By Alistair Facciol and Sarah Cannataci[*]
Without a doubt, data is the new gold. Blockchain, the most recent technological development taking over the world as we know it, is realizing the potential of data now more than ever. Yet, at the same time, many question whether the principles established in the General Data Protection Regulation 2016/679 (‘GDPR’) are compatible with the foundations of this new technology.
Blockchain first rose to fame in the ashes of the financial crisis of 2008, and was then adopted as the underlying technology of hugely successful platforms such as Bitcoin and Ethereum. Best described as a distributed ledger, blockchain allows the recording of information in blocks at a point in time, with new transactions being added to a block and connected to a previous block of information via nodes. This allows the information to be stored across a network, therefore moving away from the traditional approach of centralized data. This methodology also ensures that information is protected through a multi-level approach via encryption.
Blockchain’s ingenuity might however prove to be challenging in the face of the GDPR. Firstly, its decentralized set-up automatically excludes the notion of a central entity – this is detrimental to the concept of accountability in that identifying a data controller would seem virtually impossible. The GDPR’s applicability has been extended from that adopted within its predecessor, Directive 95/46/EU. Once it comes into force in May 2018, the principles established within the GDPR will be applicable to “the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”, as well as to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods and services, irrespective of whether a payment of data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union”. This establishment principle becomes even more complex when one considers the existence of private blockchain and public blockchain. In the former, participants have been vetted, and therefore the data controller in this situation would arguably be the entity in charge of operating the private blockchain. Conversely, in a public blockchain, as the name implies, anyone would be able to access and add to the ledger, and therefore every node would be considered to be a data controller. Reconciling this notion with that of ‘joint controllers’ and the determination of respective responsibilities in a transparent manner as expounded in the GDPR is inconceivable to say the least.
Secondly, the material scope of the GDPR is that of processing of personal data, so for its principles to be applicable to a blockchain, the latter must process such personal data. Personal data is deemed to be any information relating to an identified or identifiable natural person, account being had of the cost of and amount of time required for identification to take place. Here it is noteworthy to mention that the GDPR does not apply to anonymous data, but pseudonymised data which could be attributed to a natural person with the use of additional information still constitutes personal data. With this in mind, the likelihood is that the data constituting the basis of the transactions carried out through blockchain is information relating to specific individuals, and despite the encryption tools employed allowing access to authorised individuals only, typically such data would merely be pseudonymised and would therefore still fall within the understanding of personal data under the GDPR.
The GDPR also attracted a lot of attention due to its inclusion of the much debated ‘right to be forgotten’, which was first recognised in C-131/12 Google Spain SL & Google Inc. v. AEPD & Mario Costeja Gonzàlez. Officially referred to as the right to erasure, this allows the data subject to obtain from the controller the erasure of personal data where he has withdrawn consent, the data has been unlawfully processed and where the data is no longer necessary for the purposes for which it is collected or processed, amongst other grounds. As highlighted above, identifying the data controller on whom these responsibilities would lie is no easy task. Furthermore, especially in public blockchains, actually carrying out this erasure of data as requested by the data subject is virtually impossible due to the innate blockchain architecture. Erasing data stored on a blockchain would mean that the process must occur at every node, wherein the blockchain would have to be unmade one block at a time up until the point where the data was first entered, and then rebuilt again, across the whole network. One of the arguments put forward in this regard has been that the data is necessary for the processing purpose since the blockchain architecture demands a perpetual written chain.
This architectural issue also ties to the notion of Privacy by Design as included within Article 25 of the GDPR. Developed by Dr Ann Cavoukian in the late nineties, this approach “does not wait for privacy risks to materialise, nor does it offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring”. In the advent of technological development and increased data processing, the EU legislators sought to include this notion within the GDPR, and in fact this imposes an obligation on the data controller to implement technical and organisational measures in line with data protection principles, both at the time of the determination of the means for processing as well as during the processing itself. At present, although data is often anonymised and encrypted, blockchain architecture seems to be incompatible with the notions of data minimisation, for example. Nevertheless, it must be noted that the obligation set out in the GDPR is not inflexible, in that in fact it takes into account the “state of the art, the cost of implementation and the nature, scope, context and purposes of the processing as well as the likelihood of risks to the rights of data subjects.
Created as part of the Data Protection Reform Package, the GDPR is meant to revitalize innovation and facilitate business development, but it is still unclear if the concepts underlying blockchain can be reconciled with the data protection principles and privacy concerns that have led to the promulgation of the GDPR - we will yet have to see.
 Neelie Kroes, Press Conference on Open Data Strategy, Brussels, 12th December 2011, as accessed on http://europa.eu/rapid/press-release_SPEECH-11-872_en.htm?locale=en
 Article 3, GDPR.
 “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person”, Article 4(1), GDPR.
- Here it is also noteworthy to mention the case C-582/14 Patrick Breyer v. Bundesrepublik Deutschland, which established that dynamic IP addresses, under certain circumstances, constitute personal data where a third party has the additional data necessary to identify the individual.
 Recital 26, GDPR.
 Article 17, GDPR.
 Ann Cavoukian, Privacy by Design: The 7 Foundational Principles - Implementation and Mapping of Fair Information Practices, as accessed on https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-implement-7found-principles.pdf