GDPR v Blockchain – the right (but not the ability) to be forgotten
Blockchain technology is growing in popularity day by day as most large organisations continue to investigate how it can be used to revolutionise their businesses. Blockchain, at its core, relies on the immutability of recorded transactions (i.e. they cannot change over time). However, immutability doesn’t mean that a blockchain cannot be changed. After the DAO was hacked in 2016, the Ethereum community voted almost unanimously to roll back the transactions that illegally sent tens of millions of Ether to the hacker. This vote allowed the stolen Ether to be returned to its rightful owners, but it resulted in a hard fork: Ethereum Classic was created for those users who voted against rolling back the transactions because they supported the principle of immutability.
This principle of immutability potentially conflicts with several key provisions of the new General Data Protection Regulation:
- the obligation for a controller before and at the time of processing to take appropriate measures designed to implement data minimisation (i.e. a controller should process as little data as possible to accomplish its task);
- the requirement that personal data be processed for no longer than is necessary for the purpose for which it is collected; and
- the requirement that personal data be processed in accordance with the rights of data subjects. One of these rights is the right to erasure known as the ‘right to be forgotten’.
All these provisions cause issues with blockchain technology, but the right to be forgotten causes particular concern: there is fundamentally no way to erase personal data that is stored as part of a transaction on the blockchain without destroying the cryptographic integrity of the service and undermining the multitude of other benefits that blockchain technology brings, such as verifying transactions, preventing double spending and increased data security via encryption. However, it should be remembered that the right to be forgotten is not an absolute right; it only applies in certain circumstances. One of these circumstances is where the controller is relying on legitimate interests as its basis for processing, the data subject objects to such processing and there are no overriding legitimate grounds to continue the processing. Therefore, depending on the nature and amount of personal data that is the subject of the request, and on whether any other data subject’s personal data will be impacted by the erasure (as is likely in a blockchain-based service), the controller may be able to argue that the data subject does not have a right to request that they be forgotten because the controller has an overriding legitimate ground for the processing.
Data subject rights (such as the right to have data processed no longer than necessary and the right to be forgotten) are the cornerstone of data protection law, and to ignore or seek to evade them undermines the core purpose of these laws; that is, giving everyone ownership of their data and a right to decide who that data is shared with and what happens to it. Any service that utilises blockchain technology and involves the processing of personal data must be carefully thought through to ensure that it complies, as best it can, with laws that are struggling to keep pace with technology that is advancing on an almost daily basis. Any such service should, if possible, be segregated so that if personal data must be erased, the cryptographic integrity of only part, and not all, of the service is destroyed. Finally, users of the service should, at the very least, be warned that if they do share personal data there is a chance it may never be deleted. This warning should be included in both the terms of use of the service and a clearly drafted privacy policy that is completely transparent about the nature of the service and its limitations in respect of fully complying with data protection laws.
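As an added illustration (not part of the original post), a toy hash chain shows why redacting a personal field in one block breaks verification of that block and makes everything chained after it untrustworthy, and how segregating records into separate chains confines the damage to one part of the service. The block format and sample transactions are constructed for this example.

```python
import hashlib
import json

GENESIS = "0" * 64


def block_hash(prev_hash, payload):
    # Each hash commits to the previous block's hash and this block's payload;
    # that link is what makes the chain tamper-evident.
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def build_chain(payloads):
    chain, prev = [], GENESIS
    for p in payloads:
        h = block_hash(prev, p)
        chain.append({"prev": prev, "payload": p, "hash": h})
        prev = h
    return chain


def first_broken_block(chain):
    """Index of the first block whose link or hash no longer verifies, or None."""
    prev = GENESIS
    for i, b in enumerate(chain):
        if b["prev"] != prev or block_hash(b["prev"], b["payload"]) != b["hash"]:
            return i  # every later block builds on this one, so trust ends here
        prev = b["hash"]
    return None


def erase_field(chain, index, field):
    """Redact one personal field in place, as an erasure request would demand."""
    chain[index]["payload"][field] = "[erased]"


# Constructed sample transactions; the "note" on the second one holds personal data.
TXS = [{"from": "alice", "to": "bob", "amount": 5, "note": "rent"},
       {"from": "bob", "to": "carol", "amount": 2, "note": "Carol's phone 555-0100"},
       {"from": "carol", "to": "dave", "amount": 1, "note": "coffee"}]


def demo():
    single = build_chain([dict(t) for t in TXS])  # one chain for the whole service
    erase_field(single, 1, "note")
    broken_at = first_broken_block(single)  # 1: block 1 and all after it are tainted
    # Segregation: one chain per sender, so erasing from one leaves the rest intact.
    parts = {t["from"]: build_chain([dict(t)]) for t in TXS}
    erase_field(parts["bob"], 0, "note")
    intact = sorted(k for k, c in parts.items() if first_broken_block(c) is None)
    return broken_at, intact  # (1, ['alice', 'carol'])
```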
GDPR Article 25(1)
GDPR Article 5(1)(e)
GDPR Articles 15 to 22
GDPR Article 17
GDPR Article 17(1)(c)