December 4, 2019
Debate about the mainstream adoption of distributive ledger technology (DLT) is frequently characterised by questions regarding its compatibility with the GDPR. These questions have generally focused on two key issues:
- Whether DLT’s decentralised model is compatible with the ‘controller’ and ‘processor’ focused structure of the GDPR.
- The tension between DLT’s intention to make the deletion and modification of data deliberately difficult and the GDPR’s assumption that personal data can be modified or erased to deal with GDPR obligations such as the rights of erasure and rectification and the principles of data minimisation and storage limitation.
Many of the interventions to date have failed to progress the discussion. Notably, a paper from the generally tech savvy and forward-thinking French data protection authority, CNIL, at the end of last year raised more issues than solutions.
We are still a long way from consensus but a paper by Dr Michèle Finck for a panel of the European Parliament has identified the key issues and provided a helpful structure for considering them.
Finck discusses the difficulty of identifying a controller or controllers when using DLT. She does not consider that the difficulty is only due to DLT’s decentralised nature. Finck points to a lack of clarity, particularly in light of recent case law, about the concept of a controller under the GDPR. This lack of clarity includes the CJEU viewing different organisations working together as a chain of controllers, each responsible under the GDPR for their stage of the processing but limited to a framework of their powers, responsibilities and capabilities in respect of the personal data. Furthermore, it is increasingly clear that any influence on the purposes or means of processing, regardless of the degree and actual access to personal data, may result in an organisation being viewed as a controller.
When discussing the need to erase or anonymise personal data that has been stored on DLT in order to comply with GDPR, instead of only pointing to DLT’s commitment to a permanent immutable record, Finck again cites wider issues with the GDPR and a lack of consensus about what amounts to anonymisation as a key contributing factor to creating the tension between use of DLT (to the extent personal data is being stored on it) and compliance with data protection law.
There have been some tentative suggestions that the GDPR should be amended to facilitate DLT. However, given the technology agnostic approach and future-proof policy drivers underpinning the GDPR, this is very unlikely to happen. Consequently, much of the debate about DLT’s compatibility with the GDPR has focused on the nature of DLT rather than the nature of the GDPR.
Finck concludes that DLT and the GDPR are not necessarily incompatible but for the two to work together GDPR must be considered early in the design stage of any DLT project. Crucially, Finck notes that private uses of DLT are more likely to be compatible with the GDPR than public blockchains.
We fully agree with Finck on these points, but we consider her focus on the GDPR and the need to clarify many of its key concepts is the most important takeaway from her research. Without this clarity, it will remain difficult for DLT developers to undertake projects confident that their design will not breach the GDPR.