Blockchain and the General Data Protection Regulation Can distributed ledgers be squared with European data protection law? STUDY Panel for the Future of Science and Technology EPRS | European Parliamentary Research Service Scientific Foresight Unit (STOA) PE 634.445 – July 2019 EN Blockchain and the General Data Protection Regulation Can distributed ledgers be squared with European data protection law? Blockchain is a much-discussed instrument that, according to some, promises to inaugurate a new era of data storage and code-execution, which could, in turn, stimulate new business models and markets. The precise impact of the technology is, of course, hard to anticipate with certainty, in particular as many remain sceptical of blockchain's potential impact. In recent times, there has been much discussion in policy circles, academia and the private sector regarding the tension between blockchain and the European Union's General Data Protection Regulation (GDPR). Indeed, many of the points of tension between blockchain and the GDPR are due to two overarching factors. First, the GDPR is based on an underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. These data controllers must comply with the GDPR's obligations. Blockchains, however, are distributed databases that often seek to achieve decentralisation by replacing a unitary actor with many different players. The lack of consensus as to how (joint-) controllership ought to be defined hampers the allocation of responsibility and accountability. Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements, such as Articles 16 and 17 GDPR. Blockchains, however, render the unilateral modification of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Furthermore, blockchains underline the challenges of adhering to the requirements of data minimisation and purpose limitation in the current form of the data economy. This study examines the European data protection framework and applies it to blockchain technologies so as to document these tensions. It also highlights the fact that blockchain may help further some of the GDPR's objectives. Concrete policy options are developed on the basis of this analysis. STOA | Panel for the Future of Science and Technology AUTHOR This study was written by Dr Michèle Finck at the request of the Panel for the Future of Science and Technology (STOA) and managed by the Scientific Foresight Unit, within the Directorate-General for Parliamentary Research Services (EPRS) of the Secretariat of the European Parliament. ADMINISTRATOR RESPONSIBLE Mihalis Kritikos, Scientific Foresight Unit (STOA) To contact the publisher, please e-mail [email protected] LINGUISTIC VERSION Original: EN Manuscript completed in July 2019. DISCLAIMER AND COPYRIGHT This document is prepared for, and addressed to, the Members and staff of the European Parliament as background material to assist them in their parliamentary work. The content of the document is the sole responsibility of its author(s) and any opinions expressed herein should not be taken to represent an official position of the Parliament. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy. Brussels © European Union, 2019. PE 634.445 ISBN: 978-92-846-5044-6 doi: 10.2861/535 QA-02-19-516-EN-N http://www.europarl.europa.eu/stoa (STOA website) http://www.eprs.ep.parl.union.eu (intranet) http://www.europarl.europa.eu/thinktank (internet) http://epthinktank.eu (blog) Blockchain and the General Data Protection Regulation Executive summary In recent years, there has been ample discussion of blockchain technologies (or distributed ledger technology – DLT1) and their potential for the European Union's digital single market. A recurring argument has been that this class of technologies may, by its very nature, be unable to comply with European data protection law, which in turn risks stifling its own development to the detriment of the European digital single market project. The present study analyses the relationship between blockchain and the GDPR, so as to highlight existing tensions and advance possible solutions. It looks into developments up until March 2019. 1. Blockchain technology In essence, a blockchain is a shared and synchronised digital database that is maintained by a consensus algorithm and stored on multiple nodes (computers that store a local version of the database). Blockchains are designed to achieve resilience through replication, meaning that there are often many parties involved in the maintenance of these databases. Each node stores an integral copy of the database and can independently update the database. In such systems, data is collected, stored and processed in a decentralised manner. Furthermore, blockchains are append-only ledgers to which data can be added but removed only in extraordinary circumstances. It is important to note that blockchains are a class of technology. Indeed, there is not one version of this technology. Rather, the term refers to many different forms of distributed database that present much variation in their technical and governance arrangements and complexity. This also implies, as will be amply stressed in the analysis below, that the compatibility between distributed ledgers and the GDPR can only be assessed on the basis of a detailed case-by-case analysis that accounts for the specific technical design and governance set-up of the relevant blockchain use case. As a result, this study finds that it cannot be concluded in a generalised fashion that blockchains are either all compatible or incompatible with European data protection law. Rather, each use of the technology must be examined on its own merits to reach such a conclusion. That said, it is easier to design private and permissioned blockchains in a manner that is compatible with EU data protection law than public and permissionless networks. This is because participants in permissioned networks are known to another, allowing for the definition, for example, of contractual relationships that enable an appropriate allocation of responsibility. Furthermore, these networks are, in contrast to public and permissionless networks, designed in a way that enables control over the network, such as to treat data in a compliant manner. Moreover, there is control over which actors have access to the relevant personal data, which is not the case with public and unpermissioned blockchains. 2. The European Union's General Data Protection Regulation The European Union's General Data Protection Regulation (GDPR) became binding in May 2018. It is based on the 1995 Data Protection Directive. The GDPR's objective is essentially two-fold. On the one hand, it seeks to facilitate the free movement of personal data between the EU's various Member States. On the other hand, it establishes a framework of fundamental rights protection, based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The legal framework creates a number of obligations resting on data controllers, which are the entities determining the means and purposes of data processing. It also allocates a number of rights to data subjects – the natural persons to whom personal data relates – that can be enforced via-à-vis data controllers. 1 Various definitions of blockchain and distributed ledger technology exist, and some of these stress different technical features of these respective forms of data management. Given the nature of this study and the lack of definitional consensus the terms are used synonymously. I STOA | Panel for the Future of Science and Technology 3. The tension between blockchain and the GDPR In recent years, multiple points of tension between blockchain technologies and the GDPR have been identified. These are examined in detail below. Broadly, it can be argued that these tensions are due to two overarching factors. First, the GDPR is based on the underlying assumption that in relation to each personal data point there is at least one natural or legal person – the data controller – whom data subjects can address to enforce their rights under EU data protection law. Blockchains, however, often seek to achieve decentralisation in replacing a unitary actor with many different players. This makes the allocation of responsibility and accountability burdensome, particularly in light of the uncertain contours of the notion of (joint)-controllership under the regulation. A further complicating factor in this respect is that in the light of recent case law developments, defining which entities qualify as (joint-) controllers can be fraught with a lack of legal certainty. Second, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with legal requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully onerous in order to ensure data integrity and to increase trust in the network. Again, the uncertainties pertaining to this area of data protection law are increased by the existing uncertainty in EU data protection law. For instance, it is presently unclear how the notion of 'erasure' in Article 17 GDPR ought to be interpreted. It will be seen that these tensions play out in many domains. For example, there is an ongoing debate surrounding whether data typically stored on a distributed ledger, such as public keys and transactional data qualify as personal data for the purposes of the GDPR. Specifically, the question is whether personal data that has been encrypted or hashed still qualifies as personal data. Whereas it is often assumed that this is not the case, such data likely does qualify as personal data for GDPR purposes, meaning that European data protection law applies where such data is processed.