger.
In addition, the GDPR's requirement for correcting, erasing, or rectifying inaccuracies presents significant challenges in an immutable, append-only ledger. GDPR compliance requires blockchain-based projects to consider technical measures that enable them to link off-ledger information to on-ledger data and ensure that inaccuracies are rectified without delay.
Therefore, blockchain-based projects must ensure that reasonable steps are taken to guarantee the accuracy and integrity of personal data processed. They must also consider ways to link off-ledger information to on-ledger data, rectify inaccuracies without delay, and meet the GDPR's correction and erasure requirements. Achieving compliance with these principles will require technical measures that can effectively reconcile real-world data with on-ledger data.
The GDPR's Storage Limitation principle requires that personal data not be kept in a form that allows identification of data subjects for longer than necessary for the purposes of processing. This means that blockchain-based projects must have a clear retention period and a logical justification for that period. They should periodically review the data they hold and delete or anonymize data that is past a valid and justifiable retention period.
However, as a permanent and immutable digital record, a blockchain is inherently at odds with the Storage Limitation principle, which makes compliance difficult. Although techniques like pruning can help with data minimization, blockchain projects must find ways to reconcile the immutability of blockchain with the Storage Limitation principle.
Blockchain-based projects must ensure that they do not keep personal data for longer than necessary and that they periodically review and delete or anonymize data that is no longer necessary for the purposes of processing. They must also consider technical measures that can reconcile the immutability of blockchain with the Storage Limitation principle. Achieving compliance with this principle will require blockchain projects to adopt a flexible approach that is adaptive to changing data retention requirements.
Integrity and Confidentiality
The GDPR's Integrity and Confidentiality principle requires that personal data be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures. While many ledger-based projects are working hard on data security measures, they often fail to understand the broader nature of the integrity and confidentiality principle, which goes beyond conventional data security.
Integrity means that the data recorded on the ledger is an accurate representation of what it is meant to represent. For instance, in the case of digital assets, the ledger should contain an accurate proxy for its real-world equivalent. As highlighted earlier, achieving accuracy in blockchain-based projects presents significant challenges.
Furthermore, confidentiality is hard to achieve on a publicly accessible and transparent ledger. The inherent transparency of a blockchain network raises concerns about how to ensure the confidentiality of personal data while also ensuring the integrity of the data.
Therefore, blockchain-based projects must ensure that appropriate security measures are in place to protect personal data from unauthorized or unlawful processing, accidental loss, destruction, or damage. They must also consider the broader nature of the Integrity and Confidentiality principle and find ways to reconcile the inherent transparency of a blockchain network with the need for confidentiality. Achieving compliance with this principle will require technical measures that can effectively ensure the integrity and confidentiality of personal data.
The GDPR's Accountability principle is often overlooked in the context of blockchain or distributed ledger technology. This principle requires that parties handling personal data take responsibility for their role in controlling the systems processing personal data and decisions regarding that processing. They must also have appropriate measures and records in place to demonstrate compliance with the GDPR's core principles.
Unfortunately, many blockchain or ledger-based projects argue that they are too "decentralized" to identify data controller(s) or take responsibility for giving effect to data subject rights. This argument can inadvertently prevent them from complying with the GDPR's Accountability principle.
Compliance with the Accountability principle requires blockchain-based projects to identify the data controller(s) and processor(s) responsible for processing personal data on the ledger. They must also take responsibility for ensuring that they comply with the GDPR's core principles and have appropriate measures and records in place to demonstrate their compliance.
Therefore, blockchain-based projects must recognize their responsibility for complying with the GDPR's core principles and the need to identify the data controller(s) and processor(s) responsible for processing personal data on the ledger. Achieving compliance with the Accountability principle will require blockchain-based projects to adopt a proactive approach that demonstrates their commitment to data protection and privacy.
GDPR compliance is a significant challenge for blockchain-based projects. The immutable, transparent, and decentralized nature of blockchain networks presents unique challenges to achieving compliance with the GDPR's core principles, including lawfulness, fairness, and transparency; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Blockchain-based projects must adopt a proactive approach to addressing these challenges by implementing appropriate technical and organizational measures to ensure compliance with the GDPR. They must also consider the broader implications of the GDPR's principles beyond data security and find ways to reconcile the immutability, transparency, and decentralization of blockchain networks with the GDPR's core principles.