One of the era’s biggest buzzwords, blockchain has become massively popular despite ongoing concerns about regulatory, privacy and even environmental issues. A relatively new front in the battle between blockchain’s opponents and supporters is the question of GDPR compliance. While many believe that blockchain inherently cannot be GDPR compliant, luckily for the blockchain projects I advise, I do not agree with this claim.
It has been more than two months since the GDPR went into effect and many companies are still struggling to ensure they are fully compliant or, at least, to decide on a course of action which will minimize their exposure. But certain businesses—adtech springs to mind—have it tougher than others.
But for all the headache the GDPR spells for adtech companies, blockchain-related businesses have it much, much worse. It should be noted that the GDPR was first proposed by the European regulators long before blockchain was a trend. The regulators’ initial focus was therefore on SaaS companies and especially on social networks, which, unlike blockchains, are centralized platforms with a single operator who can edit or delete records.
Since blockchain technology (usually) relies on a distributed, decentralized and append-only ledger, its value rests on being immune to alteration and omission: a record that can be changed or removed after the fact cannot be trusted. And since information written to the blockchain, including personal information of data subjects, cannot be deleted, it has become a popular opinion that blockchain projects cannot be GDPR compliant.
Indeed, the GDPR provides data subjects with the right to request that their personal information be deleted from the databases in which it is stored (Article 17(1) of the GDPR). This right is called the “right to be forgotten” or the “right of erasure.” But what does “erasure” mean? The GDPR provides no clear answer.
One way to look at the requirement that information be deleted upon request is, of course, not to put it there in the first place. Store personal information off-chain and write to the blockchain only references to it, typically a hash or other commitment that lets a holder of the off-chain record prove it matches the chain. The off-chain data can then be deleted, leaving the on-chain reference useless. Two caveats apply. First, a plain hash of guessable data such as a name or an e-mail address is not a deletion at all: anyone with a list of candidate values can recompute the hashes and link the entry back to the person, so the reference should be keyed or salted with a secret that is destroyed together with the record. Second, this design reduces the blockchain’s effectiveness and transparency, and the off-chain store becomes a centralized target that increases exposure to attackers.
Another solution, adopted by certain blockchain companies, is to keep personal information on the blockchain while making it impossible to access if the data subject demands that it be deleted. This is achieved by writing only encrypted data, or only a keyed hash of the data, to the chain and destroying the corresponding key when an erasure request arrives (sometimes called “crypto-shredding”). The ciphertext or digest remains on the ledger, so nothing here constitutes a complete, 100% deletion, and it therefore does not guarantee 100% GDPR compliance.
So what can a blockchain company do if it wants to be GDPR compliant and operate without fearing the E.U. regulators and their massive fines? The answer, in my opinion, is a legal one, although the courts have yet to address the right to be forgotten and its enforcement. Simply put, I don’t think that the GDPR expects blockchain companies to delete any information at all.
Article 17(2) of the GDPR reads: “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”
One way to read Article 17(2) is to assume that the soft obligations imposed on a controller with respect to information which was made public (basically, only to try to have the information deleted) are in addition to the hard obligation to delete in subsection 17(1). However, when considering the nature of the blockchain, such an interpretation does not seem to follow the logic of protecting data subjects’ rights. Storing information on the blockchain is very similar to making the information public. But in the case of blockchain, there is no distinction between a “private” copy and “public” copies: every node holds the same ledger, so all copies are public.
Reading Article 17(2) in the context of blockchain raises the question of why a controller should be fined for not deleting “his own copy” but not held liable for failing to delete all “public” copies for reasons of technology and cost. If there is no “private” copy to delete, the only logical conclusion would be that Article 17(2) completely exempts blockchain companies from deleting information on technical and cost grounds. It can also be asked why a company should be sanctioned for not deleting information the data subject agreed to make public (or to store on the blockchain).
While the above discussion suggests a solution to the blockchain’s “deletion” problem, there are still other issues that need to be addressed for blockchain-based platforms to be 100% GDPR compliant. However, even if the law cannot keep up with new technology, new technology should be taken into account when interpreting the law. It seems blockchain technology is here to stay, at least for a while longer. It would be a shame if it were killed off in the name of a law enacted before it was known.