From more or less niche beginnings, when blockchain technology first emerged as the engine driving that mysterious new financial device called Bitcoin, to today’s quasi-mainstream status, blockchain, or distributed ledger technology (DLT), has rightly earned a distinguished place on the technological podium.
DLT is built on the principles of decentralization, transparency, and immutability. In blockchain, there is no central governing authority. Think of DLT as a kingdom without a king. There is no single entity looking down from a high castle in the distance. In this decentralized realm, the peasants, so to speak, own and rule the land, and do so with trust because all peasants are connected with each other, and can see what their neighbor is doing.
As good an analogy for a decentralized and transparent network as this is, DLT does have some challenges when it comes to governance and data protection and sharing.
GDPR and blockchain: Legal frameworks
Europe has traditionally been the home of kings and queens. For centuries, it has been a centralized territory, where a single governing body is in charge. Call it President, Prime Minister, or Chancellor, they all mean the same thing: a visible state figure that represents a country’s vision and opinion. True to that long-standing tradition, back in 2018 the European Commission enacted the General Data Protection Regulation (GDPR), a framework for data privacy and protection and a set of laws to control the transfer of personal data outside the European Union and the European Economic Area (EEA). In very simplistic terms, GDPR aims to ensure that individuals control their own personal data.
As previously discussed, there is no single entity in control of a blockchain. But if there’s no one in control, who manages the blockchain, you might ask, and this is a perfectly valid question. And more importantly: Who controls the data that flows in all directions?
This is the point where DLT and GDPR enter a collision course. In blockchain, where no single entity is in charge, data flows with the same freedom as water in a river delta. But GDPR wants to ensure that for every ounce of data, there is at least a natural or legal person, referred to as the data controller, that can be held accountable.
To add on to that, in a blockchain environment, data is immutable. Once a record becomes part of the ledger, there it remains, unchanged, until the end of time. GDPR has other ideas though. The EU-born framework wants to have the option to erase or modify data at will, whenever necessary.
The stage is set for a challenge. Are DLT and GDPR fundamentally incompatible? Or is there a way for these two entities to become allies?
GDPR and blockchain: Nuanced realities
Blockchain design specifically rules out the possibility of erasing, deleting, or modifying data. This is so to maintain data integrity and safe-keep the inherent trust of the participating nodes.
This particularity has triggered debates as to whether blockchain and GDPR principles are irrevocably at odds, or if perhaps there is a way to somehow come to reconcile both systems into a platform to boost the greater good. Can blockchain accommodate GDPR principles, or can GDPR maybe come to understand blockchain’s need for privacy?
The European Parliament Report on Blockchain: a Forward-Looking Trade Policy, published in November 2018, seemed to favor the former. The paper concluded that blockchain-based applications must be compatible with GDPR. The issue nevertheless remains undecided, largely because the EU cannot resolutely classify what blockchain really is.
DLT is not a single technology. Rather, it is a highly nuanced conglomerate of technological advances with disparate technical features and different methods of governance. It is this disparity that has kept blockchain and GDPR at arm’s length from each other, so far at least. In this context, a recent study by the European Data Protection Board (EDPB) concluded that it is impossible to say with absolute clarity or certainty whether or not blockchain can be deemed compliant with GDPR. There are just too many nuances and intricacies within DLT. The EDPB’s ultimate decision was to look further into the matter of blockchain and its awkward cousin, GDPR.
GDPR and blockchain: Meeting in the middle
While current blockchain design rules out any way of complying with GDPR regulations, it leaves open the question of whether a different design would allow compliance. Would it be possible for a certain entity to have enough power to ensure compliance with GDPR, while having too little power to tamper with the immutability of a blockchain?
One example of a GDPR compliant blockchain would be the Europechain Public Blockchain (Europechain PB), which shows that, using a specific setup, this is possible. As is the case on most other blockchains, on the Europechain PB, all dApps are data controllers. They must conclude a processing agreement with the limited liability company Europechain B.V., which will be the data processor. Before dApps are allowed to deploy on the Europechain PB, they will have to prove that they will not store sensitive data on-chain.
Europechain B.V. concludes sub-processor agreements with all the nodes. Without concluding a (sub)processor agreement, a party cannot run a dApp or become a node. If there is no dApp involved in the transaction (e.g. in the event of a token transfer on the base layer) Europechain B.V. is the controller. In that event, the nodes are not sub-processors but processors. The agreements are drafted such that they allow for that.
These agreements include dispute resolution mechanisms, so that the powers of Europechain B.V. are kept in check and the nodes can readily be compelled to comply with Europechain B.V.’s instructions. This setup provides adequate control to ensure that people are informed and are able to submit their requests to a competent and compliant entity. Furthermore, it provides the contractual infrastructure required under the GDPR.
Given that Europechain B.V.’s powers have been tailored to its position as a data controller, and given that they are kept in check by the dispute resolution system, there is no way Europechain B.V.’s position may endanger the blockchain’s core values.
Within the EU, the protection of one’s data is now considered a fundamental right, as stated in Article 8 of the Charter of Fundamental Rights. The Charter’s basic provision is that a person is entitled to have their data processed ‘fairly and for the specified purposes’, and crucially, with explicit consent to do so. Furthermore, the person must be able to access personal data related to them (including the right to have that data amended under justified circumstances).
Because of the multi-layered and multi-faceted aspect of DLT, every possible scenario involving GDPR and blockchain must be looked into on a case-by-case basis, and that’s what makes it so difficult to establish a clear-cut consensus between the two.
However, as has been shown by the Europechain PB, compliance with the current GDPR regulations is possible, as long as the design allows for clear data processors and data controllers.