Blockchain and GDPR: is the data protection of blockchain technology compliant?

A blockchain generates private and public keys, with which each participant has individual access rights to part of the data chain and the data sets can also be shared between them.
Photo: Petr Bonek –

Blockchain applications are still largely limited to recording and storing transactions for cryptocurrencies. Although the crypto euphoria is currently muted, one should not conclude the value of the technology itself. Blockchain has the potential to change many areas of the economy and society – be it supply chain management, insurance or the financial industry. In the Hype Cycle for Blockchain and Web3 2022, Gartner states that enterprises are increasingly realizing the concrete business benefits of blockchain applications and are facing a turning point in adaptation.

Reading tip: Blockchain scam – Microsoft warns of new phishing method

Among the multitude of questions this raises, one is particularly central: can blockchain technology be made compatible with the GDPR? At first glance, regulations on data protection and blockchain technology collide on several levels.

The basic principle of the blockchain is the immutability of the commercial register. It is almost impossible to modify or delete data once written to the blockchain. Blockchain databases are actually “add-on-only” ledgers: all transactions are developed in a linear and chronological fashion. Changing or deleting data would require the consent of the majority of a channel, i.e. more than half of the minors. Only in exceptional circumstances is this practically conceivable – for example with a 51% attack.

However, the principle that makes blockchain technology secure conflicts at first sight with the right to erasure (right to be forgotten) provided for in Article 17 of the GDPR: according to this, individuals can request the deletion of their personal data with a person responsible for their processing. . Public blockchains, which everyone can access in principle, do not respect the principle of data economy and cannot guarantee that data subjects can modify or delete data.

According to Article 4 no. 1, the GDPR applies when personal data is processed. As a rule, no directly personal data is stored in the blockchain, only hash values ​​(combinations of numbers and letters from cryptographic processes). However, if these are linked to concrete data sets – which is required, for example, when registering on many crypto exchanges – the hashes become pseudonymised data which is also covered by the GDPR.

Reading tip: $28 Million Stolen – Hackers Steal Deribit Crypto Wallets

However, there is currently no consensus on exactly how to implement the right to erasure, as different jurisdictions interpret the rules differently. One solution could be that deletion does not necessarily equate to data destruction. Data anonymization can also be interpreted as deletion. One such possibility would be the destruction of the private key associated with the transaction on the blockchain. For example, the French data protection authority believes that this would create the anonymity required by Article 17 of the GDPR. Another option would be to provide the data owner with a private key, without which read access is not possible.

The question of who is responsible for implementing the regulations within the meaning of the GDPR is also difficult to answer. Implicitly, the GDPR assumes centralization and a single legal entity. At its core, however, blockchain, as an amalgamation of several technologies, expressly relies on decentralization and achieves its resilience through replication. For example, the “controller” defined in the GDPR is difficult to identify in a blockchain and would depend on the specific use case. Public blockchains in particular are characterized by their decentralized structures. Many different actors could be identified as data controllers. Who should a data subject under Article 24 contact in this case?

All of these points raise the question of whether the GDPR should be adapted to new technologies – or whether blockchain technology can be used with respect for data protection. After all, blockchain offers certain advantages that follow the basic principles of the GDPR very closely. In this way, the blockchain guarantees transparency on the type of data storage and who accessed the data and when – and all this without formal request for information about the data. Control over what happens with one’s own data is therefore higher than with conventional central storage.

In other places, however, it remains difficult. As stated above, there are certain options for technically addressing the right to erasure. In fact, some tensions seem almost insurmountable without challenging the very essence of blockchain technology. So far, the European Data Protection Board has only announced binding guidelines for dealing with blockchain. As long as they are not published, uncertainty for companies will remain. To stay on the safe side, you should prefer alternative solutions to store GDPR-relevant data. Managers should always critically ask themselves whether blockchain is really the best solution for their project or whether conventional approaches at this stage lead to the goal faster and, above all, legally. (pc)

Leave a Comment