The question of whether the use of distributed ledgers are capable of being compatible with the GDPR is far from clear-cut, which will need to be determined on an individual basis, depending on the technical design and governance of the network. Public and permissionless blockchains provide:
- no requirements for participants to reveal their identity, meaning participants are able to contract on an entirely anonymous basis
- no restrictions as to who can access personal data, meaning personal data on these networks can be freely accessed by all participants
- a comprehensive and verified record of a transaction/ relationship which does not facilitate the easy deletion of data
These features make unrestricted blockchain networks incompatible with the GDPR, which works firstly on the fundamental assumption that there will always be at least one legal person, a controller, who is clearly responsible and accountable for ensuring personal data is used in a way that is fair and secondly provides data subjects with a far-reaching range of rights, including the rights of rectification and deletion of their personal data, which may not always be possible where distributed and centralised ledger technologies are used. We therefore expect to see the rise of new regulation to address these tensions and ensure that businesses are able to embrace these new technologies, while having a clear framework to operate within.
