Exploring the Blockchain, GDPR & Personal Data: What to Know

April 9, 2022

The last few years have been game-changers for privacy rights. In January 2020, Google announced that it would phase out third-party cookies by the beginning of 2022. In April 2021, Apple’s iOS 14.5 also introduced data tracking changes, which require app developers to get user permission before they can track or access their devices. Both of these developments were responses to tightening privacy regulations and increased consumer interest in protecting their personal data.

As privacy becomes increasingly important, think tanks and institutions have started analyzing whether certain technologies comply with the privacy laws such as the EU’s General Data Protection Regulation (GDPR). Some institutions, such as the U.S.-based National Institute of Standards and Technology (NIST), believe that it’s impossible to determine whether blockchain meets GDPR requirements. However, other institutes, such as the European Union Blockchain Observatory and Forum, believe that blockchain technology is subject to the GDPR.

As of 2022, we still don’t really know if GDPR applies to blockchain technology. This is because blockchain has characteristics — namely, anonymity, immutability, and decentralized control — that make it difficult for companies to determine whether they are GDPR-compliant. However, companies should be on the safe side and try to be as GDPR-compliant as possible when using blockchain technology.

Read on to learn more about blockchain, the role of blockchain in GDPR, blockchain data security, and the potential role of GDPR and data privacy within the blockchain.

What Is Blockchain Technology?

A blockchain is a public ledger that is distributed among the nodes of a network. Blockchains store information in digital clusters called blocks that have certain storage capacities. Once a block is full, it is closed and linked to the previously filled block, creating a chain of data called the blockchain.

Blockchains are decentralized and immutable, which means that any data entered into the chain is irreversible. As a type of distributed ledger technology (DLT), they're often used in cryptocurrency systems to maintain decentralized and secure records of transactions. Unlike traditional databases, they protect the ledger by requiring consensus among the network's participants before any change to the ledger data is accepted. Blockchains are a good way of tracking changes and transactions since they generate exact time stamps every time a block is added to the chain.

Blockchains are also commonly used in smart contracts, decentralized finance (DeFi) applications, and non-fungible tokens (NFTs).

Blockchain and GDPR

The GDPR is one of the strictest privacy laws in the world. It applies to every organization that deals with EU citizens’ personal data and requires organizations to obtain clear, affirmative consent from users before they can access or use users’ personal information.

Every type of personal data that directly or indirectly identifies an individual falls under the scope of the GDPR, including:

  • Name
  • Date of birth
  • Phone numbers
  • IP address
  • Gender
  • Race or ethnic origin
  • Biometric data
  • Sexual orientation
  • Health data
  • Political beliefs

Since the GDPR governs all forms of EU citizens' personal data, data within blockchains theoretically falls under the scope of the GDPR.

Differences in Objectives and Structure Between GDPR and Blockchain

However, there are some differences in objectives and structure between GDPR and blockchain. This has made it challenging to determine how GDPR applies to blockchain.

Blockchain is much more decentralized than other data systems governed by the GDPR.

To begin with, blockchain’s decentralized nature makes it difficult to determine how GDPR applies to it.

For example, you need to know the identities of the data controller and the data processor to understand how GDPR applies to a given situation, since these two classes of organizations carry different levels of responsibility.

Data controllers are individuals, public authorities, agencies, or other bodies that determine the purposes and means of processing personal data. As key decision-makers, they determine the purposes for data collection and the method and means of data processing. Accordingly, they must actively show full compliance with all GDPR protection principles. By contrast, data processors are individuals, companies, agencies, or other bodies that process personal data on behalf of a data controller.

These definitions work well in non-blockchain scenarios. However, they don’t work very well when applied to public blockchain models, since nodes can’t be defined as data processors or data controllers.

Blockchain nodes transcend borders, while the GDPR outlines standards according to borders.

Blockchain’s highly decentralized nature also makes it challenging for companies to identify where nodes are located. In a public blockchain, nodes may be anywhere in the world. This means that EU citizens’ personal data may be sent outside the European Economic Area (EEA) without the company knowing when or where the transfer took place. As a consequence, companies may not be able to comply with the GDPR’s requirement for data transfer agreements between EU-based data exporters and non-EU-based data importers.

Blockchain is immutable, making it impossible to change information.

The GDPR gives data subjects the right to request to have data about them erased or changed. However, this may be impossible due to the immutable nature of information on blockchains.

The Potential Role of GDPR and Data Privacy Within the Blockchain

All in all, companies will find it challenging to comply with GDPR standards if they’re using blockchain to store and process EU citizens’ information. However, it is possible to mitigate these issues by adopting modified blockchain models.

For instance, you could adopt a private permission-based blockchain, which allows you to identify all users, categorize them as processors or controllers, and limit the transfer of data outside the EEA. The International Association of Privacy Professionals (IAPP) has also suggested creating your own modified blockchain solution. You can do this by asking yourself the following questions:

  • What milestones or goals will my blockchain model achieve?
  • What are the risks involved in processing and storing personal data in blocks?
  • What will the data flows look like?
  • Who will be able to input data into the blockchain?
  • How will nodes interact with each other?
  • Who will have access to the output data?
  • Do I really need to store personal data on the blockchain? Think about the principle of data minimization and think about what data will be used on the blockchain.
  • Does my blockchain solution have data protection, security, and information risks? How can I mitigate and address these risks?
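One way to act on the data-minimization question above, shown as an added example that is not from the article, the IAPP, or any named project: personal data stays in an off-chain store under a per-record key, and only a keyed commitment enters the hash-linked, time-stamped block, so an erasure request is handled by deleting the off-chain record and key while the chain itself stays immutable and verifiable. All function and field names are assumptions made for the example.

```python
import hashlib, hmac, json, secrets, time

# Hypothetical off-chain store: record_id -> (per-record key, personal data).
off_chain = {}

def canonical(data):
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def commitment(key, data):
    # HMAC rather than a bare hash: without the key, a guessed name or
    # e-mail cannot be confirmed against the value left on the chain.
    return hmac.new(key, canonical(data), hashlib.sha256).hexdigest()

def block_hash(block):
    return hashlib.sha256(canonical({k: v for k, v in block.items() if k != "hash"})).hexdigest()

def new_chain():
    genesis = {"index": 0, "prev_hash": "0" * 64, "timestamp": 0, "commitment": ""}
    genesis["hash"] = block_hash(genesis)
    return [genesis]

def add_block(chain, commit):
    block = {"index": len(chain), "prev_hash": chain[-1]["hash"],
             "timestamp": int(time.time()), "commitment": commit}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block["index"]

def verify_chain(chain):
    # Recompute every hash and link; any edited block breaks the chain.
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        if i and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True

def register(chain, record_id, personal_data):
    key = secrets.token_bytes(32)
    off_chain[record_id] = (key, personal_data)
    return add_block(chain, commitment(key, personal_data))

def erase(record_id):
    # Erasure request: drop data and key off-chain; the block is untouched.
    off_chain.pop(record_id, None)

def can_link(chain, record_id, index):
    # True only while the off-chain key and data still exist.
    entry = off_chain.get(record_id)
    return entry is not None and commitment(*entry) == chain[index]["commitment"]
```

After erase(), the block still verifies but can no longer be tied back to the person, which is the property the immutability section above says a plain on-chain record cannot offer.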

Wrapping Up

Blockchain is a flexible solution for storing and processing transactions and information. However, it presents a number of challenges for GDPR compliance since there are many differences in objectives and structure between GDPR and the blockchain. The GDPR was designed to govern top-down databases with easily-identifiable users, while blockchain is highly decentralized, immutable, and transcends borders. It’s possible to remain GDPR-compliant if you store and process personal information via blockchain, but you need to put in a lot more work. You may have to adopt a private permission-based blockchain or create your own modified blockchain for data privacy.

Learn more about blockchain, GDPR compliance, and privacy by subscribing to our blog.