
The clash between the right to be forgotten according to the GDPR and the blockchain technology

08. 08. 2017

Matija Urankar


Partner

Blockchain technology, seen by many today as a precursor of the fourth industrial revolution, provides, among other things, greater security for economic operators. What is written in a block and joined into a chain is supposed to be durable and uniform in practice. Such a solution – the durability and uniformity of data – when implemented and functioning, certainly facilitates operations and market entry for businesses, as it enhances confidence, increases the security of transactions (by automating them) and, consequently, has a beneficial effect on the entire economy. After all, the number of investments depends on the predictability and safety of operations in a particular business environment.

And yet: after 25th May 2018, will blockchain technology still be suitable for storing all data?


Protection of personal data after 25th May 2018

At the end of May 2018, the so-called GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, will come into force.

The GDPR introduces a number of new features, including the so-called right to be forgotten. Article 17 of the GDPR specifies that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. This right can be invoked for a number of reasons, inter alia when the data subject withdraws the consent on which the processing of his or her data is based. Consent given in accordance with the provisions of the GDPR is one of the legal bases for the processing of personal data, and under Paragraph 3 of Article 7 of the GDPR the data subject has the right to withdraw his or her consent at any time (it shall be as easy to withdraw as to give consent).

A controller may also reject a request for erasure, but the grounds for rejection are exhaustively listed and narrowly defined.


Blockchain technology

The essential feature of blockchain technology is the uniformity and durability of data. Because of this feature, the technology is of interest not only to issuers and holders of crypto tokens, but also to the service sector of the economy, including banks, insurance companies and law firms. The functioning of these entities is based on the trust of their clients, which increases with the safety of the business of the entities themselves. If banks, insurance companies and law firms operate with the help of blockchain technology, their business will be safer, which will result in more (rational) clients. As an example, I would like to mention the smart contract: if parties enter into a contract (here the law firm is involved) that is written in a block, its execution (e.g. the initiation of a transaction, where the bank is involved) upon fulfilment of a predetermined contractual condition is independent of human will and consciousness.


Right to be forgotten and data chaining

In addition to the abovementioned uniformity and durability of data, blockchain is characterized by another important feature: the absence of a central authority. This feature, however, is clearly contrary to the basic idea of the GDPR: the controller or processor of personal data must be undisputedly and always known, while the persons whose personal data are being processed must at all times be able to address requests concerning the processing of their personal data to a known controller or processor.

The GDPR therefore undoubtedly requires the supervision of a central and determinable authority over the collections of personal data.

To summarize the above findings, we may conclude that the idea of uniformity and durability of the data that are or will be recorded in a blockchain, provided these are personal data, is completely incompatible with the right to be forgotten as provided by the GDPR.

The way out of the collision described above probably lies in a technical solution. Legally speaking, it might be worthwhile to consider the following: can data be written in a block in an anonymous form? Can data be written in a block in a pseudonymized form, with the identifiers stored separately (outside the blocks) and destroyed at the request of an individual? Is it worth writing personal data in the blocks at all? It is obvious that the solutions presented reduce the added value of blockchain technology – which is precisely the fact that the data remain recorded in a uniform and durable way.
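The pseudonymized option raised above, sketched as an added example that is not part of the original article: each block holds only a random pseudonym and a keyed hash, while a separate off-chain store holds the identity and the key and deletes them on request. All names (`OffChainStore`, `append_block`, the sample identities) are hypothetical, and the code shows the mechanics only, not a legal assessment.

```python
import hashlib, hmac, json, secrets

class OffChainStore:
    """Mutable store outside the blocks: pseudonym -> identity and per-subject key."""
    def __init__(self):
        self._rows = {}
    def register(self, identity):
        pseudonym = secrets.token_hex(16)            # random, not derived from identity
        self._rows[pseudonym] = {"identity": identity, "key": secrets.token_bytes(32)}
        return pseudonym
    def commit(self, pseudonym, payload):
        # Keyed hash: without the key, a guessable payload cannot be confirmed.
        key = self._rows[pseudonym]["key"]
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    def resolve(self, pseudonym):
        row = self._rows.get(pseudonym)
        return row["identity"] if row else None
    def erase(self, pseudonym):
        # Erasure request: destroy identifier and key; the blocks are not touched.
        return self._rows.pop(pseudonym, None) is not None

def block_hash(block):
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def append_block(chain, pseudonym, commitment):
    prev = block_hash(chain[-1]) if chain else "0" * 64
    chain.append({"prev": prev, "subject": pseudonym, "commitment": commitment})

def chain_is_valid(chain):
    return all(chain[i]["prev"] == block_hash(chain[i - 1]) for i in range(1, len(chain)))

def demo():
    store, chain = OffChainStore(), []
    # Constructed sample identities and payloads.
    alice = store.register("Alice Example <alice@example.test>")
    bob = store.register("Bob Example <bob@example.test>")
    append_block(chain, alice, store.commit(alice, "contract #1 signed"))
    append_block(chain, bob, store.commit(bob, "contract #2 signed"))
    tip_before = block_hash(chain[-1])
    before = store.resolve(chain[0]["subject"])
    erased = store.erase(alice)
    return {"before": before, "erased": erased,
            "after": store.resolve(chain[0]["subject"]),
            "bob": store.resolve(chain[1]["subject"]),
            "chain_valid": chain_is_valid(chain),
            "tip_unchanged": block_hash(chain[-1]) == tip_before}

if __name__ == "__main__":
    print(demo())
```

After the erasure the chain still verifies and its blocks are byte-for-byte unchanged, but the first block's pseudonym no longer resolves to a person. That is the trade-off the paragraph above points to.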
