Data Privacy (GDPR)
This section considers privacy compliance requirements that may need to be evaluated in a blockchain project. It is focused on European privacy regulation, namely the General Data Protection Regulation (GDPR).
Blockchain is a technology with a high potential for development that raises questions on its compatibility with the GDPR. Compliance with the GDPR, however, is a key requisite as non-compliance may result in regulatory action ranging from orders to stop the project to administrative fines that can amount to 20m EUR or 4% of the annual turnover of the relevant members of the consortium.
To ensure GDPR compliance of a blockchain project, it must first be established whether personal data is stored, processed and/or transferred in the context of the blockchain project. If the answer is 'yes' the project must be able to satisfy compliance requirements both on a technical as well as on a governance level. The GDPR is based on the principle of 'accountability' which requires the relevant (joint) data controller(s), which are the entities that determine the means and purpose of data processing – to be able to provide sufficient evidence and documentation about GDPR compliance.
Key Principles and Concepts of GDPR
Key principles and concepts of the GDPR include:
The GDPR applies to the processing of personal data, i.e. any information relating to an identified or identifiable natural person ('data subject'); pseudonymous data, which is data that requires additional information in order to be linkable to a data subject, qualifies as personal data, too, but pseudonymity may be considered as a security element. Anonymous data is out of scope of the GDPR. In a blockchain project, anonymization techniques like 'salting' and differential privacy may be used to anonymize data that is stored on-chain.
The GDPR differentiates between data controllers as the entities determining means and purpose of data processing, and data processors that act under instructions of a data controller. Data controllers can also be joint data controllers. The different roles result in different compliance obligations. Therefore, it is important to assess the roles of all entities involved in a blockchain project (e.g. users, nodes, miners) and address the compliance requirements associated with the respective role. Governance models need to reflect GDPR requirements and deadlines stipulated by law, and ensure that a mechanism exists that ensures that the consortium is able to comply with external influx such as regulatory action and data subject requests.
The GDPR requires all processing of data to be in line with the data protection principles laid down in Art. 5 GDPR, i.e. lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality. (Joint) data controllers need to be able to demonstrate towards a regulator that these principles are observed, which results in the requirement of a comprehensive compliance documentation and data privacy management concept.
The processing of personal data always requires a legal basis, the most important of which are contractual necessity, consent and legitimate interest. Where a data processing is based on legitimate interest, the relevant (joint) data controller(s) must carry out and document a legitimate interest assessment.
The GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements, such as Article 16 (right to correction) and Article 17 (right to deletion). Thus, GDPR requires (joint) data controllers to be able to satisfy these data subject rights as well as respective regulatory requests, and a blockchain project that involves to processing of personal data needs to consider the implication of these rights early on (e.g. use of zero knowledge proofs, other privacy-enhancing technologies such as homomorphic encryption).
The GDPR requires the implementation of appropriate measures to ensure data security. The actual determination of measures is subject to the risks associated with the data processing activity and may entail inter alia encryption (transit and rest), role-based access concepts, and pseudonymization.
Where the processing of personal data is considered to carry particular risks for the rights and freedoms of data subjects, the relevant (joint) data controller(s) may be obliged to carry out a comprehensive data privacy impact assessment.
Internal references and dependencies
(Lists of internal references and dependencies)
References to best practice, examples
(List of references to best practice, examples)
Bibliography of selected references
Blockchain: legal and regulatory guidance report', The Law Society/Tech London Advocates. 2020. Blockchain: legal and regulatory guidance report | The Law Society
European Parliament. Directorate General for Parliamentary Research Services. 2019. Blockchain and the General Data Protection Regulation: Can Distributed Ledgers Be Squared with European Data Protection Law? LU: Publications Office. https://data.europa.eu/doi/10.2861/535.
‘Blockchain and the GDPR: Solutions for a Responsible Use of the Blockchain in the Context of Personal Data | CNIL’. n.d. Accessed 12 April 2021. https://www.cnil.fr/en/blockchain-and-gdpr-solutions-responsible-use-blockchain-context-personal-data.
'Blockchain and the GDPR: Addressing the compliance challenge, IAPP, December 2018, https://iapp.org/news/a/blockchain-and-the-gdpr-addressing-the-compliance-challenge/
Humbeeck, Andries Van. 2019. ‘The Blockchain-GDPR Paradox’. Journal of Data Protection & Privacy, March. https://hstalks.com/article/4997/the-blockchain-gdpr-paradox/.
Teperdjian, Raffi. 2020. ‘The Puzzle of Squaring Blockchain with the General Data Protection Regulation’. Jurimetrics Journal, June. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3638736.
Contributing authors: Stephan Zimprich, Partner, IP & Technology, Fieldfisher, Hamburg
Status of this document: draft
Last day modified: 2021-05-18