Blockchain: Is the GDPR Already Outdated?

September 4, 2017

The General Data Protection Regulation amounts to a
significant overhaul of existing data protection regulation and is designed to
be ‘technology neutral’. However, how the GDPR will cope with emerging blockchain
technology and a move towards the decentralisation of data storage remains to
be seen.

What is a blockchain?

Blockchain is the underlying technology behind platforms
such as Bitcoin and Ethereum. Whilst blockchains are best known for their use
in the field of ‘crypto currencies’, they have a broad range of potential applications
such as storing medical data, supply chain management or social networking.

The term ‘blockchain’ has no single definition but it is
generally used to refer to a way of recording transactions across a network of
computers. Transactions sent to the network are grouped into ‘blocks’ which are
time stamped and linked to the previous block by including that block’s
cryptographic hash. Because each block’s hash covers the hash of the block before
it, any change to a block alters the hash of every block that follows, so the
integrity of the chain can be checked all the way back to the first block. This
protects the integrity of the record rather than its confidentiality: on public
blockchains such as Bitcoin and Ethereum the transaction data itself is stored in
the clear and is readable by anyone holding a copy of the chain. What
cryptography provides is tamper evidence (hashing) and proof that a transaction
was authorised by the holder of a private key (digital signatures), not
encryption of the contents.

The blockchain is replicated across the nodes of the network and no
centralised ‘official copy’ exists. On public networks such as Bitcoin the
process of adding new blocks to the chain is performed by mining ‘nodes’. Mining
is essentially a record-keeping service: miners compete to collect pending
transactions, check that they are valid and package them into the next block,
and the other nodes accept that block only if it follows the protocol rules.

Who are the data controllers?

The GDPR continues to use the existing concepts of data
controllers (who determine the purposes for which and the manner in which any
personal data are to be processed) and data processors. In addition to
introducing penalties for data processors, it imposes even more stringent
obligations on the controller of personal data and increases the potential
penalties for non-compliance.

In a decentralised system where there is no individual
entity in control of the data, it is difficult to identify who the obligations
are placed upon and, even once the controller has been identified, enforcement
does not seem feasible. For example, in the case of Bitcoin, the miners who
verify transactions and build the blockchain may be deemed to be the data
controllers. Identifying each of these individuals (a recent study found that
there are likely to be over 100,000) and then taking action against them is
clearly not possible.

What laws apply to a data controller or data processor?

The GDPR seeks to extend the territorial reach of EU data
protection law. The Regulation will apply to EU-based controllers and
processors or entities processing an EU resident’s personal data in connection
with goods or services offered to them or tracking the behaviour of individuals
in the EU.

Applications of this technology are broad and in many cases
it is simply not possible to ascertain the identity or the location of the data
controller, data processor or even the data subject. In such a situation,
determining the appropriate choice of law may not be straightforward and
regulators may struggle to argue that they have the jurisdiction to take
enforcement action.

How does this fit in with the right to be forgotten?

The right to be forgotten is codified in the GDPR and provides
individuals with the right to request the deletion or removal of personal data
where there is no compelling reason for its continued processing.

A key feature of the majority of blockchains is their
immutability. Once a block has been verified and added to the chain, it cannot
be removed, edited or updated without invalidating every block that follows it,
and on a public network a rewrite would also require the nodes holding the other
copies to accept it. Whilst in many cases the personal data involved is
pseudonymised (individuals appear as addresses or public keys rather than names)
and, in some designs, encrypted, anything written to the chain in the clear
remains readable for as long as the chain exists, and it is easy to envisage a
situation in which an individual may want their data removed. With the majority
of public blockchain platforms, such a request could not be honoured.

The FCA has warned firms developing this type of technology
to beware of the incompatibility of immutability and the right to be forgotten.
Some solutions to this issue have been proposed, such as allowing administrators
to edit the blockchain where necessary; that is only practical on a private or
permissioned network where one party controls every copy of the chain. However,
immutability is one of the key security features of a blockchain, since an
editable chain gives up the tamper evidence that makes the record trustworthy in
the first place, and it remains to be seen how this challenge may be overcome.
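The hash linking described in ‘What is a blockchain?’ and the erasure problem it creates in this section can be seen in a few dozen lines. The following is an added example written for this article, not code from Bitcoin, Ethereum or any other platform; the block layout, the helper names (build_chain, verify_chain, edit_block, delete_block, rewrite_from, commit) and the sample patient records are all hypothetical and constructed for illustration. It builds a small chain, verifies it, then shows that editing or deleting a block is detected from the blocks that follow, that an ‘administrator’ rewrite is possible only by recomputing every later block (which changes the chain that every other copy holds), and that the payload is stored in the clear, whereas a salted commitment reveals nothing once the off-chain record is erased.

```python
"""Minimal hash-linked chain (added example; hypothetical helpers, not any
real platform's code). Shows block linking, tamper detection, the cost of a
rewrite, and that the payload itself is stored in the clear."""
import hashlib
import json
import secrets

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def data_hash(data: dict) -> str:
    # Canonical JSON so the same payload always hashes the same way.
    return sha256_hex(json.dumps(data, sort_keys=True).encode())


def block_hash(block: dict) -> str:
    # The header commits to the previous block's hash and to the payload hash.
    header = {k: block[k] for k in ("index", "timestamp", "prev_hash", "data_hash")}
    return sha256_hex(json.dumps(header, sort_keys=True).encode())


def make_block(index: int, prev_hash: str, data: dict, timestamp: int) -> dict:
    block = {"index": index, "timestamp": timestamp, "prev_hash": prev_hash,
             "data": data, "data_hash": data_hash(data)}
    block["hash"] = block_hash(block)
    return block


def build_chain(payloads: list, t0: int = 1_504_483_200) -> list:
    """Append each payload as a new block linked to its predecessor."""
    chain = [make_block(0, GENESIS_PREV, {"note": "genesis"}, t0)]
    for i, payload in enumerate(payloads, start=1):
        chain.append(make_block(i, chain[-1]["hash"], payload, t0 + 600 * i))
    return chain


def verify_chain(chain: list):
    """Walk the chain; return (True, None) or (False, position of first bad block)."""
    for pos, blk in enumerate(chain):
        if blk["index"] != pos or blk["data_hash"] != data_hash(blk["data"]):
            return False, pos
        if blk["hash"] != block_hash(blk):
            return False, pos
        expected_prev = GENESIS_PREV if pos == 0 else chain[pos - 1]["hash"]
        if blk["prev_hash"] != expected_prev:
            return False, pos
    return True, None


def edit_block(chain: list, pos: int, new_data: dict) -> list:
    """Copy of the chain in which one block's payload was silently changed."""
    forged = [dict(b) for b in chain]
    forged[pos] = dict(forged[pos], data=new_data)
    return forged


def delete_block(chain: list, pos: int) -> list:
    """Copy of the chain with one block removed (an erasure request)."""
    return [dict(b) for b in chain if b["index"] != pos]


def rewrite_from(chain: list, pos: int, new_data: dict) -> list:
    """What an 'administrator' controlling every copy would have to do: replace
    the block and recompute every later block, yielding a different chain."""
    new_chain = [dict(b) for b in chain[:pos]]
    prev = GENESIS_PREV if pos == 0 else new_chain[-1]["hash"]
    new_chain.append(make_block(pos, prev, new_data, chain[pos]["timestamp"]))
    for old in chain[pos + 1:]:
        new_chain.append(make_block(old["index"], new_chain[-1]["hash"],
                                    old["data"], old["timestamp"]))
    return new_chain


def commit(personal_data: dict):
    """Salted commitment: only the hash goes on chain; data and salt stay off
    chain. Once both are erased the on-chain value cannot be reversed or
    confirmed against a guessed record without the salt."""
    salt = secrets.token_hex(16)
    return salt, sha256_hex((salt + json.dumps(personal_data, sort_keys=True)).encode())


def check_commit(personal_data: dict, salt: str, commitment: str) -> bool:
    return sha256_hex((salt + json.dumps(personal_data, sort_keys=True)).encode()) == commitment


if __name__ == "__main__":
    # Constructed sample records; nothing here is real data.
    chain = build_chain([{"patient": "A. Person", "result": "positive"},
                         {"patient": "B. Person", "result": "negative"}])
    print("valid:", verify_chain(chain))                      # (True, None)
    print("payload readable by any node:", chain[1]["data"])  # stored in the clear
    print("edited:", verify_chain(edit_block(chain, 1, {"patient": "A. Person", "result": "negative"})))
    print("deleted:", verify_chain(delete_block(chain, 1)))
    rewritten = rewrite_from(chain, 1, {"redacted": True})
    print("rewrite valid but tip differs:", verify_chain(rewritten), rewritten[-1]["hash"] != chain[-1]["hash"])
```

Three things to note when running it: verify_chain reports the edited or deleted position (False, 1) because every later block’s prev_hash no longer matches, which is the tamper evidence the article describes; rewrite_from produces a chain that verifies, but its tip hash differs from the original, so every other node would have to discard its copy and adopt the new one, which is why the ‘administrator edits’ approach only works where one party holds all the copies; and chain[1]["data"] is plain JSON, so whatever personal data is written directly to the chain is exposed to every participant for as long as the chain exists, whereas a commitment from commit() can sit on chain permanently while the record it refers to is deleted off chain.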

Conclusion

The GDPR was designed on the assumption that custodians
of data would continue to be centralised entities. However, technologies such
as blockchain are facilitating a move towards a decentralised model of data
management. In spite of the dramatic changes taking place, regulators appear to
be taking a ‘wait and see’ approach before considering how best to address the challenges
of the future. Regulating the use of private blockchains (such as the global
payment network being developed by banks), where an identifiable operator
controls who may write to the chain, may be facilitated by legislation such as
the GDPR. However, the regulation of large public blockchains (such as Bitcoin
or Ethereum) may require a fundamental rethink as to how data is managed.

Andrew Solomon is a Senior Associate at Kingsley Napley LLP.

Tom Cox is a trainee solicitor at Kingsley Napley.