New Guidance from the European Commission on the GDPR and Blockchains
The European Parliament’s Think Tank has joined in the academic debate that has been growing: can the GDPR and Blockchain technology exist together, allowing for both innovation and legal protection?
The Difficult Relationship Between the GDPR and Blockchains
A Blockchain is a database in which data is stored and distributed to a large number of systems, with all entries being visible to all users. It is a technology which can serve in a diverse range of processing operations with a number of different actors having different levels of access.
The GDPR assumes that each personal data point is owned by at least one data controller who can be responsible for it. Blockchain on the other hand, make this allocation of responsibility and accountability, in the European Commission’s own words, burdensome.
Blockchains also raise issues with the obligations concerning sub-contracting and the rules governing international transfers of data. It can be difficult to anonymise data, and data is often repurposed which goes against the obligation of obtaining ongoing consent for a specific purpose under the GPDR.
Data subjects are granted the right to be forgotten under the GDPR, but Blockchains cannot unilaterally modify data easily.
The CNIL published a report one year ago with some guidance for those who wished to use Blockchain technology and remain compliant; it warned that users of a Blockchain could be considered to be a controller, and hoped for technological advances that would offer solutions as to the rights regarding erasure, rectification and objection. So far, these technological advances are awaited.
The EU’s View?
The European Parliamentary Research Service has now published its opinion on the uniting of the GDPR and Blockchains.
It has pointed out the same issues as have been highlighted in previous discussions. It is difficult to appoint one specific data controller to a decentralised technology with many different players, which leads to issues with responsibility and accountability. Articles 16 and 17 of the GDPR requires data to be deleted easily whereas unilateral deletion in Blockchain is particularly onerous. It is difficult to ensure data minimisation and purpose limitation.
The study, like last year’s CNIL report, suggests that Blockchain technologies could in fact be used to achieve the GDPR’s objectives. It is possible that they could be used as a data governance tool, supporting alternative forms of data management and distribution, providing benefits which other contemporary solutions do not have. They can offer transparency as to who has accessed data, and they can reduce the costs of sharing data.
The GDPR required that data subjects are provided more control over the data which directly or indirectly relates to them, and the study suggests that Blockchain technologies could assist with this, allowing them the right of access (Article 15, to view the data held about them) and the right of portability (Article 20, to transfer their data to another controller) much more readily. It is suggested that technology could also help with the detection of data breaches and fraud.
The European Parliament hopes that Blockchain technologies can facilitate the inter-institutional sharing of data, which may in turn facilitate the development of AI. In order to advance Blockchain technologies to aid the GDPR and the development of AI fuelled systems, it has suggested some policy options to ensure safeguards.
The European Commissions “New” Policy Suggestions:
There is certainly a lack of legal certainty around the application of the GDPR to Blockchain technologies, and the European Commission has admitted this. Its explanation is that the technology behind Blockchains raises issues with the GDPR and all attempts to regulate these blockchains have revealed more uncertainties regarding the interpretation and application of laws.
The European Commission does not think that the GDPR needs to be revised, pointing out that the principles-based regulation was designed in a way that was neutral to all types of technology, in an attempt to survive in the quickly progressing data economy. Rather, the legal certainty for users of Blockchain technologies should be increased through regulatory guidance on specific mechanisms, from bodies like the European Data Protection Board (EDPB).
Bodies must also work together: there are currently updated opinions from the Article 29 Working Party on anonymisation techniques, which have not been accepted by the EDPB, for example.
The European Commission hopes that this method could provide certainty both to Blockchain stakeholders and the wider data economy.
Support Codes of Conduct and Certification Mechanisms
Since the GDPR was developed to be able to apply to any technology it can be difficult to apply to specific cases. The GDPR therefore provides certification mechanisms and codes of conduct for actors to adhere to. This has been achieved in cloud computing, and so the European Commission wonders if the same could be achieved in the context of blockchain technology.
For the development of codes of conduct which are applicable to Blockchain technologies, the Commission accepts that further research is required for the bigger sticking points with the GDPR, such as the right to be forgotten. For this, it has called for interdisciplinary research to find both technical and governance remedies by design.
Are these suggestions really new?
Ultimately, the Commission accepts that for now Blockchains need to be reviewed on a case-by-case basis. In the future, perhaps Blockchains which are specifically designed for such a purpose will assist with legal compliance, which in turn can encourage innovation in the technology sector.
The policy suggestions from the European Commission do seem to be suggestions that the tech community has expected for a while, but as usual, it seems that the law is struggling to keep up the pace with technology. For now…we wait!
For more information or for any legal inquiries, don’t hesitate to contact us.
Article by Lily Morrison, Legal Consultant @ Gerrish Legal, August 2019