There is significant uncertainty as to how European data
protection rules apply to blockchain technology, according to a
new study by researchers from Queen Mary University of London and
the University of Cambridge.
The analysis, published in the Richmond Journal of Law
and Technology, found that this uncertainty, coupled with
potential heavy fines under the EU’s General Data Protection
Regulation (GDPR), risks deterring European companies from
innovating with blockchain.
The GDPR came into effect in May 2018 and protects individuals’
data privacy rights. As so-called ‘data controllers’, companies
are responsible for respecting citizens’ rights when it comes to
their personal information. For example, under the GDPR,
individuals have the right to request that their personal data be
corrected or deleted. By combining cryptography and distribution,
blockchain makes it difficult to alter or delete information
stored ‘on the chain’, which may include personal data. This has
led some commentators to suggest that the technology is not
compatible with GDPR.
The authors of this new study agree that GDPR could be
potentially difficult for companies in the EU that want to use
blockchain for processing personal data. Fines under GDPR can be
as high as £17m, or four per cent of global turnover – whichever
is higher.
However, despite such concerns, the authors found that it may be
possible to design blockchain applications that are substantially
compliant with GDPR requirements. In practice, blockchain
applications can range from so-called ‘open’, decentralised
applications like Bitcoin to ‘closed’, more centralised
applications. The authors argue that organisations and businesses
could set up private blockchains which make it possible to manage
the data stored on the chain in a manner that is compliant with
GDPR - without compromising the core objectives of a secure,
distributed ledger.
The researchers also found that technical solutions may enable
the deletion of personal data, while maintaining the integrity of
a blockchain. Promising examples include encrypting entries and
then deleting the relevant decryption keys - leaving only
indecipherable data on-chain - or using so-called ‘off-chain’
storage models.
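The two deletion models described above can be shown on a minimal hash-chained ledger. The following is an added illustration, not code from the study or from any project it mentions: personal data is either encrypted with a per-entry key that is kept off-chain (so deleting the key leaves only undecipherable ciphertext on-chain), or kept entirely off-chain with only a hash commitment on the ledger. The `Ledger` class, the HMAC-SHA256 keystream used as a stand-in cipher so the script runs with the Python standard library alone, and the sample records are all constructed for this example; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Crypto-shredding and off-chain storage on a minimal hash-chained ledger.

Added illustration only (not the study's or any project's code). The cipher
is a toy HMAC-SHA256 keystream in counter mode, chosen so the example runs
with the standard library; use AES-GCM from a vetted library in practice.
"""
import hashlib
import hmac
import json
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (toy CTR-style stream cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Ledger:
    """Append-only hash chain; each block commits to its predecessor's hash."""

    def __init__(self):
        self.blocks = []     # on-chain records: never modified after append
        self.keys = {}       # off-chain key store: block index -> key bytes
        self.off_chain = {}  # off-chain data store: sha256 hex -> raw bytes

    @staticmethod
    def _digest(fields: dict) -> str:
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def _append(self, payload: dict) -> int:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        fields = {"index": len(self.blocks), "prev": prev, **payload}
        self.blocks.append({**fields, "hash": self._digest(fields)})
        return fields["index"]

    def add_encrypted(self, personal_data: bytes) -> int:
        """Crypto-shredding model: ciphertext on-chain, decryption key off-chain."""
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        ct = keystream_xor(key, nonce, personal_data)
        idx = self._append({"mode": "encrypted", "nonce": nonce.hex(), "ct": ct.hex()})
        self.keys[idx] = key
        return idx

    def add_off_chain(self, personal_data: bytes) -> int:
        """Off-chain model: only a hash commitment is written to the chain."""
        ref = hashlib.sha256(personal_data).hexdigest()
        self.off_chain[ref] = personal_data
        return self._append({"mode": "off_chain", "ref": ref})

    def read(self, idx: int):
        """Return the plaintext if it is still recoverable, otherwise None."""
        b = self.blocks[idx]
        if b["mode"] == "encrypted":
            key = self.keys.get(idx)
            if key is None:
                return None
            return keystream_xor(key, bytes.fromhex(b["nonce"]), bytes.fromhex(b["ct"]))
        return self.off_chain.get(b["ref"])

    def erase(self, idx: int) -> None:
        """Honour an erasure request without altering any on-chain block."""
        b = self.blocks[idx]
        if b["mode"] == "encrypted":
            self.keys.pop(idx, None)            # shred the key; ciphertext remains
        else:
            self.off_chain.pop(b["ref"], None)  # drop the data; commitment remains

    def verify(self) -> bool:
        """Chain integrity: every hash recomputes and links to its predecessor."""
        prev = "0" * 64
        for b in self.blocks:
            fields = {k: v for k, v in b.items() if k != "hash"}
            if b["prev"] != prev or self._digest(fields) != b["hash"]:
                return False
            prev = b["hash"]
        return True


def demo() -> dict:
    """Constructed sample run: both models before and after erasure."""
    ledger = Ledger()
    i = ledger.add_encrypted(b"alice@example.test, DOB 1990-01-01")  # constructed record
    j = ledger.add_off_chain(b"bob@example.test, DOB 1985-06-30")    # constructed record
    before = (ledger.read(i), ledger.read(j), ledger.verify())
    ledger.erase(i)
    ledger.erase(j)
    after = (ledger.read(i), ledger.read(j), ledger.verify())
    return {"before": before, "after": after, "blocks": len(ledger.blocks)}


if __name__ == "__main__":
    print(demo())
```

In both models the erasure request is satisfied by deleting something that was never on the chain (the key, or the off-chain record), so `verify()` still passes afterwards and the block count is unchanged. What remains on-chain is ciphertext without a key or a bare hash; the usual caveat is that the hash of a low-entropy value (a short name, a date of birth) can still be brute-forced, so off-chain commitments should be salted or keyed.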
Professor Christopher Millard, who leads the Cloud Legal Project
at Queen Mary said: “Blockchain is by no means the first emerging
technology to be branded as incompatible with privacy and other
fundamental legal principles. Blockchain applications may well be
disruptive, but that does not mean that they cannot be designed
and deployed in a legally compliant manner.”
Co-author Dave Michels, Researcher on the Cloud Legal Project at
Queen Mary, added: “Solutions like hybrid blockchains that
combine public and private elements have real potential to
promote data privacy. The French data protection regulator was
the first to provide much-needed guidance in this area. It would
be great to see other regulators follow their lead.”