Policy options

• Author: Michèle Finck
• Pages: 96-100

STOA| Panel for the Future of Science and Technology

96

12.Policy options

This studyhas examined the relationship between blockchain technologies and European data

protection law. It has been seen, firstly, that there is a significant tension between the very nature of

blockchain technologies and the overall structure of the GDPR. Whether specific blockchain use

cases are compliant with the supranational legal framework can, however, not be examined in a

generalisedfashion but rather ought to be determined on the basis of a case-by-case analysis.

Secondly, the studyhas also highlighted that in specific cases, this class of distrib uted technologies

may offer distinct advantages that can be helpful to achieve some of the GDPR's objectives. It is on

the basis of the preceding analysis that this section develops concrete policy optionsthat could be

adopted to ensure that these distributed technologies develop in a manner that is aligned with the

legal framework's objectives.

12.1.Regulatory guidance

The key point highlighted in the first and main part of the present studyis that there is currently a

lack of legal certainty as to how various elements of European data protection law ought to be

applied to blockchains. This uncertainty is anchoredin two overarching factors. First, it has been seen

that oftentimes, the very technical structure of blockchain technology as well as its governance

arrangements stand in contrast with legal requirements. Second, it has also been observed that

trying to map the Regulation to blockchain technologies reveals broader uncertainties regarding

the interpretation and application of this legal framework. The GDPR is indeed legislation that is

based on broad general principles. This bears flexibil ity and adaptability advantages in an age of fast

technological change, yet also has downsides, such as that it can be difficult determine with

certainty how a specific provision ought to be applied in a specific context.

Indeed, one year after the GDPR became binding and although the legal regime is largely based on

the previous 1995 Data Protection Directive, it is evident that many pivotal concepts remain unclear.

Many instances of that phenomenon have been highlighted above. For example, it is currently

unclear where the dividing line between anonymous data and personal data due to conflicting

statements to this effect in the Regulation and the A rticle 29 Working Party's interpretation thereof.

Moreover, whereas the GDPR recognises a right to 'erasure' that data subjects are free to exercise in

some circumstances, there is no indication regarding what 'erasure' actually requires. As such, it is

unclear whether erasure in the common-sense understanding of the word is required or whether

alternative technical approaches with a similar outcome may be sufficient. These are important

questions as erasure in the common-sense understanding of the word is difficult to achieve on DLT

whereas alternative technical approaches have been envisaged. Oftentimes, the interpretation of

core GDPR concepts is burdened by a lack of harmonious interpretations between the various

supervisory authorities in the European Union.

Furthermore, there is currently – in the blockchain context and beyond – an on-going debate

regarding the allocation of responsibility for GDPR compliance. The Regulation considers that the

data controller is the entity determining the purposes and the means of personal data processing.

Yet, in practice only the purposes are taken into account to make that determination. This has led

to an expanding number of actors that may be qualified as data controllers – particularly joint-

controllers, as is also obvious from recent case law of the CJEU. In addition, there is a lack of legal

certainty as to what consequences flow from a finding of controllership, precisely whether the (joint-

) controller ought to comply with all GDPR requi rements, only those assigned to it in an agreement

with other joint-controllers, or only those that are effectively within its responsibilities, powers and

capabilities. It is hoped that future case law, especially the upcoming judgment in FashionID, will

clarify at least some of these questions, which are important for blockchains but also beyond.