Blockchain and GDPR: why so serious? has been saved
Blockchain and GDPR: why so serious?
Let’s start with the basics and unravel what the discussion is about.
We are (almost) certain that blockchain technology will bring world peace, solve climate change and make everyone’s whites whiter. But sign of the times - at one point in any discussion about innovation, technology and disruptors someone will bring up: what about the GDPR?
What is interesting in these tech vs. law discussions is that it seems that the participants do not speak the same language or even dwell in the same dimension. Lawyers, they seem so comfortable in the grey area – considering all circumstances of the case, weighing factors, debating them. Tech-savvies - not so much. Shades of grey do not appeal to them, they prefer the world of zeros and ones. It either works, or it does not.
We have declared it to be our mission to try and bring these parties closer together, moving from the grey to the black and white and then maybe to the zero, or the one. Let’s start with the basics: how does the GDPR come into play in relation to blockchain?
2. MEET THE BLOCKCHAIN
It seems very unlikely that you’ve missed every conversation or news article about blockchain and the hype surrounding it. The discussion about blockchain has shifted from “Will blockchain work?”, to “How can we make blockchain work for us”. Blockchain has not reached its full potential yet and new use cases are still being developed. As lawyers we do not pretend to understand how blockchain works exactly (we have much smarter colleagues who do). What we (and you) do need to understand is the following.
Blockchain allows for participants to connect and exchange value in an immediate and efficient way. Transactions are digitally signed using public key cryptography and gathered in blocks by validator nodes, or miners, who (through competitive computation) add new blocks to the chain. Dependent on the type of blockchain (yes, there are many different variations), it is possible to add a (small) amount of data to a transaction. This small amount of data can for example be a hash value (digital fingerprint) of a much larger piece of data. An entire block of transactions is hashed and cryptographically linked to the previous blocks. The chain of blocks is immutable, so once this data is added to a transaction that was included in a block and added to the chain, it cannot be removed.
3. MEET THE GDPR
The GDPR only applies to personal data. Personal data is broadly defined: it entails personal data when a data subject can directly or indirectly be identified. So what information in a blockchain could potentially qualify as personal data?
Transactional data is a collective term for any data saved to the blockchain. Whether or not transactional data qualifies as personal data strongly depends on the user, the type of blockchain, and the type of data that is included in a specific transaction and sent to the blockchain.
The public key is a pseudonymized (encrypted and/or hashed) letter/number-combination that allows for “pseudonymous identification”. A public key does not directly identify the user, but effectively functions as the user’s “account number” and is used for communication or transactional purposes (e.g. the public key can be used by the network to verify the digital signature). Since it is unique to the user and because it can often be connected to natural persons with additional information, it should be considered personal data. This is in line with the European Court of Justice decision in Patrick Breyer v Germany, ruling that classified dynamic IP-addresses qualify as personal data.
Considering the public key, it is safe to say that if the user of a public key is a natural person, it would be complicated to maintain “privacy” in an open and permissionless blockchain. Recalling that each participating device is identified by its public key and all the transactions are open; any party interested could start identifying patterns and create connections between addresses. It could construct informed inferences about the persons behind the public keys. A suggestion in the Bitcoin white paper to protect privacy in this respect, is to use a new key pair for each transaction to keep them from being linked to a natural person. It can be questioned however, whether this can be considered as anonymisation or merely as a security measure.
Considering the transactional data, the answer is less straightforward. And considering the different use cases for which blockchain technology is being explored and the variety of the information that can be included in a blockchain transaction – it is worth to zoom in on the transactional data.
4. NEXT UP
In the upcoming blogs we will address the obvious questions, the challenges and the balancing act of some apparently conflicting characteristics relating to blockchain and the GDPR. First topic in line is the hash value. The use of hashing algorithms and hash values is omnipresent in blockchain technology but should a hash be considered personal data or not?
Do you want to know more on Blockchain and the GDPR in practice? Please contact Marloes (+31 (0) 6 20057902), Charlotte (+31 (0) 6 20123968) or Diderik (+31 (0) 6 83639361).