This article is an abridged version of the full paper “March of the blocks: GDPR and the blockchain”, published jointly by Slaughter and May and Cravath, Swaine and Moore LLP in February 2019, as commissioned by the Center for Global Enterprise. A version of this article was first published in Privacy Laws & Business UK Report (Issue 102, March 2019).
Blockchain technology has advanced significantly over the past decade, and now provides a real alternative to traditional database solutions. However, the General Data Protection Regulation (GDPR) presents substantial compliance hurdles to the ongoing development of blockchain solutions that involve storing (and transacting with) personal data. Some commentators have gone so far as to call blockchain fundamentally incompatible with the GDPR. However, with some collaborative, proactive and innovative thinking by lawmakers and technology providers alike (and some much needed, up-to-date guidance from European regulators) blockchain solutions that respect the fundamental principles of data protection and privacy are, in our view, achievable.
A background to blockchain
Simply put, a blockchain is a series of blocks of data, linked together by a cryptographic hash to form a chain. Cryptographic hashing, which is one of the cornerstones of blockchain technology, works by using an algorithm to turn each block of data into a random, fixed-length, output (known as a “hash”). Each block of data includes a hash of the chain’s previous block. Because the previous block in the chain itself includes a hash of the block before that one (and so on all the way back to the first block), the blocks form a continuous, unbroken chain of reliable data. This means that multiple parties can hold separate copies of the same blockchain and can easily verify that a particular copy of the chain has not been modified or is different from any other copy. It is for this reason that blockchain technology is being applied to an increasing number of solutions for recording, processing and sharing information in a decentralised and easily accessible and auditable way.
One of the most widely acclaimed features of a blockchain is that the information stored on it is immutable; the data of any block in the chain cannot be modified without changing the hash of every block that follows it. This is because the hash stored in each block of the chain effectively acts as a “fingerprint” of the previous block. A hashing algorithm can then be passed over the previous block in the chain to confirm that it generates the correct hash. If the previous block is changed in any way, the algorithm will of course not generate the correct hash, and the chain will break.
Interestingly, as businesses have developed progressively more innovative blockchain-based solutions to an increasingly broad range of data-related problems, governments, regulators and organisations have become more active in creating meaningful support for blockchain’s huge potential. That said, there still remains significant concern about the application of the GDPR to blockchain technology, and about the difficulty of achieving a GDPR-compliant blockchain solution.
Blockchain vs GDPR
Some of the most revolutionary features of blockchain technology, notably the generally immutable nature of data on a blockchain discussed above, do not sit neatly with the key principles and obligations of the GDPR. The most obvious difficulties stem from the GDPR’s obligations to uphold data subjects’ rights to the erasure and rectification of their personal data, which are difficult to reconcile with a technology whose most valuable properties are the decentralised and immutable nature of the information it contains.
However, while some applications of blockchain technology (such as most public, permissionless blockchains, theoretically accessible to anyone in the world) will almost certainly end up not being compliant with the GDPR, GDPR-compliant solutions should not be viewed as being intrinsically unachievable.
Some possible solutions?
With some up-to-date and pragmatic guidance from data protection regulators, a blockchain solution that respects the fundamental principles of data protection and privacy could be achievable, particularly if the following four guiding principles are followed.
I. Use a private, permissioned blockchain.
While the most common vision of blockchain is of a fully public, permissionless network, there are a wide variety of blockchain solutions, many of which are in fact private and require permission to join. The principal point of a public, permissionless network is that any person in any location can become a participant in that blockchain, without registration or restriction, simply by installing the relevant software and downloading a full copy of the blockchain.
Generally, all participants on a public, permissionless blockchain can see all the data on that blockchain. Because anyone can join a public, permissionless blockchain, it is difficult to ensure that all participants will agree to (and comply with) governance rules around the protection of personal data.
By contrast, to interact with a private, permissioned blockchain network, participants must first obtain authorisation. Private, permissioned blockchain networks employ various processes to approve new participants and part of this process can be to ensure all new participants subscribe to a set of rules or terms and conditions that govern their participation in the network.
For these reasons, compliance with the GDPR requires use of a private, permissioned blockchain.
II. Avoid storing personal data on the blockchain.
The most obvious way to avoid GDPR compliance issues is, predictably, to avoid storing any personal data on the blockchain. Indeed, one crucial aspect of distributed ledger technology (i.e. that data should be decentralised and stored by participants rather than in a central repository) is particularly at odds with the GDPR’s principles of data minimisation, storage limitation, and purpose limitation. The ideal means to resolve this dilemma is to avoid it altogether.
While keeping a blockchain completely free of personal data will be difficult to achieve, this should not prevent efforts being made to keep personal data off-chain (as far as it is possible to do so). This may be done, for example, by storing a cryptographic hash of the personal data on-chain, with the underlying raw data being kept off-chain.
However, given the expanded definition of personal data under the GDPR, it is also important to consider the data environment within which the personal information sits, rather than focusing only on information that is clearly, on its face, personal data. After all, personal data under the GDPR also includes information relating to an indirectly identifiable individual, and this means that information which on its own may not be personal data can quickly become personal data when brought together with other information to build a profile of an identifiable individual.
Finally, while a blockchain solution may be designed to avoid storing personal data, there are a number of scenarios where personal data may nevertheless be added to the ledger. However, the development of blockchain middleware applications (software that sits on top of one or more underlying blockchain networks, enabling the application of those blockchain networks to particular use cases) could be used to prevent personal data being added to the network in the first place (by avoiding, for example, any free-form data or indeed any data fields for names and contact details). These applications could also employ more advanced techniques to recognise and remove personal data from information submitted to the blockchain network. AI or machine learning-based tools can, for example, be employed to recognise and blur faces in images (or anonymise other personal data) before it is submitted to the network.
III. Implement a detailed governance framework.
Given: (a) the need to ensure that personal data is adequately protected; (b) the requirements under the GDPR to establish contractual relationships governing the processing of personal data between parties; (c) the legal obligations on data controllers to provide individuals with privacy notices and a means to uphold their personal data rights; and (d) the use of contractual mechanisms to enable the export of personal data across international borders, a GDPR-compliant commercial blockchain solution will require a detailed governance framework that is contractually binding on all participants and clearly sets out each party’s rights and responsibilities.
The contractual governance framework can be built in such a manner that the GDPR responsibilities of network participants around the provisions of privacy notices, the upholding of data subjects’ rights, the response to subject access requests, the restriction of international transfers, and the proper administration of relationships between controllers and processors can all be appropriately addressed.
IV. Employ innovative solutions to data protection problems.
As discussed above, the immutable nature of blockchain data is the one element of the technology which clashes most obviously with the GDPR, especially the right to erasure and the right to rectification. However, through reliance on innovative solutions such as the use of advanced irreversible encryption (as a means of deletion), or the use of supplementary corrective statements (as a means of rectifying inaccuracies) there are solutions that enable compliance with the spirit and the policy of data protection legislation, if not yet fully the word.
For example, in relation to the right to erasure, while it is technologically difficult (and expensive) to delete historical blocks of data on a blockchain (“pruning”) or delete and rebuild a blockchain (“forking”), it may be possible to delete personal data stored on the blockchain by irreversibly encrypting the data. Under this approach, the encrypted data would remain permanently on the blockchain, but the personal data it contains would be “deleted” from the blockchain by deleting all keys that enable decryption of that data.
However, the Article 29 Data Protection Working Party (now the European Data Protection Board) previously classified encryption and hashing as pseudonymisation techniques which produce data that is not necessarily anonymised, though the guidance has not been formally endorsed by the EDPB for the purposes of the GDPR. The Working Party’s view seems to have been reached in part on the basis that data produced by pseudonymisation allows an individual data subject to be singled out and linked across different data sets. Indeed, the opinion left open the question of whether a combination of such techniques, with the help of innovative solutions, could produce data that is rendered anonymous in such a manner that the data subject is no longer identifiable. One pseudonymisation technique mentioned by the Working Party included producing a cryptographic hash and then deleting the key used to generate that hash. The opinion did note that employing this technique would make it “computationally hard for an attacker to decrypt or replay the function, as it would imply testing every possible key, given that the key is not available”, but it remains unclear whether personal data that is irreversibly encrypted or hashed and keyless can be considered to be anonymised for the purposes of the GDPR.
It is for this reason that it is of utmost importance for the European Data Protection Board and national data protection authorities to produce up-to-date, pragmatic and innovative guidance on the interplay between blockchain and the GDPR, especially in relation to innovative solutions to deletion and rectification.
A call for up-to-date regulatory guidance
It is clear that not all of the blockchain challenges posed by the GDPR and other privacy regimes can currently be completely bridged. However, the gap left by those challenges is in fact relatively small, and the fundamental freedoms forming the policy behind such privacy laws can be maintained and protected in particular blockchain environments with the help of an active and pragmatic approach by lawmakers and regulators alike.
Greater engagement by, and co-operation between, regulators, lawmakers and blockchain technology developers is now a necessity. The current legal and regulatory obstacles could then be overcome in a manner that facilitates the continued growth and exploitation of blockchain as a technology of great potential.
There is a risk that, if steps are not taken by regulators and lawmakers to bridge the gap between data protection law and blockchain technology, there will be a slowing in (or even end to) advancements in blockchain solutions. Such an outcome would ultimately be detrimental to technological developments having the capacity to deliver substantial benefits to the world as a whole.
 Article 29 Data Protection Working Party, opinion 05/2014 on Anonymisation Techniques (adopted on 10 April 2014), available at: https://iapp.org/media/pdf/resource_center/wp216_Anonymisation-Techniques_04-2014.pdf