Since it came into effect in May last year, the General Data Protection Regulation has changed the game on privacy and data use. This summer saw the Information Commissioner’s Office, the UK’s data privacy watchdog, announce its intention to fine British Airways £183m and Marriott International £99m for improper management of people’s data. But while the GDPR may seem in a strong legislative position – especially when similar regulations are being drafted around the globe – its application, and even its appropriateness, for the emerging digital world is being challenged by blockchain.
In the EU’s report on blockchain and the GDPR, regulators concede that ‘multiple points of tension’ have been identified, and a considerable ‘lack of legal certainty’ surrounds the issue. One area of uncertainty is the definition of ‘personal data’. The GDPR deals with information about people’s online activity and personal details, but you might think that public keys and transactional records – the bread and butter of blockchain networks – are data of a different kind.
When personal data has been encrypted or hashed, the lines become blurred. Hashing is a type of data transformation in which personal identifiers are replaced with a unique, fixed-length code. But if a hash can still be traced back through a particular ‘hash function’ and individual details gleaned, does the data remain personal? Often yes, because it is merely ‘pseudonymisation’, not complete ‘anonymisation’.
And it is an important question because two of blockchain’s core functions seem to conflict with the GDPR in a more fundamental way. The first is the unchangeable nature of the record. Blockchain ledgers are intentionally designed to make later modification and deletion extremely difficult. While this allows for a reliable data record, it apparently conflicts with one of the GDPR’s key principles of ‘storage limitation’ and with the much-hyped ‘right to be forgotten’.
The principle of storage limitation means personal data must not be kept for any longer than necessary to fulfil the purposes for which the data was collected. The right to be forgotten means individuals can, in some circumstances, request that material previously published about them be deleted. With this in mind, the conflict with blockchain is rather obvious. When one of the technology’s greatest selling points is that it cannot be changed other than in the most extraordinary circumstances, how can this be reconciled with a regulation that demands personal data can be deleted?
This problem may be difficult to solve, but it is not impossible. A solution may not achieve total erasure, but it will work so long as it satisfies the demands of regulators. For instance, one solution could be to delete the elements that allow for verification, such as the hash function’s ‘secret key’. This is the code used to generate the hash and therefore conceal the original data. And while this type of solution does not necessarily remove data from the blockchain ledger altogether, it is one that some of the EU’s data protection regulators see as the ‘next best thing’ in constituting an effective removal.
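The difference between a plain hash and a keyed hash whose key has been deleted, as an added example that is not taken from the article or from any regulator's guidance. The member-ID format, the `KeyStore` class and the per-subject keys are assumptions made for illustration, and HMAC-SHA256 stands in for the keyed hash function the article refers to.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample data: a small, guessable identifier space.
CANDIDATES = [f"member-{n:04d}" for n in range(10_000)]


def plain_digest(identifier: str) -> str:
    """Unkeyed hash: anyone who knows the function can recompute it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_digest(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): recomputing it requires the secret key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def relink(on_ledger: str, digest_fn: Callable[[str], str]) -> Optional[str]:
    """Recompute the digest of every candidate and report which one matches."""
    for candidate in CANDIDATES:
        if hmac.compare_digest(digest_fn(candidate), on_ledger):
            return candidate
    return None


class KeyStore:
    """Hypothetical off-chain store holding one secret key per data subject."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def key_for(self, subject: str) -> bytes:
        return self._keys.setdefault(subject, secrets.token_bytes(32))

    def erase(self, subject: str) -> None:
        """Erasure request: destroy the key; the ledger entry is untouched."""
        self._keys.pop(subject, None)


def demo(subject: str = "member-4821") -> dict:
    store = KeyStore()
    key = store.key_for(subject)
    ledger_plain = plain_digest(subject)  # values written to the immutable ledger
    ledger_keyed = keyed_digest(subject, key)
    out = {"plain": relink(ledger_plain, plain_digest),
           "keyed_with_key": relink(ledger_keyed, lambda c: keyed_digest(c, key))}
    store.erase(subject)
    new_key = store.key_for(subject)  # a fresh key is unrelated to the erased one
    out["keyed_after_erasure"] = relink(ledger_keyed, lambda c: keyed_digest(c, new_key))
    return out
```

The plain digest links back to its member ID for anyone who knows the hash function, which is why it counts as pseudonymisation; the keyed digest stays on the ledger after erasure but can no longer be matched to any candidate.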
One of blockchain’s other benefits is the ‘distributed’ character of its ledger. No one individual or agent controls the definitive record, and each member of the network usually holds exactly the same copy of the entire ledger. While this embeds trust and reliability in information-sharing, it creates complications with the GDPR’s classification of data ‘controllers’.
Under the GDPR, a person – either ‘legal or natural’ – who determines the purposes and means of processing personal data is a ‘controller’ with responsibility for ensuring the data is managed in line with the GDPR’s data protection principles. Blockchains may distribute and democratise power over any transaction, but they distribute responsibility too. When there is a data breach and people’s lives are affected, who can be held accountable? Assigning a causal pattern to any change in data possession may be impossible.
The problem does not end there. In categorising the managers of any dataset, the GDPR makes a distinction between data ‘controllers’ and data ‘processors’, who transfer and modify the data under the instruction of the controller. In a conventional analysis, this makes sense. Processors have a number of obligations in relation to data management, but ultimate responsibility lies with the controller.
In a blockchain world, however, the distributed character of the ledger means that binary distinctions between ‘controllers’ and ‘processors’ are hard to make. The CNIL, the French data regulator, recently concluded that all blockchain actors are to be designated as ‘controllers’ where the blockchain captures professional or commercial transactions.
The concern is that this may result in otherwise innocuous actors being assigned responsibilities for data protection where they are not in a position to enable others to benefit from the rights afforded under the GDPR.
Clarifying the position
As the EU is keen to emphasise, two of blockchain’s central features are difficult to reconcile with the GDPR. But the GDPR is a principles-based regulation, designed to be technology-neutral and future-proofed. Much of the problem, therefore, is not with blockchain or the GDPR themselves, but a lack of legal clarity around how specific concepts under the GDPR ought to be applied in this context.
Without a clear framework with well-defined rules, blockchain development might struggle to advance. So the European Data Protection Board should coordinate with national regulators to draft fresh guidelines on blockchain. And – with one eye on Brexit – perhaps the ICO will turn its attention to blockchain shortly, now that its initial call for input on an auditing framework for another high-profile technology (artificial intelligence) has come to a close.
Paul Knight is a partner at Mills & Reeve