Blockchain’s eternal memory confounds EU’s ‘right to be forgotten’
The European Union’s “right to be forgotten” privacy law is on a collision course with blockchain, whose hallmark is that it “never forgets” the vast amount of information it collects.
The technology is being integrated into a growing number of businesses, and companies across the European economic bloc want privacy regulators to clarify how blockchain and the EU’s landmark General Data Protection Regulation can co-exist.
“There is serious tension between blockchain and GDPR,” said Jörg Hladjk, a partner with Jones Day in Brussels. “There is a general perception that blockchain technology uses anonymous data, but that is not really the case.”
Adoption is growing. The global blockchain market is predicted to explode this decade – from around $6 billion last year to $160 billion by 2029.
Blockchain’s distributed ledgers – which contain data that cannot be deleted or altered – are rapidly evolving beyond cryptocurrency transactions to facilitate efficient supply chain management, product traceability, proof of identity and countless other business functions.
“This is a whole new area for regulators that raises a ton of issues,” Hladjk said.
Europe’s privacy regulators must grapple with who controls blockchain data and who is responsible if something goes wrong, as well as “how to exercise rights [and] legal basis for processing,” said Hladjk. “And often overlooked, whether a data protection impact assessment – and with what level of detail – is required.”
“Most of the time the data will rather be pseudonymous data and thus personal data, triggering the application of the GDPR,” he said.
EU, US guidance
The European Data Protection Board, an independent EU body responsible for facilitating the GDPR, is working on blockchain guidance, but “we cannot say when the guidelines will be ready for publication, nor can we comment on their possible content,” it said in an e-mail message.
That leaves businesses to navigate the fast-paced technology as best they can.
“I’ve been asked whether blockchain is legal or illegal so many times,” said Marijn Storm, a data protection associate at Morrison & Foerster LLP in Brussels. “It depends on how the technology is used,” he said.
In the US, Congress is this summer considering comprehensive digital privacy legislation for the first time in years, spurred in part by the EU but also by a handful of state laws that mimic the GDPR, which took effect in 2018.
The federal American Data Privacy and Protection Act (HR 8152), which has bipartisan support and is awaiting a vote in the House of Representatives, would for the first time give all Americans the right to access, correct and delete their data. Laws in California, Colorado, Connecticut, Virginia and Utah already include a right to erasure similar to the European one.
Companies Wait
In the EU in particular, legal uncertainty could be “a reason not to use blockchain,” and lead companies to take a wait-and-see approach, Storm said.
Data security and privacy are the main concerns for those just venturing into blockchain, according to Deloitte’s 2021 Global Blockchain Survey.
Public blockchains that anyone can access, such as Ethereum and Bitcoin, “not only do not fit the principle of minimality, but they also cannot always ensure the data subject’s ability to change or delete data,” said Liisi Jürgen, head of IT law at NJORD Law firm in Tallinn, Estonia.
For public blockchains, which by definition are open to anyone to join, it can be impossible to identify a central data controller responsible for compliance, creating a headache for authorities who want to know who is responsible if something goes wrong.
Despite the uncertainty, the privacy authorities have been slow to step in.
France’s Commission Nationale de l’Informatique et des Libertés published guidance in 2018, finding that the storage of personal data on a blockchain should be limited to “commitments,” or hashes, which link to data off-chain. The CNIL also said permissioned blockchains, or non-public blockchains set up by a limited number of known users, were preferable to public blockchains.
“Reflection at the European level is essential” to provide definitive guidance on blockchain and the GDPR, the CNIL said.
But four years later, this still hasn’t happened.
Encrypted data
“We follow the CNIL guidance and I think everyone follows it,” said Niels Vandezande, a consultant at Timelex digital technology lawyers in Brussels. “There are many projects underway; everybody wants to do everything on the blockchain right now.”
Blockchain and crypto are moving so quickly “it’s very difficult for regulators to get an understanding,” he said.
Hungary’s Data Protection Authority was one step ahead of the CNIL, issuing blockchain guidance in 2017, but in relation to Hungary’s Data Protection Act, which was replaced in May 2018 by the GDPR.
Since 2017, the Hungarian authority has received “general consultation requests from specific controllers” related to blockchain, but “has not received any specific complaint from data subjects regarding blockchain-based data processing,” said Gabriella Dél, the Hungarian Data Protection Authority’s international rapporteur.
Data on a blockchain is rarely stored in the clear: what appears on the ledger is typically a hash, or a transaction tied to a wallet address rather than to a name. Hashing is not encryption, but it does make the underlying personal data hard to read directly from the chain.
Through the use of encryption technology, blockchain is a tool for managing data in a way that protects information and facilitates trust in record keeping, rather than exposing it or compromising its integrity, said Sujit Raman, general counsel at blockchain analytics firm TRM Labs.
“Penetrate the Veil”
There are some areas that need further theorizing to accommodate privacy regulations, such as blockchain’s rejection of centralized authorities controlling data flows. Blockchain’s immutability also poses a challenge to correcting or deleting personal data.
“There are ways to reconcile the concept of privacy with blockchain technology,” said Raman, who previously represented the US government in international data protection negotiations.
But under Europe’s GDPR, even hashed or pseudonymous data that can be linked only to a digital wallet counts as personal data because of its potential to identify the wallet holder.
Chain analytics companies are already profiling cryptocurrency wallets based on public blockchain data, said Yannis Kalfoglou, author of “Blockchain for Business: A Practical Guide for the Next Frontier.”
Data “can be anonymized, it can be pseudonymized, it can be hashed, but that doesn’t mean it can’t be recovered,” he said. “You can always penetrate the veil.”
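The two technical points above – the CNIL’s advice to put only a “commitment” on-chain with the data itself kept off-chain, and Kalfoglou’s warning that a hash of personal data can still be recovered – can be seen side by side in a small model. The following is an added example, not code from the article or from any firm or regulator it quotes. It assumes an in-memory append-only list standing in for the ledger, an in-memory dictionary standing in for the off-chain store, HMAC-SHA256 with a random per-record salt as the commitment, and a constructed dictionary of birth dates as the attacker’s guess list; all records are made up for illustration.

```python
"""Added example: salted on-chain commitment with erasable off-chain data,
versus the dictionary-recoverability of an unsalted hash of a low-entropy
attribute. Ledger, store and sample records are constructed in-memory."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class OffChainStore:
    # record_id -> (per-record salt, personal data); this is what can be erased
    records: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)


@dataclass
class Ledger:
    # append-only list of hex commitments; nothing is ever removed from here
    entries: List[str] = field(default_factory=list)


def commit(salt: bytes, data: bytes) -> str:
    """Salted commitment: HMAC-SHA256 keyed with a 32-byte random salt.
    Without the salt, the digest cannot be matched against guessed data."""
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


def record_on_chain(store: OffChainStore, ledger: Ledger,
                    record_id: str, personal_data: str) -> str:
    """Keep the data and salt off-chain; write only the commitment on-chain."""
    salt = secrets.token_bytes(32)
    store.records[record_id] = (salt, personal_data)
    c = commit(salt, personal_data.encode())
    ledger.entries.append(c)
    return c


def verify(store: OffChainStore, ledger: Ledger, record_id: str) -> bool:
    """Whoever holds the off-chain record can show it matches a ledger entry."""
    if record_id not in store.records:
        return False
    salt, data = store.records[record_id]
    return commit(salt, data.encode()) in ledger.entries


def erase(store: OffChainStore, record_id: str) -> None:
    """Erasure request: delete the off-chain data and its salt. The on-chain
    commitment stays, but is now an opaque 256-bit value with no known preimage."""
    store.records.pop(record_id, None)


def recover_unsalted(hex_digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: if a ledger value is a plain SHA-256 of a low-entropy
    attribute, hashing each guess recovers it. Returns the match or None."""
    for cand in candidates:
        if hashlib.sha256(cand.encode()).hexdigest() == hex_digest:
            return cand
    return None


def demo() -> Tuple[bool, bool, Optional[str], Optional[str], int]:
    store, ledger = OffChainStore(), Ledger()
    attribute = "born 1984-03-12"          # constructed sample record
    salted = record_on_chain(store, ledger, "r1", attribute)
    ok_before = verify(store, ledger, "r1")
    erase(store, "r1")
    ok_after = verify(store, ledger, "r1")  # commitment still on-chain, data gone

    # Attacker's constructed guess list: every day of a single birth year.
    guesses = [f"born 1984-{m:02d}-{d:02d}"
               for m in range(1, 13) for d in range(1, 32)]
    bare = hashlib.sha256(attribute.encode()).hexdigest()
    recovered_bare = recover_unsalted(bare, guesses)     # the veil is penetrated
    recovered_salted = recover_unsalted(salted, guesses)  # salt defeats the dictionary
    return ok_before, ok_after, recovered_bare, recovered_salted, len(ledger.entries)


if __name__ == "__main__":
    print(demo())
```

The design point is that erasure is achieved by destroying the off-chain record and its salt, not by touching the ledger: the entry that remains is a commitment no one can open. The unsalted comparison shows why a bare hash of a date of birth, e-mail address or similar small-domain attribute does not make the data anonymous in the GDPR sense.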
Risks ahead?
Contrary to CNIL’s 2018 advice that permissioned blockchains are preferable, the future is public blockchains, said Mary Lacity, director of the Blockchain Center of Excellence at the University of Arkansas.
“The problem with private networks is that they don’t scale,” while “governance issues are challenging” in larger private blockchains with many participants, she said.
Public blockchains can facilitate decentralized identity, where individuals hold identity information in digital wallets and use it as the basis for a variety of transactions – everything from buying a non-fungible token, to registering a property purchase, to accessing online public services, to providing proof of age to enter a bar.
For real estate records, for example, “it would be perfect to have something immutable,” said Storm of Morrison & Foerster.
Decentralized identity can be attractive in Europe as a digital alternative to the identity cards that most EU states issue. Governments would issue the credentials held in digital wallets.
“The basic concept is that I want to control all of my identity data,” said Jeremy Grant, managing director of technology business strategy at Venable LLP in Washington, D.C. “I decide who can see it and when.”
However, the challenge for decentralized identity will lie in implementation, since this type of identity architecture is based on people’s ability to navigate their set of cryptographic keys, Grant said.
“Digital ID puts a lot of ownership on the citizen,” who would have to “actively manage” their credentials to ensure they don’t fall into the wrong hands, Kalfoglou said.