One of the benefits in blockchain is that it allows to publicly share records which are stored in different computers. Basically it is like an electronic registrar enhancing transparency.

This however contradicts some basic concepts of data privacy protection especially in light of the GDPR whose goal is exactly the opposite – to restrict and monitor the distribution and transfer of personal data.

In less than a month, the GDPR will become enforceable throughout the EU (and the EEA).  Subjects (more commonly known as users) will soon have much more control regarding the data that they share. The most recent example of the shifting towards this goal has been demonstrated by the Cambridge Analytica matter. Facebook had transferred to Cambridge Analytica personal data of their users without permission and is now facing potential lawsuits and even criminal charges.

In short, from 28 May onwards, users will have more rights when it comes to their data. The most common these rights are the right of access, data protection by design and the right to be forgotten.

In contrast, blockchains’ objectives are to allow maximum transparency to ensure the reliability of transactions involving cryptocurrencies (or simply to maintain a public register not specifically designated for crypto transactions, ie, medical records). This is because blockchains are decentralized databases, namely, networks whereby users upload data to cloud computing systems.

There is a concept known as immutability of transactions. It means that transactions are not changeable once they are written on a blockchain so that data cannot been deleted. Every transaction that takes place will be published and linked to a public key that represents a specific user. The key is encrypted so that no one can identify the user. However, the re-use of the public key can refer to the user thus s/he becomes identifiable. This is done in order to facilitate a transaction so it can be verified that it is attributed to the right person/entity. Even if one transaction cancels a previous one, the information is still recorded and will be kept permanently.

This collides with the right of users that any personal data relating to them will be deleted/not published at all. In regards to blockchain the public key is basically the personal data hence it is protected under the GDPR.

Another example is in relation to what is known under GDPR as data protection by design. There is now a legal requirement upon the holders and processors of data to demonstrate that the deletion or amendment of data will be easily made (ie, simple IT will be used).

These two examples pose a substantial challenge to blockchain because in order to protect the accuracy of the related transactions as indicated above, sophisticated methods such as hashing[1]  and encryption are used.

The question is how the blockchain industry is going to adapt itself to the GDPR and what mechanisms will be used to settle the gaps?

Possible Solutions

1. Smart contracts – smart contracts are basically on-line accounts which allow parties to transact without the need to use human legal services. Due to their nature, they can contain mechanisms governing access right, ie, a contract will revoke all access rights thereby making all content invisible to others albeit not erased.
2. Permissioned blockchains – the use of restricted or permissioned blockchains so that access is restricted and the uploading or changing of information will be made by authorised personnel. They will ensure that privacy rules are complied with (ie who can view the information and to what extent).
3. Off chain ledgers – personal data will be stored separately on another system that is safeguarded in accordance with data protection rules. As an example, a personally identifiable information (PII) will be used rather than, say, a public key and only authorised parties will have access to the data.

To summarise, although there is essentially a collision between GDPR and blockchain, some safeguards can be placed in order to achieve an appropriate balance so that the importance of blockchain will be maintained on one hand and users rights for securing their personal data will be  protected on the other.

On a practical level you should also bear in mind that from 28 May 2018 onwards, data protections rules take precedent when it comes to offering services to clients whereby  personal data is used. This also applies to services involving blockcahins of any sort.

We can help you to assess your risks and advise you as to how you can stay in compliance whilst maximizing your commercial objectives.

[1] Generated code of a fixed length for a given piece of digital information that allows document’s authentication. It cannot be reversed engineered to discover the original document. Under GDPR it is considered encrypted information thus subject to data protections rules.