Left to their own devices, organisations, both private and public, hoard personal data. The General Data Protection Regulation (GDPR) is a unified privacy regulation that introduced more privacy rights to data subjects by introducing new procedural and organisational obligations for data processors. GDPR curtails the unnecessary hoarding of data by data processors and also introduced a right for individuals to have their personal data erased. 

However, technology has a habit of running ahead of legislators. For instance, take blockchain: it relies on a distributed ledger system that is decentralised and immutable, and is intended to be a permanent and a tamper-proof record that sits outside the control of any one governing authority.

Anne Toth, head of Data Policy at the World Economic Forum, contends that because data stored on the blockchain, including personal data, cannot be deleted, there is no way to exercise “the right of erasure” that people are granted under GDPR. Toth further argues that blockchain is not designed to be GDPR-compatible. Or rather, we believe that GDPR, as written to date, is not blockchain-compatible.

Others have propounded that the ‘right of erasure’ can be reconciled with blockchain technology by persuading regulators that ‘erasure’ does not have to imply that data is literally deleted and that making data permanently inaccessible without deletion should produce the same result.

Where personal data is saved on a blockchain in hashed form (meaning that the data is transformed in a way that it cannot be reverse engineered to its original state), one can argue that the existence of the hashes on the blockchain is not in violation of GDPR, as the data is sufficiently anonymised that it falls outside the definition of personal data under GDPR in the first place.

Yet, the Article 29 Working Party (now replaced by the European Data Protection Board) in its Opinion 05/2014 on Anonymisation Techniques had partially concluded that hashing may still leave some small possibility of a successful brute force attack. A brute force attack is an instance where an attacker tries an extremely large number of guesses with the hope of eventually guessing correctly, thereby exposing hashed personal data stored on blockchain.

Still others contend that an alternative solution might be to encrypt all personal data with a key: in the event that a data subject requests that his blockchain data be erased, the key would be deleted, which in layman’s terms should be tantamount to deletion for GDPR purposes. The challenge is, however, that GDPR does not define what it means to ‘erase’ data. Another possible reconciliatory solution in respect of the ‘right of erasure’ might be that of keeping personal data in separate ‘off-chain’ databases, but to do so would sacrifice several of the benefits of using blockchain in the first instance.
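The hashing concern and the key-deletion idea discussed above can be seen side by side in the following added example, which is not part of the original article. It assumes a constructed five-digit identifier format, and it applies key deletion to a keyed hash (HMAC) as a stand-in for the encryption approach the text describes; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Constructed identifier format: five decimal digits, so only 100,000 values exist.
ID_SPACE = [f"{n:05d}" for n in range(100_000)]

def plain_digest(identifier: str) -> str:
    """Unkeyed SHA-256, as if the hash were written to the ledger directly."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def keyed_digest(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key that is held off-chain."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def match_identifier(on_chain: str, digest_fn):
    """Return the identifier whose digest equals on_chain, or None if none does."""
    for candidate in ID_SPACE:
        if hmac.compare_digest(digest_fn(candidate), on_chain):
            return candidate
    return None

def assess(identifier: str) -> dict:
    """Check whether each on-chain form can be linked back to the identifier."""
    key = secrets.token_bytes(32)          # controller's secret, never on-chain
    bare = plain_digest(identifier)
    keyed = keyed_digest(identifier, key)
    unrelated_key = secrets.token_bytes(32)  # models a party after the key is erased
    return {
        # Small input range: the bare hash is pseudonymous, not anonymous.
        "bare_hash_relinked": match_identifier(bare, plain_digest),
        # Without the key, enumerating identifiers matches nothing.
        "keyed_without_key": match_identifier(keyed, plain_digest),
        # While the key exists, its holder can still re-link the record.
        "keyed_with_key": match_identifier(keyed, lambda c: keyed_digest(c, key)),
        # Once the key is erased, the on-chain value can no longer be linked.
        "keyed_after_key_erased": match_identifier(
            keyed, lambda c: keyed_digest(c, unrelated_key)),
    }

if __name__ == "__main__":
    for check, result in assess("04217").items():
        print(f"{check}: {result}")
```

Whether the last case counts as ‘erasure’ is the legal question the article raises; the code only shows that the on-chain value stops being linkable once the key is gone.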

In the light of the above, companies should be aware of the risk of developing blockchain technologies that will include personal data of EU-based individuals until such time as we have clarification on the interpretation of the obligation to ‘erase’ data, or until GDPR is amended to take blockchain into account, to our mind a matter of time.

Antoine Demicoli, a senior manager at KPMG in Malta, has written his LLD thesis on data protection.

