Blockchain and the General Data Protection Regulation
10. Personal data transfers to third countries
Chapter V of the GDPR limits the circumstances under which personal data can be transferred
from the European Union to third countries. It clarifies that personal data can only be transferred
to third countries where these (i) benefit from adequacy decisions, (ii) appropriate safeguards are
offered, or (iii) on the basis of a derogation.537 The examination of these provisions in relation to
blockchain technology is important as the multiple nodes on which the ledger is kept can be located
in various jurisdictions, both inside and outside the European Union. Whereas the location of the
nodes can be controlled in a permissioned network, this is impossible in a permissionless system as
anyone may access the network without the need for prior authorisation by a central gatekeeper.
Pursuant to Article 45 G DPR, transfers of personal data to third countries are possible on the basis
of an adequacy decision. Where the European Commission has decided that a third country,
territory538 or specific sector in a third country (or an international organisation) ensure an adequate
level of protection, such data transfers do not require any specific authorisation.539 The European
Commission has the ability to issue adequacy decisions taking into account factors such as the
respect for the rule of law, human rights and fundamental freedoms as well as relevant legislation
and practices540, whether there is an independent supervisory authority that ensures and enforces
compliance with data protection rights541 and the relevant third country or international
organisation's international commitments regarding data protection.542 If the Commission reaches
the conclusion that that jurisdiction provides an adequate level of protection, it can issue an
implementing act that recognises this (the adequacy decision) which provides for periodic review
(at least every four years).543
Adequacy is defined as a level of protection that is 'essentially equivalent to that ensured
within the Union'.544 This has been interpreted by the Article 29 Working Party as requiring that
these foreign rules comply with a 'core' of GDPR principles, the Charter of Fundamental Rights as
well as relevant international instruments (including the Council of Europe's Convention 108).545
Where an adequacy decision with a third country exists, personal data can thus flow freely between
these jurisdictions, notwithstanding whether blockchains or another personal data processing
technology are used.
Where personal data is transferred to a jurisdiction that does not benefit from an adequacy decision,
a controller or processor may only transfer personal data to a third country where it is able to provide
appropriate safeguards. Under Article 46 GDPR, transfers to third countries are possible where
the controller or processor 'has provided appropriate safeguards, and on condition that enforceable
data subject rights and effective legal remedies for data subjects are available'.546 Such safeguards
do not require a specific authorisation from a supervisory authority and may include (i) legally
binding and enforceable instruments between public authorities or bodies, (ii) binding corporate
537 Note that there is a hierarchy between these different grounds. Essential equivalence can only be used where there is
no adequacy and derogations can only be used where there is no adequacy decision nor essential safeguards.
538 Territories include the Overseas Countries and Territories that have a special relationship with specific Member States
but to which EU law does not apply such as Greenland or French Polynesia and the Netherlands Antilles, among others.
539 Article 45 (1) GDPR. See als o Recital 103 GDPR.
540 Article 45(2)(a) GDPR.
541 Article 45(2)(b) GDPR.
542 Article 45(2)(c) GDPR.
543 Article 45(3) GDPR.
544 Recital 104 GDPR.
545 WP29 2017: Article 29 Working Party, ‘Adequacy Referential (updated)’ (WP 254, 28 November 2017) 3.
546 Article 46 (1) GDPR.