STOA | Panel for the Future of Science and Technology
12. Policy options
This study has examined the relationship between blockchain technologies and European data
protection law. It has been seen, firstly, that there is a significant tension between the very nature of
blockchain technologies and the overall structure of the GDPR. Whether specific blockchain use
cases are compliant with the supranational legal framework can, however, not be examined in a
generalised fashion but rather ought to be determined on the basis of a case-by-case analysis.
Secondly, the study has also highlighted that in specific cases, this class of distrib uted technologies
may offer distinct advantages that can be helpful to achieve some of the GDPR's objectives. It is on
the basis of the preceding analysis that this section develops concrete policy options that could be
adopted to ensure that these distributed technologies develop in a manner that is aligned with the
legal framework's objectives.
12.1. Regulatory guidance
The key point highlighted in the first and main part of the present study is that there is currently a
lack of legal certainty as to how various elements of European data protection law ought to be
applied to blockchains. This uncertainty is anchoredin two overarching factors. First, it has been seen
that oftentimes, the very technical structure of blockchain technology as well as its governance
arrangements stand in contrast with legal requirements. Second, it has also been observed that
trying to map the Regulation to blockchain technologies reveals broader uncertainties regarding
the interpretation and application of this legal framework. The GDPR is indeed legislation that is
based on broad general principles. This bears flexibil ity and adaptability advantages in an age of fast
technological change, yet also has downsides, such as that it can be difficult determine with
certainty how a specific provision ought to be applied in a specific context.
Indeed, one year after the GDPR became binding and although the legal regime is largely based on
Many instances of that phenomenon have been highlighted above. For example, it is currently
unclear where the dividing line between anonymous data and personal data due to conflicting
statements to this effect in the Regulation and the A rticle 29 Working Party's interpretation thereof.
Moreover, whereas the GDPR recognises a right to 'erasure' that data subjects are free to exercise in
some circumstances, there is no indication regarding what 'erasure' actually requires. As such, it is
unclear whether erasure in the common-sense understanding of the word is required or whether
alternative technical approaches with a similar outcome may be sufficient. These are important
questions as erasure in the common-sense understanding of the word is difficult to achieve on DLT
whereas alternative technical approaches have been envisaged. Oftentimes, the interpretation of
core GDPR concepts is burdened by a lack of harmonious interpretations between the various
supervisory authorities in the European Union.
Furthermore, there is currently – in the blockchain context and beyond – an on-going debate
regarding the allocation of responsibility for GDPR compliance. The Regulation considers that the
data controller is the entity determining the purposes and the means of personal data processing.
Yet, in practice only the purposes are taken into account to make that determination. This has led
to an expanding number of actors that may be qualified as data controllers – particularly joint-
controllers, as is also obvious from recent case law of the CJEU. In addition, there is a lack of legal
certainty as to what consequences flow from a finding of controllership, precisely whether the (joint-
) controller ought to comply with all GDPR requi rements, only those assigned to it in an agreement
with other joint-controllers, or only those that are effectively within its responsibilities, powers and
capabilities. It is hoped that future case law, especially the upcoming judgment in FashionID, will
clarify at least some of these questions, which are important for blockchains but also beyond.