On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law. The study also explores how blockchain technology can be used as a tool to assist with GDPR compliance. Finally, it recommends the adoption of certain policies to address the tension between blockchain and the GDPR, to ensure that “innovation is not stifled and remains responsible”. This blog post highlights some of the key findings in the study and provides a summary of the recommended policy options.
The EU Parliament study provides a detailed assessment of GDPR compliance issues created when using blockchain technology. It highlights key issues that have already been explored by many academics and practitioners, such as difficulties with aligning the decentralised nature of blockchain with the competing concepts under the GDPR, and the difficulties blockchain pose when addressing data subjects rights and data minimisation mandates due to the immutable nature of the blockchain network. For more information on these challenges, please see our previous blog post on this topic.
The study stresses that while it explores the tension between certain blockchain features and the GDPR, “it is impossible to state that blockchains are, as a whole, either completely compliant or incompliant with the GDPR”. Instead, compliance with the GDPR will depend on the particular blockchain use case, and as such it requires a “case-by-case assessment”. The study’s authors recognise that blockchain networks that are private and permissioned (i.e., only authorised individuals may access and view the network) will raise fewer GDPR compliance issues, as opposed to blockchain networks that are public and permissionless (i.e., anyone can access and view the network).
Most interestingly, the study provides a number of policy options for the European Parliament to consider going forward. Importantly, the study does not support the position that the GDPR needs updating to better adapt to new technologies, such as blockchain. The study recognises that the GDPR, as intended, is “technology neutral”, and considers that other options should be explored to align the existing principles under the GDPR with these new technologies. The study proposes the following options in particular:
- Regulatory guidance. The study highlights that many of the difficulties with aligning blockchain and the GDPR are due to broader legal uncertainties with respect to certain concepts under the GDPR, such as the meaning of “anonymisation” and “erasure”. To address this, the study recommends regulatory guidance from the European Data Protection Board (the “EDPB”), in order to ensure a harmonised approach across Europe (note that the CNIL, the French data protection authority, is the only regulator in Europe to date to publish specific guidance on this topic, please see our previous blog post here for more information). The study recommends two forms of regulatory guidance: (i) specific guidance from the EDPB on blockchain and compliance with the GDPR; and (ii) the EDPB updating existing Article 29 Working Party guidance that already addresses areas of uncertainty, such as anonymisation methodologies. The study also provides a list of specific questions that the regulatory guidance should look to address, such as questions on anonymisation, allocating GDPR responsibilities to the blockchain participants, and whether the use of blockchain technology triggers the need for a data protection impact assessment, among others.
- Codes of conduct and certification mechanisms. The study also recommends the adoption of codes of conduct and certification mechanisms for blockchain technology, as envisaged under the GDPR. Codes of conduct and certification mechanisms, agreed between regulators and the private sector, is one means to ensure that a technology is GDPR “complaint-by-design”. The study refers to the EU Cloud Code of Conduct as an example of such a collaborative, Code-based approach.
- Research funding. The study notes that “regulatory guidance, certification mechanisms and codes of conduct arguably will not go far enough” as compliance issues are also raised by technical limitations (for example, deleting information held on the blockchain). Therefore, the study recommends funding for interdisciplinary research that explores solutions to technical limitations, as well as developing governance mechanisms.
The EDPB recently published its Work Program 2019/2020, in which it notes that blockchain may be one of the topics that the body addresses, and as such we may see specific guidance from the EDPB on blockchain in the near future. We will continue to monitor key developments in relation to the GDPR and blockchain, and will provide further updates.
We also note that the authors of this blog post have contributed a chapter on privacy and blockchain in “Fintech Law and Regulation”, edited by Jelena Madir, Chief Counsel of the European Bank of Reconstruction and Development. The book will be published in September 2019, and is available to pre-order now.