Introduction

• Author: Michèle Finck
• Pages: 1-7

Blockchain and the General Data Protection Regulation

1

1. Introduction

Blockchain technologies are a much-discussed instrument that, according to some, promises to

inaugurate a new era of data storage and code-execution, which could in turn stimulate new

business models and markets. The precise impact of the technology is, of course, hard to anticipate

with certainty, and many remain deeply sceptical of blockchains' eventual impact. In recent times,

many have voiced concerns that existing regulatory paradigms risk stifling the technology's future

development and accordingly stand in the way of transforming the European Union into a global

leader in blockchain technology and related developments at a time where there are already

broader concerns regarding the EU's ability to keep up with the data-driven economy.

In particular the EU General Data Protection Regulation ('GDPR') is a much-discussed topic in this

regard. Indeed, many points of tension between blockchain technologies and the GDPR can be

identified. Broadly, it can be maintained that these are due to two overarching factors. First, the

GDPR is based on the underlying assumption that in relation to each personal data point there is at

least one natural or legal person – the data controller – that data subjects can address to enforce

their rights under EU data protection law. Blockchains, however, often seek to achieve

decentralisation in replacing a unitary actor with many different players. This makes the allocation

of responsibility and accountability burdensome, particularly in light of the uncertain contours of

the notion of (joint)-controllership under the Regulation. A further complicating factor in this

respect is that in light of recent developments in the case law, defining which entities qualify as

(joint-) controllers can be fraught with uncertainty. Second, the GDPR is based on the assumption

that data can be modified or erased where necessary to comply with legal requirements such as

Articles 16 and 17 GDPR. Blockchains, however, render such modifications of data purposefully

onerous in order to ensure data integrity and increase trust in the network. Determining whether

distributed ledger technology may nonetheless be able to comply with Article 17 GDPR is burdened

by the uncertain definition of 'erasure' in Article 17 GDPR as will be seen in further detail below.

These factors have triggered a debate about whether the GDPR stands in the way of an innovative

EU-based blockchain ecosystem. Indeed, some have argued that in order to facilitate innovation and

to strengthen the Digital Single Market, a revision of the GDPR may be in order, or that blockchains

should benefit from an altogether exemption of the EU data protection framework. Others have

stressed the primacy of the legal framework and stated that if blockchains are unable to comply with

EU data protection law then this means that they are probably an undesirable innovation

considering their inability to comply with established public policy objectives.2

These debates have not gone unnoticed to the European Parliament. A recent European Parliament

report by the Committee on International Trade highlighted the 'challenge posed by the

relationship between blockchain and the implementation of the GDPR'.3 A 2018 European

Parliament resolution underlined that blockchain-based applications must be compatible with the

GDPR, and that the Commission and European Data Protection Supervisor should provide further

clarification on this matter.4 Recently, the European Data Protection Board ('EDPB') indicated that

blockchain may be one of the topics that it may examine in the context of its 2019/2020 work

2 Meyer D (27 February 2018), Blockchain technology is on a collision course with EU privacy law

<https://iapp.org/news/a/blockchain-technology-is-on-a-collision-course-with-eu-privacy-law/>.

3 European Parliament Report on Blockchain: a Forward-Looking Trade Poli cy (AB-0407/2018) (27 November 2018), para

14, http://www.europarl.europa.eu/doceo/document/A-8-2018-0407_EN.html .

4 Proposition de Résolution déposée à la suite de la question avec demande de réponse orale B8-0405/2018 (24 September

2018), para 33, http://www.europarl.europa.eu/doceo/document/B-8-2018-0397_FR.html