The GDPR was conceived at a time of (mainly) centralised data silos. At first sight, as a distributed and append-only database, blockchain has some inherent difficulties from a GDPR point of view. How to identify the data controller? How to align blockchain with the principle of data minimisation? How to ensure the data subject’s rights, in particular the right of erasure? How to comply with the rules regarding transfers outside the European Economic Area? No doubt further reflection is required by the European regulators on how to overcome these complex issues, and we will not dig into those issues here.
Blockchain: a privacy-enhancing technology?
The purpose of this post is rather to focus on the opportunities. If we think beyond the difficulties set out above, it must be observed that blockchain offers a huge opportunity for the protection of personal data as required by the European legislator.
Two of the GDPR’s underlying goals are data sovereignty and the free movement of data. Our conviction is that blockchain, if adequately designed, can help achieve these goals by giving data subjects more control over their data and allowing them to selectively share their data, without intermediaries.
Blockchain is not necessarily good or bad: as any tool, it can be used for good or abused. The real challenge is therefore to design and promote its use as a privacy-enhancing technology.
First, it should always be assessed whether or not blockchain technology is appropriate for a given processing of personal data.
Secondly, where personal data is processed via a blockchain, the important goal is to design adequately this blockchain, based on the specific use case, in order to meet the GDPR requirements. It should not be impossible to limit the risks and solve the problems set out above via e.g. the use of a private or permissioned blockchain, and via off chain storage. But these issues must be tackled from the very early conception of the technological solution.
This is why IT and legal professionals must come together.