Conclusion

• Author: Michèle Finck
• Pages: 101-102

Blockchain and the General Data Protection Regulation

101

13. Conclusion

This study has discussed the application of the European Union's EU General Data Protection

Regulation to blockchain technologies. It has been observed that many points of tension between

blockchains and the GDPR can be identified. Broadly, it can be maintained that these are due to two

overarching factors. First, the GDPR is based on the underlying assumption that in relation to each

personal data point there is at least one natural or legal person – the data controller – that data

subjects can address to enforce their rights under EU data protection law. Blockchains, however,

often seek to achieve decentralisation in replacing a unitary actor with many different players. This

makes the allocation of responsibility and accountability burdensome, particularly in light of the

uncertain contours of the notion of (joint)-controllership under the Regulation. A further

complicating factor in this respect is that in light of recent developments in the case law, defining

which entities qualify as (joint-) controllers can be fraught with uncertainty. Second, the GDPR is

based on the assumption that data can be modified or erased where necessary to comply with legal

requirements such as Articles 16 and 17 GDPR. Blockchains, however, render such modifications of

data purposefully onerous in order to ensure data integrity and increase trust in the network.

Determining whether distributed ledger technology may nonetheless be able to comply with Article

17 GDPR is burdened by the uncertain definition of 'erasure' in Article 17 GDPR.

The study has concluded that it can be easier for private and permissioned blockchains to comply

with these legal requirements as opposed to private and permissionless blockchains. It has,

however, also been stressed that the compatibility of these instruments with the Regulation can

only ever be assessed on a case-by-case basis. Indeed, blockchains are in reality a class of

technologies with disparate technical features and governance arrangements. This implies that it is

not possible to assess the compatibility between 'the blockchain' and EU data protection law.

Rather, this study has attempted to map vari ous areas of the GDPR to the features generally shared

by this class of technologies, and to draw attention to how nuances in blockchains' configuration

may affect their ability to comply with related legal requirements. Indeed, the key takeaway from

this study should be that it is impossible to state that blockchains are, as a whole, either completel y

compliant or incompliant with the GDPR. Rather, while numerous important points of tension have

been highlighted and ultimately each concrete use case needs to be examined on the basis of a

detailed case-by-case analysis.

The second key element highlighted in this study is that whereas there certainly is a certain tension

between many key features of blockchain technologies setup and some elements of European data

protection law, many of the related uncertainties should not only be traced back to the specific

features of DLT. Rather, examining this technology through the lens of the GDPR also highlights

significant conceptual uncertainties in relation to the Regulation that are of a relevance that

significantly exceeds the specific blockchain context. Indeed, the analysis has highlighted that the

lack of legal certainty pertaining to numerous concepts of the GDPR makes it hard to determine how

the latter should apply to this technology, but also others. This is, for instance, the case regarding

the concept of anonymous data, the definition of the data controller, and the meaning of 'erasure'

under Article 17 GDPR. A further clarification of these concepts would be important to create more

legal certainty for those wishing to use DLT, but also beyond and thus also to strengthen the

European data economy through increased legal certainty.

The study has, however, also highlighted that blockchains can offer benefits from a data protection

perspective. Importantly, this is by no means automatically the case. Rather, blockchains need to be

purposefully designed in order for this to realize. Where this is the case, they may offer new forms

of data management that provides benefits to the data-driven economy and enable data subjects

to have more control over personal data that relates to them.