AuthorMichèle Finck
Blockchain and the General Data Protection Regulation
13. Conclusion
This study has discussed the application of the European Union's EU General Data Protection
Regulation to blockchain technologies. It has been observed that many points of tension between
blockchains and the GDPR can be identified. Broadly, it can be maintained that these are due to two
overarching factors. First, the GDPR is based on the underlying assumption that in relation to each
personal data point there is at least one natural or legal person the data controller that data
subjects can address to enforce their rights under EU data protection law. Blockchains, however,
often seek to achieve decentralisation in replacing a unitary actor with many different players. This
makes the allocation of responsibility and accountability burdensome, particularly in light of the
uncertain contours of the notion of (joint)-controllership under the Regulation. A further
complicating factor in this respect is that in light of recent developments in the case law, defining
which entities qualify as (joint-) controllers can be fraught with uncertainty. Second, the GDPR is
based on the assumption that data can be modified or erased where necessary to comply with legal
requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of
data purposefully onerous in order to ensure data integrity and increase trust in the network.
Determining whether distributed ledger technology may nonetheless be able to comply with Article
17 GDPR is burdened by the uncertain definition of 'erasure' in Article 17 GDPR.
The study has concluded that it can be easier for private and permissioned blockchains to comply
with these legal requirements as opposed to private and permissionless blockchains. It has,
however, also been stressed that the compatibility of these instruments with the Regulation can
only ever be assessed on a case-by-case basis. Indeed, blockchains are in reality a class of
technologies with disparate technical features and governance arrangements. This implies that it is
not possible to assess the compatibility between 'the blockchain' and EU data protection law.
Rather, this study has attempted to map vari ous areas of the GDPR to the features generally shared
by this class of technologies, and to draw attention to how nuances in blockchains' configuration
may affect their ability to comply with related legal requirements. Indeed, the key takeaway from
this study should be that it is impossible to state that blockchains are, as a whole, either completel y
compliant or incompliant with the GDPR. Rather, while numerous important points of tension have
been highlighted and ultimately each concrete use case needs to be examined on the basis of a
detailed case-by-case analysis.
The second key element highlighted in this study is that whereas there certainly is a certain tension
between many key features of blockchain technologies setup and some elements of European data
protection law, many of the related uncertainties should not only be traced back to the specific
features of DLT. Rather, examining this technology through the lens of the GDPR also highlights
significant conceptual uncertainties in relation to the Regulation that are of a relevance that
significantly exceeds the specific blockchain context. Indeed, the analysis has highlighted that the
lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard to determine how
the latter should apply to this technology, but also others. This is, for instance, the case regarding
the concept of anonymous data, the definition of the data controller, and the meaning of 'erasure'
under Article 17 GDPR. A further clarification of these concepts would be important to create more
legal certainty for those wishing to use DLT, but also beyond and thus also to strengthen the
European data economy through increased legal certainty.
The study has, however, also highlighted that blockchains can offer benefits from a data protection
perspective. Importantly, this is by no means automatically the case. Rather, blockchains need to be
purposefully designed in order for this to realize. Where this is the case, they may offer new forms
of data management that provides benefits to the data-driven economy and enable data subjects
to have more control over personal data that relates to them.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT