GDPR v Blockchain – the right (but not the ability) to be forgotten
Blockchain technology is growing in popularity day by day as most large organisations continue to investigate how it can be used to revolutionise their businesses. Blockchain, at its core, relies on the immutability of recorded transactions (i.e. they cannot change over time). However, immutability doesn’t mean that a blockchain cannot be changed. After the DAO was hacked in 2016, the Ethereum community voted almost unanimously to roll back the transactions that illegally sent tens of millions of Ether to the hacker. This vote allowed the stolen Ether to be returned to its rightful owners, but resulted in a hard fork: Ethereum Classic was created for those users who voted against rolling back the transactions because they supported the principle of immutability.
This principle of immutability potentially conflicts with several key provisions of the new General Data Protection Regulation:
- the obligation for a controller before and at the time of processing to take appropriate measures designed to implement data minimisation (i.e. a controller should process as little data as possible to accomplish its task);
- the requirement that personal data be processed for no longer than is necessary for the purpose for which it is collected; and
- the requirement that personal data be processed in accordance with the rights of data subjects. One of these rights is the right to erasure known as the ‘right to be forgotten’.
All these provisions cause issues with blockchain technology, but the right to be forgotten causes particular concern. There is fundamentally no way to erase personal data that is stored as part of a transaction on the blockchain without destroying the cryptographic integrity of the service and undermining the multitude of other benefits that blockchain technology brings, such as verifying transactions, preventing double spending and increased data security via encryption. However, it should be remembered that the right to be forgotten is not an absolute right; it only applies in certain circumstances. One of these circumstances is where the controller is relying on legitimate interests as its basis for processing, the data subject objects to such processing and there are no overriding legitimate grounds to continue the processing. Therefore, depending on the nature and amount of personal data that is the subject of the request and, as is likely in respect of a blockchain technology service, on whether any other data subject’s personal data will be impacted by the erasure, the controller may argue that the data subject does not have a right to request that they be forgotten, as the controller has an overriding legitimate ground for the processing.
GDPR Article 25(1)
GDPR Article 5(1)(e)
GDPR Articles 15 to 22
GDPR Article 17
GDPR Article 17(1)(c)