The General Data Protection Regulation (GDPR) was signed on April 27, 2016 and will enter into force on May 25 of this year.
Unlike the data protection directive of October 24, 1995, which it repeals, the GDPR is a European regulation: it applies directly in all member states of the European Union without each state having to adopt a transposition law. This undoubtedly allows data protection legislation to be harmonized at the European level.
A notable feature of the regulation is the severity of its penalties for breach. Companies that do not comply may be fined by the data protection authorities up to 20 million euros or 4% of the company’s global turnover, whichever is higher.
The main purpose of the text is to enforce the rights of people whose data are processed, to secure the organisations that carry out data processing and to establish effective regulation.
The question that arises here is whether, and how, these goals can be achieved when a blockchain is used.
A blockchain is usually defined as a decentralized data registry. Users share data over a dedicated network, which allows them to perform operations of various kinds, including making money payments.
It is therefore quite conceivable that a great deal of personal data circulates through a blockchain. The GDPR defines personal data as « any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly » (Article 4).
The issue stems precisely from the decentralized character of the blockchain, which will probably be difficult to reconcile with the provisions of the GDPR. Note that only open (public) blockchains concern us here, since private blockchains have the particularity of being run by a controlling authority.
The most obvious issue is the obligation to designate a controller. According to the regulation, the controller is « the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data » (Article 4).
The controller « shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation » (Article 24).
But who is supposed to be the controller in a blockchain? One solution could be to designate the miners as joint controllers. Indeed, Article 26 of the GDPR states that « where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers ».
Nevertheless, it is very unlikely that this hypothesis will be retained, since miners are not, in principle, aware of the content that passes through their machines. Their role is thus purely technical, which seems to rule out their being considered controllers.
Moreover, the blockchain could make it difficult for data subjects to exercise their rights. How can one claim, for instance, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 or the right to data portability under Article 20, when there is no authority to ensure that these rights are enforced?
Furthermore, in Articles 44 to 50, the regulation imposes a whole series of rules on the transfer of data. For example, « a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection » (Article 45). But how can compliance with these principles be ensured when the very essence of the blockchain is decentralization?
Finally, it seems difficult to foresee a solution that would make it possible to apply the GDPR to the blockchain, which was originally conceived precisely to replace any form of control by a governmental authority.