Why Blockchain And The GDPR Collide Over Your Personal Data

If you haven’t heard about blockchain technology by now, you probably have not been paying attention. Promising to transform everything from currencies to supply-chain management, blockchain (also referred to as distributed ledger technology, or DLT) provides an independent, distributed, tamper-evident mechanism for recording and processing huge numbers of records in a traceable and verifiable way. Those records, however, can contain many kinds of data, including personally identifiable information (referred to broadly in this article as “personal data”). In the march to deploy this technology, questions need to be asked about personal data that may be written to the blockchain and about how the technology will comply with current U.S. and international data privacy laws. Needless to say, the answers are elusive, and more difficult to address than you may think.

I have written about this technology previously (see here, here, and here), and remain convinced that it will be an effective technology, albeit a legally challenging one.  Most people understand the blockchain in the context of cryptocurrency (like Bitcoin), but the technology can operate to power private, permissioned blockchain applications as well.   It seems that technology evolves faster than the law can catch up, and blockchain is no exception in this regard.  When it comes to data privacy law and your personal data, the technology represents the proverbial round peg that does not fit squarely within the four corners of the law (yet).

On its face, blockchain technology seems a great fit for the privacy of personal data, but it is worth being precise about what it actually does. First, blockchain technology uses public-key cryptography, but mainly for authorization rather than confidentiality: a participant signs a transaction with a private key, and the network verifies that signature against the matching public key. The signature proves who authorized a record; it does not hide the record’s contents. On most public chains the data in a block is stored in the clear, so if personal data is to be kept confidential it must be encrypted separately by the application, and anyone who obtains the decryption key can read it. What makes the blockchain powerful as a tamper-evident ledger is its use of hashes: one-way functions that take input of any length and produce a fixed-length output that acts as a sort of digital fingerprint. Without getting too detailed, each block’s contents are hashed, and every subsequent block incorporates the previous block’s hash, so the whole chain can be verified as each new block is added. Any change to the data in a block changes that block’s hash, which no longer matches the hash recorded in the next block, and so on down the chain; rewriting one record means recomputing every block after it. When it comes to integrity, these characteristics are a big plus. When it comes to other characteristics of the blockchain, not so much.

For one, blockchain records are immutable: once a record is added, it is designed to remain unchanged. This is at odds with requirements of the General Data Protection Regulation (GDPR) in the EU. The GDPR gives a “data subject” the right to have personal data corrected (Article 16) or erased (Article 17, often referred to as the “right to be forgotten”) on request. Further, California’s recently enacted California Consumer Privacy Act (CCPA) seems to have taken a cue from the GDPR by giving “consumers” the right to have their “personal information” deleted under Cal. Civil Code § 1798.105. Blockchain applications that seek to incorporate personal data within the blockchain will need to address this conundrum, such as by “forking” to a new chain (not really a viable long-term solution, IMHO), using mutable “side chains” (which deflates one of the powerful features of blockchain), or otherwise keeping the personal data off the blockchain and recording only a reference to it on-chain (which, some would argue, starts defeating the purpose of using a blockchain in the first place).
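The two technical points above (why a hash chain detects any edit, and what the off-chain approach to personal data actually looks like) are easier to see in code. The following is an added illustration written for this article, not code from any blockchain project: a minimal hash chain in Python, plus a hypothetical off-chain store that keeps personal data alongside a random salt and writes only the salted hash (a “commitment”) to the chain. The names `Chain`, `OffChainStore`, `commit`, and `erase`, and the sample data subject, are all assumptions made up for the example.

```python
import hashlib
import json
import os
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    payload: dict
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so identical content always produces the same hash.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        ).encode()
        return sha256_hex(body)


class Chain:
    """Minimal hash chain: every block commits to the hash of the block before it."""

    def __init__(self) -> None:
        genesis = Block(0, "0" * 64, {"genesis": True})
        genesis.hash = genesis.compute_hash()
        self.blocks = [genesis]

    def append(self, payload: dict) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1, prev.hash, payload)
        block.hash = block.compute_hash()
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False  # block content no longer matches its recorded hash
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False  # link to the predecessor is broken
        return True


class OffChainStore:
    """Hypothetical store: personal data lives here; the chain holds only a salted hash."""

    def __init__(self) -> None:
        self._records = {}  # commitment -> (salt, personal data)

    @staticmethod
    def _commitment(salt: bytes, personal: dict) -> str:
        return sha256_hex(salt + json.dumps(personal, sort_keys=True).encode())

    def commit(self, personal: dict) -> str:
        salt = os.urandom(16)  # random salt: an unsalted hash of an e-mail address is guessable
        ref = self._commitment(salt, personal)
        self._records[ref] = (salt, personal)
        return ref

    def lookup(self, ref: str):
        entry = self._records.get(ref)
        return entry[1] if entry else None

    def verify(self, ref: str, personal: dict) -> bool:
        entry = self._records.get(ref)
        return entry is not None and self._commitment(entry[0], personal) == ref

    def erase(self, ref: str) -> None:
        # Erasure request: drop the record *and* its salt. The hash stays on-chain,
        # but without the salt it can no longer be recomputed from, or tied to, anyone.
        self._records.pop(ref, None)


def demo() -> dict:
    chain, store = Chain(), OffChainStore()
    subject = {"name": "Jane Doe", "email": "jane@example.com"}  # constructed sample data
    ref = store.commit(subject)
    chain.append({"event": "account_created", "subject_ref": ref})
    chain.append({"event": "consent_given", "subject_ref": ref})
    valid_before = chain.verify()

    # Someone edits an old block: its recorded hash no longer matches.
    chain.blocks[1].payload["event"] = "account_deleted"
    valid_after_tamper = chain.verify()
    # Recomputing that block's hash does not help: the next block's prev_hash now mismatches.
    chain.blocks[1].hash = chain.blocks[1].compute_hash()
    valid_after_rehash = chain.verify()
    # Restore the original content and the original hash comes back.
    chain.blocks[1].payload["event"] = "account_created"
    chain.blocks[1].hash = chain.blocks[1].compute_hash()

    store.erase(ref)  # the personal data is gone; the chain itself is untouched
    return {
        "valid_before": valid_before,
        "valid_after_tamper": valid_after_tamper,
        "valid_after_rehash": valid_after_rehash,
        "valid_after_erasure": chain.verify(),
        "lookup_after_erasure": store.lookup(ref),
    }
```

Two caveats a practitioner would add. The salt matters: a bare hash of a name or e-mail address can be confirmed by anyone who guesses the input, so an unsalted on-chain hash is not much of a privacy measure at all. And whether a salted hash whose salt has been destroyed counts as anonymised (outside the GDPR) or merely pseudonymised (still personal data) is exactly the kind of question this article says regulators have yet to answer; EU guidance has generally treated hashing as pseudonymisation, so the off-chain pattern reduces the problem rather than eliminating it.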

Further, the blockchain is highly distributed by design, creating some interesting jurisdictional issues. Whether public or private, a blockchain is made up of many, many different nodes. Does each node need to be GDPR-compliant? If so, who is responsible for ensuring each node is GDPR-compliant? In the event of a personal data breach, what is the appropriate jurisdiction and applicable law? Just to make things more complicated, how will EU regulators view (and answer) such issues? These are compelling questions with elusive answers, but answers will be required. The penalties for non-compliance with the GDPR are up to €20 million or 4 percent of total worldwide annual turnover, whichever is greater (and yes, you read that correctly).

Notwithstanding the foregoing, I don’t believe that these questions will remain unanswered, as blockchain has arrived and is only getting started. The pros of the technology far outweigh the cons at this point. That said, the answers will be challenging, and will push both blockchain technology development and the law. Given the recent passage of the CCPA (effective January 1, 2020), there is now a push for national data privacy regulation in the U.S. (as the prospect of reconciling multiple state data privacy statutes has definitely gotten everybody’s attention). Whether that will happen or not is yet to be seen, but something tells me that when it comes to the GDPR (and other U.S. state and federal statutes) and blockchain, the party is just getting started.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
