Is GDPR the weak link in EU plans to strengthen blockchain?


25 Oct 2018

Image: © Andrey Popov/Stock.adobe.com

Where blockchain development meets GDPR privacy requirements could be a case of an irresistible force meeting an immovable object, writes William Fry’s technology team.

This month, the European Parliament passed the resolution, ‘Distributed ledger technologies and blockchains: Building trust with disintermediation’. This resolution was introduced by Eva Kaili, a Greek MEP. Kaili has said she wants to make the EU the “leading player in the field of blockchain” but has warned that “regulators need to make sure that all this effort will be embraced by the necessary institutional and legal certainty”.

Blockchain technology has been the subject of increasing scrutiny by a diverse field of industries. Many are exploring the potential application of rebuilding data processes so that digital information is distributed rather than copied. With companies such as AIG, Maersk, Microsoft, De Beers, Google and IBM all using blockchain on a diverse range of projects (covering everything from cloud infrastructure to smart insurance policies, to food safety monitoring and import controls), a wider understanding appears to be emerging that the technology genuinely has a multitude of useful applications beyond the cryptocurrencies that ushered it into existence.

According to Kaili, who is also the chair of the European Parliament’s Science and Technology Options Assessment Panel, “Blockchain and distributed ledger technologies in general have a strong disruptive element that will affect many sectors.” But, she added, any regulations applied need to be “open-minded, progressive and innovation-friendly”.

The GDPR hurdle for blockchain

The parliament’s October resolution included the following key recommendations:

  • That a legal analysis is done as to the legal enforceability of blockchain smart contracts among EU member states
  • That technical standards for distributed ledger technologies are developed
  • That universities and training institutions adopt blockchain-based curricula
  • For any consideration of regulation on blockchain to cover the removal of barriers and approach the application of rules using both a technology and business-neutral model
  • For the European Commission and European Central Bank to identify risk when it comes to incorporating cryptocurrencies into the European payment systems
  • That analysis is conducted to ensure no competition issues arise by decentralising infrastructure to the extent that monopolies are created
  • That an examination of the decentralisation of EU citizens’ data is conducted to prevent misuse

During the debate in parliament, a concern emerged on the final point, namely that although blockchain technology may facilitate the decentralisation of EU citizens’ personal data, how could such public ledgers ever be compliant with the General Data Protection Regulation (GDPR)?

For instance, the right to be forgotten under Article 17 of GDPR provides for the erasure of personal data of any EU citizen upon request. However, a fundamental principle of blockchain technology is that information held on the chain can only be added rather than taken away. Whenever personal information cannot be deleted, there would appear to be a direct conflict with GDPR requirements.

Possible workarounds

Some technologists have pointed to methods that can be deployed when storing information via blockchain without contravening data protection principles.

For instance, some propose that if the information stored on a blockchain is sufficiently limited – say, to 180 bytes – it could still function and potentially not constitute processing of personal data under the GDPR.

Additionally, information stored on the blockchain can often be encrypted so that personal information is sufficiently hidden and anonymised without affecting transaction verification. This approach forms the basis of emerging ‘privacy coin’ technologies such as Dash and Zcash.

A paradoxical conundrum

The October resolution acknowledges it is of the “utmost importance” that blockchain technologies are compliant with the GDPR, and calls upon on the European Data Protection Supervisor to provide further guidance. However, it appears that privacy concerns under GDPR may prove to be an irresistible force meeting an immovable object when it comes to the deployment of the technology in certain instances.

While there is considerable potential to be explored, companies, organisations and regulators need to understand that the standards of GDPR are not easily applicable to blockchain. They will need to consider the potential impact on privacy and not just possible benefits to improving processes.

With the October resolution, the European Parliament appears eager to promote Europe as a leader in the development of the global blockchain market. It is also clear that there will need to be work done with member states to protect the rights of citizens, particularly when it comes to data protection.

Although the October resolution establishes only non-binding recommendations at this stage, there is a clear appetite from both the regulatory and commercial sectors to focus on the potential of this technology. Undoubtedly, it could be profoundly disruptive to established intermediary processes. However, it remains to be seen whether the technology likewise (and inevitably) might be disruptive to concepts of individual privacy in the era of GDPR.

By David Cullen, John O’Connor and Leo Moore, with Alex Towers contributing

John O’Connor and Leo Moore are partners in William Fry’s technology group, which is led by partner David Cullen. Solicitor Alex Towers also works with the technology team, which advises Irish start-ups and established international brands on technology matters such as data protection, intellectual property, licensing, outsourcing and e-commerce.

A version of this article originally appeared on the William Fry blog.