Executive summary

Author: Michèle Finck
Blockchain and the General Data Protection Regulation
In recent years, there has been ample discussion of blockchain technologies (or distributed ledger
technology, DLT)¹ and their potential for the European Union's digital single market. A recurring
argument has been that this class of technologies may, by its very nature, be unable to comply with
European data protection law, which in turn risks stifling its own development to the detriment of
the European digital single market project. The present study analyses the relationship between
blockchain and the GDPR, so as to highlight existing tensions and advance possible solutions. It
looks into developments up until March 2019.
1. Blockchain technology
In essence, a blockchain is a shared and synchronised digital database that is maintained by a
consensus algorithm and stored on multiple nodes (computers that store a local version of the
database). Blockchains are designed to achieve resilience through replication, meaning that there
are often many parties involved in the maintenance of these databases. Each node stores an integral
copy of the database and can independently update the database. In such systems, data is collected,
stored and processed in a decentralised manner. Furthermore, blockchains are append-only ledgers
to which data can be added but removed only in extraordinary circumstances.
It is important to note that blockchains are a class of technology. Indeed, there is not one version of
this technology. Rather, the term refers to many different forms of distributed database that present
much variation in their technical and governance arrangements and complexity. This also implies,
as will be amply stressed in the analysis below, that the compatibility between distributed ledgers
and the GDPR can only be assessed on the basis of a detailed case-by-case analysis that accounts for
the specific technical design and governance set-up of the relevant blockchain use case. As a result,
this study finds that it cannot be concluded in a generalised fashion that blockchains are either all
compatible or incompatible with European data protection law. Rather, each use of the technology
must be examined on its own merits to reach such a conclusion. That said, it is easier to design
private and permissioned blockchains in a manner that is compatible with EU data protection law
than public and permissionless networks. This is because participants in permissioned networks are
known to one another, allowing for the definition, for example, of contractual relationships that enable
an appropriate allocation of responsibility. Furthermore, these networks are, in contrast to public
and permissionless networks, designed in a way that enables control over the network, such as to
treat data in a compliant manner. Moreover, there is control over which actors have access to the
relevant personal data, which is not the case with public and unpermissioned blockchains.
2. The European Union's General Data Protection Regulation
The European Union's General Data Protection Regulation (GDPR) became binding in May 2018. It
is based on the 1995 Data Protection Directive. The GDPR's objective is essentially two-fold. On the
one hand, it seeks to facilitate the free movement of personal data between the EU's various
Member States. On the other hand, it establishes a framework of fundamental rights protection,
based on the right to data protection in Article 8 of the Charter of Fundamental Rights. The legal
framework creates a number of obligations resting on data controllers, which are the entities
determining the means and purposes of data processing. It also allocates a number of rights to data
subjects, the natural persons to whom personal data relates, that can be enforced vis-à-vis data

1 Various definitions of blockchain and distributed ledger technology exist, and some of these stress different technical
features of these respective forms of data management. Given the nature of this study and the lack of definitional
consensus the terms are used synonymously.
