The European Union’s “right to be forgotten” privacy law is on a collision course with blockchain, whose defining feature is that it “never forgets” the vast amount of information it collects.
The technology is becoming integral to a growing number of businesses, and companies across the Europe-wide economic bloc want privacy regulators to clarify how blockchain and the EU’s landmark General Data Protection Regulation can coexist.
“There is serious tension between blockchain and GDPR,” said Jörg Hladjk, a partner with Jones Day in Brussels. “There is a general belief that blockchain technology uses anonymous data, but that is not really the case.”
The stakes are growing. The global blockchain market is forecast to explode this decade—from about $6 billion last year to $160 billion by 2029.
Blockchain’s distributed ledgers—which contain data that can’t be deleted or changed—are quickly evolving beyond cryptocurrency transactions to facilitating efficient supply chain management, product traceability, proof of identity, and countless other business functions.
“This is a completely new area for regulators that raises a ton of issues,” said Hladjk.
Europe’s privacy regulators must grapple with who controls blockchain data and who is liable if something goes wrong, as well as “how to exercise rights [and] legal bases for processing,” Hladjk said. “And often overlooked, whether a data protection impact assessment—and with what level of detail—is required.”
“Most of the time the data will rather be pseudonymous data and therefore personal data, which triggers the application of GDPR,” he said.
EU, US Guidance
The European Data Protection Board, an independent EU body charged with facilitating the GDPR, is working on blockchain guidance, but “we cannot say by when the guidelines will be ready for publication, nor can we comment on the possible content,” it said in an emailed statement.
That leaves companies to navigate the fast-moving technology as best they can.
“I’ve been asked if blockchain is legal or illegal so many times,” said Marijn Storm, a data protection associate with Morrison & Foerster LLP in Brussels. “It depends,” he said, on how the technology is used.
In the US, Congress is this summer considering comprehensive digital privacy legislation for the first time in years, spurred in part by the EU but also by a handful of state laws mimicking the GDPR, which took effect in 2018.
The federal American Data Privacy and Protection Act (H.R. 8152), which has bipartisan support and is awaiting a House vote, would for the first time give all Americans a right to access, correct, and delete their data. Laws in California, Colorado, Connecticut, Virginia, and Utah include a right to deletion, similar to the European right to erasure.
Especially in the EU, legal uncertainty can be “a reason not to use blockchain,” and is leading companies to adopt a wait-and-see approach, said Storm.
Data security and privacy is the top issue for those just venturing into blockchain, according to Deloitte’s 2021 Global Blockchain Survey.
Public blockchains that anyone can access, like Ethereum and Bitcoin, “do not fit simply into the principle of minimality, nor can they always ensure the data subject’s ability to change or delete data,” said Liisi Jürgen, head of IT law at NJORD law firm in Tallinn, Estonia.
For public blockchains, which are by definition open for anyone to join, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who will want to know who is liable if anything goes wrong.
Despite the uncertainties, data protection authorities have been slow to step in.
France’s Commission Nationale de l’Informatique et des Libertés published guidance in 2018, finding that storage of personal data on a blockchain should be restricted to “commitments” or hashes, which link to off-chain data. The CNIL also said permissioned blockchains, or nonpublic blockchains set up by a limited number of known users, were preferable to public blockchains.
“Reflection at the European level is essential” to issue definitive guidance on blockchain and the GDPR, CNIL said.
But four years on, this still hasn’t happened.
“We’re following the CNIL guidance and I think everyone is following that,” said Niels Vandezande, a consultant with Timelex digital technology lawyers in Brussels. “There are a lot of projects going on; everyone wants to do everything on the blockchain right now.”
Blockchain and crypto are so fast moving “it’s very hard for regulators to get a grasp,” he said.
Hungary’s data protection authority was one step ahead of CNIL, issuing blockchain guidance in 2017, though in relation to Hungary’s data protection law that was superseded in May 2018 by the GDPR.
Since 2017, Hungary’s data protection authority has received “general consultation requests from specific controllers” relating to blockchain, but “has not received any specific complaint of data subjects regarding blockchain-based data processing,” said Gabriella Dél, the authority’s international rapporteur.
The encrypted nature of data on a blockchain—typically a hash that links to a wallet address—also makes it hard in practical terms to actually access personal data.
Through its use of encryption technology, blockchain is a tool for governing data in a way that protects information and facilitates trust in record-keeping, rather than exposing it or compromising its integrity, said Sujit Raman, general counsel of blockchain analytics firm TRM Labs.
‘Penetrate the Veil’
There are some areas that need further theorizing to mesh with privacy regulations, like blockchain’s rejection of centralized authorities that control data flows. Blockchain’s fixed nature also could pose a challenge for modifying or deleting personal data.
“There are ways to reconcile the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international data protection negotiations.
But under Europe’s GDPR, even encrypted data that can only be linked to a digital wallet counts as personal data because of the potential to identify wallet holders.
Chain analysis companies already profile cryptocurrency wallets based on public blockchain data, said Yannis Kalfoglou, author of “Blockchain for Business: A Practical Guide for the Next Frontier.”
Data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it’s not recoverable,” he said. “You can always penetrate the veil.”
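As an added illustration, not from the article or from CNIL, the Python below sketches the CNIL pattern described earlier (personal data kept off-chain, only a commitment written on-chain) next to the “penetrate the veil” point: a bare hash of an identifier stays re-linkable by anyone who holds the plaintext, while a keyed commitment stops linking once the controller deletes the record and its key. All sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier and a made-up list of values an observer might
# already hold, such as a customer list (illustrative only).
PERSON = "alice@example.com"
CANDIDATES = ["bob@example.com", "alice@example.com", "carol@example.com"]


def bare_hash(value):
    """Unsalted SHA-256: what a naive 'just hash it' design writes on-chain."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_from_bare_hash(on_chain, candidates):
    """Re-link a bare hash to a person using plaintexts already known.
    This is why a hash of personal data is pseudonymous, not anonymous."""
    for candidate in candidates:
        if bare_hash(candidate) == on_chain:
            return candidate
    return None


class OffChainStore:
    """Controller-held store: data and a per-record key stay off-chain,
    only an HMAC commitment goes to the immutable ledger."""

    def __init__(self):
        self._records = {}  # commitment -> (key, personal data)

    def commit(self, value):
        key = secrets.token_bytes(32)  # fresh random key per record
        commitment = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        self._records[commitment] = (key, value)
        return commitment  # the only thing written on-chain

    def verify(self, commitment, claimed):
        """Controller can still prove a value matches its on-chain commitment."""
        if commitment not in self._records:
            return False  # no key: the commitment links to nobody
        key, _ = self._records[commitment]
        mac = hmac.new(key, claimed.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, commitment)

    def erase(self, commitment):
        """Erasure request: drop data and key. The on-chain value remains,
        but without the key no candidate list can be matched against it."""
        self._records.pop(commitment, None)
```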
In contrast to the 2018 CNIL advice that permissioned blockchains are preferable, the future is public blockchains, said Mary Lacity, director of the Blockchain Center of Excellence at the University of Arkansas.
“The problem with private networks is they don’t scale,” while “governance issues are challenging” in larger private blockchains with many participants, she said.
Public blockchains could facilitate decentralized identity, in which individuals hold identity credentials in digital wallets and use them as a basis for a range of transactions—anything from buying a nonfungible token, to recording a property purchase, to accessing online government services, to providing proof of age to get into a bar.
For property registers, for example, “it would be perfect to have something immutable,” said Storm of Morrison & Foerster.
Decentralized identity could be attractive in Europe, as a digital alternative to identity cards that most EU states issue. Governments would grant the credentials held in digital wallets.
“The basic concept is that I would control all of my identity data,” said Jeremy Grant, managing director of technology business strategy at Venable LLP in Washington, D.C. “I decide who can see it and when.”
The challenge, though, for decentralized identity would lie in implementation, since this kind of identity architecture is premised on people’s ability to navigate their set of cryptographic keys, Grant said.
“Digital ID puts a lot of ownership on the citizen,” who would have to “manage actively” their credentials to ensure they don’t fall into the wrong hands, Kalfoglou said.