The European Union’s “right to be forgotten” privacy law clashes with blockchain, whose defining characteristic is that it “never forgets” the vast amount of information it collects.
The technology is becoming an integral part of a growing number of businesses, and companies across the European economic bloc want privacy regulators to clarify how blockchain and the EU’s landmark General Data Protection Regulation can co-exist.
“There is a serious tension between blockchain and GDPR,” said Jörg Hladzk, a partner at Jones Day in Brussels. “There is a common belief that blockchain technology uses anonymous data, but this is not the case.”
The stakes are rising. The global blockchain market is expected to explode this decade, from around $6 billion last year to $160 billion by 2029.
Blockchain distributed ledgers, which contain data that cannot be deleted or altered, are rapidly evolving beyond cryptocurrency transactions to facilitate efficient supply chain management, product traceability, proof of identity, and countless other business functions.
“This is a completely new area for regulators that raises a lot of questions,” Hladzk said.
European privacy regulators must grapple with who controls data on a blockchain and who is liable if something goes wrong, as well as “how to exercise rights [and] legal grounds for processing,” Hladjk said. “And what is often overlooked is whether and at what level of detail a data protection impact assessment is required.”
“Most of the time the data will be more pseudonymous data and therefore personal data, which triggers GDPR enforcement,” he said.
US, US directions
The European Data Protection Board, an independent EU body tasked with facilitating GDPR, is working on guidelines for blockchain, but “we cannot say when the guidelines will be ready for publication, nor can we comment on their possible content,” it said in an extract via e-mail.
This leaves companies to navigate fast-moving technologies as best as possible.
“I’ve been asked whether blockchain is legal or illegal so many times,” said Marien Storm, data protection associate at Morrison & Foerster LLP in Brussels. “It depends,” he said, on how the technology is used.
In the US, Congress is considering comprehensive digital privacy legislation for the first time in years this summer, spurred in part by the EU but also by several state laws mimicking GDPR, which took effect in 2018.
The federal American Privacy and Data Protection Act (HR 8152), which has bipartisan support and awaits a vote in the House, would for the first time give all Americans the right to access, correct and delete their data. Laws in California, Colorado, Connecticut, Virginia and Utah include a right to erasure similar to the European right to erasure.
Companies Please wait
Especially in the EU, legal uncertainty can be “a reason not to use blockchain” and cause companies to take a wait-and-see approach, Storm said.
Data security and privacy is the top concern for those just getting into blockchain, according to Deloitte’s 2021 Global Blockchain Survey.
Public blockchains that anyone can access, such as Ethereum and Bitcoin, “do not simply fit into the principle of minimality, nor can they always ensure the ability of a data subject to change or delete data,” said Lizzie Juergen, head of IT law at NJORD law firm in Tallinn, Estonia.
For public blockchains, which are by definition open for anyone to join, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who will want to know who is responsible if something goes wrong.
Despite the uncertainty, data protection authorities have been slow to intervene.
France’s National Commission for Information and Freedoms published guidelines in 2018, finding that the storage of personal data on a blockchain should be limited to “commitments,” or hashes, that link to off-chain data. The CNIL also said that permissioned blockchains, or non-public blockchains created by a limited number of known users, are preferable to public blockchains.
“Reflection at the European level is essential” to issue final guidelines on blockchain and the GDPR, the CNIL said.
But four years later, that still hasn’t happened.
“We follow the CNIL guidelines and I think everyone follows it,” said Nils Vandesande, a consultant at Timelex digital lawyers in Brussels. “There are many projects going on; everyone wants to do everything on the blockchain right now.”
Blockchain and cryptocurrency are developing so quickly that “it’s very difficult for regulators to understand,” he said.
The Hungarian data protection authority was one step ahead of the CNIL by issuing blockchain guidelines in 2017, but in relation to Hungary’s data protection law, which was replaced in May 2018 by the GDPR.
Since 2017, Hungary’s law has received “general consultation requests from specific controllers” related to blockchain, but “has not received any specific complaint from data subjects regarding blockchain-based data processing,” said Gabriela Dell, an international Rapporteur of the Hungarian Data Protection Authority.
The encrypted nature of blockchain data—usually a hash that is associated with a wallet address—also makes it difficult in practice to actually access personal data.
By using encryption technology, blockchain is a tool for managing data in a way that protects information and facilitates trust in record-keeping, rather than revealing it or compromising its integrity, said Sujith Raman, general counsel at blockchain analytics firm TRM Labs.
“Peer Through the Veil”
There are some areas that need further theorizing to relate to privacy regulations, such as blockchain’s rejection of centralized authorities that control data flows. Blockchain’s fixed nature can also present a challenge to modify or delete personal data.
“There are ways to combine the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international data protection negotiations.
But under Europe’s GDPR, even encrypted data that can only be linked to a digital wallet is considered personal data because of the potential to identify wallet holders.
Chain analytics companies are already profiling cryptocurrency wallets based on public blockchain data, said Yanis Kalfoglu, author of Blockchain for Business: A Practical Guide to the Next Frontier.
Data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it can’t be recovered,” he said. “You can always penetrate the veil.”
Contrary to the CNIL’s 2018 advice that permissioned blockchains are preferable, public blockchains are the future, said Mary Lasiti, director of the Blockchain Center of Excellence at the University of Arkansas.
“The problem with private networks is that they don’t scale,” while “governance issues are challenging” in larger private blockchains with many participants, she said.
Public blockchains could facilitate a decentralized identity where individuals hold credentials in digital wallets and use them as the basis for a range of transactions—everything from purchasing an irreplaceable token, to recording a property purchase, to accessing online government services, to providing proof of age to enter a bar.
For property records, for example, “it would be ideal to have something immutable,” said Morrison & Foerster’s Storm.
Decentralized identity could be attractive in Europe as a digital alternative to the identity cards that most EU countries issue. Governments will provide the credentials stored in digital wallets.
“The basic concept is that I will control all of my identity data,” said Jeremy Grant, managing director of technology business strategy at Venable LLP in Washington, D.C. “I decide who can see it and when.”
The challenge for decentralized identity, however, would be in implementation, since this kind of identity architecture relies on people’s ability to navigate their set of cryptographic keys, Grant said.
“Digital identification puts a lot of ownership on citizens,” who will need to “actively manage” their credentials to ensure they don’t fall into the wrong hands, Calfoglu said.