One of the biggest headaches in using blockchain for data security is its clash with the GDPR right to have your data "forgotten" (the right to erasure). One of the founding pillars of blockchain is immutability, which begs the question: will blockchain and GDPR ever be able to peacefully co-exist? Below we set out the contextual reasons why this is a continuing struggle.
One of the core pillars of blockchain is its immutability. However, this may be incompatible with a user's right to erasure under the EU General Data Protection Regulation (GDPR), which the Data Protection Act 2018 supplements in UK law. Once a user's data has been written onto a blockchain, every node keeps a copy of it indefinitely. Removing it is not a matter of deleting a row: each block commits to the hash of the block before it, so altering or deleting an earlier record invalidates every later block unless a majority of nodes cooperate to rewrite the chain from that point. Even where they do, depending on how the data was stored, copies may survive on nodes that do not adopt the rewrite, and the data could be locked in forever. The attempt at removal is therefore itself visible on the chain, generating unwanted attention for users wishing to be forgotten, and the data may never be completely removed without a trace.
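As an added illustration (not part of the original post), the following Python sketch builds a minimal hash chain of the kind blockchains use and shows why an erasure request cannot be honoured by editing one record. The block layout, the record strings and the function names are constructed for this example and are not taken from any real blockchain.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # placeholder predecessor hash for the first block


def block_hash(block: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the block's fields (minus its own hash)."""
    fields = {k: v for k, v in block.items() if k != "hash"}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records: list[str]) -> list[dict]:
    """Append each record in a block that commits to the previous block's hash."""
    chain = []
    prev = GENESIS_PREV
    for index, data in enumerate(records):
        block = {"index": index, "prev_hash": prev, "data": data}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_broken_block(chain: list[dict]):
    """Return the index of the first block whose hash or link no longer verifies, or None."""
    prev = GENESIS_PREV
    for index, block in enumerate(chain):
        if (block["index"] != index
                or block["prev_hash"] != prev
                or block["hash"] != block_hash(block)):
            return index
        prev = block["hash"]
    return None


def overwrite_in_place(chain: list[dict], index: int, replacement: str = "[erased]") -> list[dict]:
    """Naive 'erasure': edit one record on a single node without touching later blocks."""
    edited = [dict(b) for b in chain]
    edited[index]["data"] = replacement
    return edited


def rewrite_from(chain: list[dict], index: int, replacement: str = "[erased]") -> list[dict]:
    """Coordinated 'erasure': rebuild the chain with the record replaced (i.e. a fork)."""
    records = [b["data"] for b in chain]
    records[index] = replacement
    return build_chain(records)


if __name__ == "__main__":
    # Constructed sample records; the "ID-n" strings stand in for personal data.
    chain = build_chain(["alice:ID-1", "bob:ID-2", "carol:ID-3"])
    assert first_broken_block(chain) is None

    # Editing one record in place breaks verification at that block.
    assert first_broken_block(overwrite_in_place(chain, 1)) == 1

    # Rewriting the chain verifies, but every hash from the edited block onward
    # changes, so every other node's copy now disagrees and the fork is visible.
    forked = rewrite_from(chain, 1)
    assert first_broken_block(forked) is None
    assert forked[0]["hash"] == chain[0]["hash"]
    assert forked[2]["hash"] != chain[2]["hash"]
    print("original tip:", chain[-1]["hash"][:16], "forked tip:", forked[-1]["hash"][:16])
```

The two failure modes map onto the paragraph above: a single node that quietly edits its copy is simply rejected by everyone else, while a coordinated rewrite succeeds only if the other nodes replace their copies, and the changed tip hash advertises that a rewrite happened. Neither path deletes the copies held by nodes that keep the old chain.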
On a blockchain, participants execute transactions by signing them with their private key (which is never disclosed) and broadcasting the signed transaction to all other network participants. The other participants see only the public key (or an address derived from it) representing the participant making the transaction. The public key itself is readable by anyone, but it cannot be used to recover the private key and does not, on its own, reveal who controls it. However, if users make multiple transactions with the same key, they may become identifiable from the size or pattern of those transactions, or from a single link between that key and a real-world identity. Their public key could then fall within the GDPR definition of 'personal data' and be subject to the GDPR.
Transactions on a blockchain may include personal data such as an identification number. Rather than being stored in the clear, such data is often recorded as a hash. A hash function takes input data, which may include personal data, and turns it into an output of fixed length. A cryptographic hash function works only one way: the input cannot be recovered from the output by inverting the function. That does not make the data anonymous, however. Anyone who holds the original identifier can recompute the hash and match it, and where the input comes from a small space (an identification number has a limited number of possible values) the hash can be reversed simply by hashing every candidate. The Article 29 Working Party (an EU advisory body) accordingly treats hashed personal data as pseudonymised rather than anonymised, so this type of data remains subject to the GDPR.
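As an added example (not from the original post), the following Python code shows why a hashed identification number is pseudonymised rather than anonymised, and what a keyed hash changes. The identifier format (a six-digit number), the sample value and the secret key are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

ID_DIGITS = 6  # constructed format: a six-digit identification number, so only 10**6 values


def plain_hash(id_number: str) -> str:
    """Unkeyed SHA-256, the kind of 'hash' the post describes."""
    return hashlib.sha256(id_number.encode()).hexdigest()


def keyed_hash(id_number: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the data controller."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(digest: str, oracle: Callable[[str], str],
                           digits: int = ID_DIGITS) -> Optional[str]:
    """Recover the identifier behind `digest` by hashing every candidate with `oracle`.

    The hash function is one-way, but a small input space makes inversion
    unnecessary: trying all 10**digits inputs is cheap.
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hmac.compare_digest(oracle(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    id_number = "004217"  # constructed sample; stands in for a real identification number
    key = secrets.token_bytes(32)  # constructed secret, kept off-chain by the controller

    unkeyed = plain_hash(id_number)
    keyed = keyed_hash(id_number, key)
    return {
        # Anyone can recover the ID from an unkeyed hash of a low-entropy input.
        "unkeyed_recovered": reverse_by_enumeration(unkeyed, plain_hash),
        # Without the key, the same enumeration against the keyed hash finds nothing.
        "keyed_recovered_without_key": reverse_by_enumeration(keyed, plain_hash),
        # The key holder can still re-identify, which is what makes it pseudonymous.
        "keyed_recovered_with_key": reverse_by_enumeration(keyed, lambda s: keyed_hash(s, key)),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow. A per-record salt stored next to the hash does not help here, because anyone who can read the salt can run the same enumeration. A secret key does stop outsiders, but the controller who holds it can still re-identify the individual, so the on-chain value remains pseudonymous personal data and the key becomes the thing whose protection (and, for erasure, destruction) has to be managed.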
This blog was written by Derek Stinson.
For all questions regarding the topics raised in this blog, please contact a member of our team of digital asset legal experts.