The GDPR and The Blockchain Technology – A Contradiction?

The GDPR and blockchain technology are often at odds with each other. What are the reasons for this, and how can frictions be eliminated?

Nov 15, 2022 - 4 min.

As a decentralised database, the blockchain guarantees complete transparency. Since it dispenses with a higher-level authority, the disruptive technology is considered to be immune to tampering and manipulation. It also prevents data from being deleted or changed. Consequently, the blockchain allows transactions using cryptocurrencies to be managed decentrally and checked and authenticated transparently. However, this creates fundamental questions from a data protection perspective. Especially with regard to European legislation concerning the erasure of personal data or the 'right to be forgotten'. Read on to find out how this disruptive technology can be reconciled with European legislation. 

The great potential of blockchain technology

Given the sheer variety of its possible applications, blockchain technology is regarded as a driver of the future. It promises major benefits: unmodifiable data that can be exchanged in a manner that remains transparent, traceable and secure for every node or user. Moreover, no third parties or state supervisory authorities are involved in individual transactions. 

However, the potential of the blockchain is not limited to financial products and services but is also already being applied in many other sectors. For instance, it is playing an increasingly important role in the healthcare sector, where ways of linking data from patient records are already under consideration to deliver innovative patient care. 

In the future, the possible applications of disruptive technology will become far more diverse and will enable companies across all sectors to tap into the new economic potential. Manual business processes can be streamlined and automated. 

Another major advantage of the blockchain is its immunity to manipulation and fraud. The technology can be used to make the exchange of data or transactions more secure. It also makes it difficult for cybercriminals to steal data or make money transfers, for instance. This is down to cryptographical procedures such as hash functions or digital signatures that are used to secure the blockchain. This assumes that no errors are made during the implementation, that insecure network protocols are not used and that poorly secured end-use applications (wallets) are not an issue. 

The blockchain – divorced from the GDPR? 

It's important to point out that the technology is not operating in a legal vacuum regarding data protection. When the blockchain is used, the regulations of the European Union's GDPR must be applied. 

According to Art. 17 Par. 1 of the GDPR (Right to erasure - right to be forgotten), every person has the right to erasure their personal data if specific conditions are met. These include cases where the controller no longer has any need for the data or if data was processed unlawfully without the data subject's consent. Similarly, consent to processing personal data can also be withdrawn, or there may not be any legitimate reason for processing the data. What's more, a legal obligation to delete applies to any collected data related to a child. 

The personal data used in a blockchain is stored using hash codes. In addition, public keys are used for usernames. This enables personal data to be pseudonymised. Nevertheless, the blockchain operator or the person who issues the username for a private blockchain, for example, can still use this information to trace the individual persons. 

So, this is where a conflict arises between the blockchain and the GDPR in terms of their respective approaches. That's because immunity from manipulation and the associated immutability of the individual blocks undermines the right to erasure. So erasure is basically only possible if the vast majority of nodes or the users consent to this – in other words, by means of a consensus mechanism. 

Furthermore, the controller must be aware of several principles during data processing. According to Art. 5 of the GDPR, the principles of integrity and confidentiality apply to guarantee the security of data to be processed. This legal principle aims to ensure that information is processed using appropriate technical or organisational measures and is protected against unauthorised processing and accidental loss or destruction. Data is guaranteed to be confidential if it cannot be viewed by unauthorised third parties. However, this is also contradictory with regard to the blockchain because the GDPR is also opposed to the requirement for transparency in this context. 

Does this mean that the blockchain is not GDPR-compliant? 

Possible approaches towards reconciling the blockchain with the GDPR 

In addition to the above-mentioned consensus mechanism, technical possibilities can be applied to a request for erasure. A process known as ‘forking' can be used to create two blocks within the chain instead of one, thereby forming a fork. In other words, the blockchain is split into two parts – which means that protocol rules can be changed and personal data deleted if forking is used. With a 'soft fork', the original chain disappears, and all nodes are transferred to the new chain. But this process is extremely laborious. Its use is also disputed in some areas – as was the case in relation to Bitcoin in August 2017. This forking process led to the creation of Bitcoin Cash – one of the most important altcoins or successors of the first and oldest cryptocurrency: Bitcoin. Other technical possibilities include mutable blockchains, rollbacks or the use of chameleon hash functions. 

When it comes to a private blockchain, it is possible to agree that certain nodes within the closed network can delete information retrospectively. In this case, it is important that users make sure that all data is stored in the form of hash codes and that the 'actual' data is stored 'off-chain'. This means that the data is stored externally and only referenced in the blockchain, which is made possible by linking individual modules to an off-chain database. Even if the hash code is invalidated, as a result, the transaction block can still be verified, and the entire blockchain remains intact. 

In this way, the friction between the GDPR and the blockchain can be significantly reduced. 

Is the end of the conflict in sight? 

Ultimately, the conflict between the GDPR and blockchain technology cannot be fully resolved, and changes on one side or the other will cause this tense relationship to flare up again. 

Nevertheless, blockchain and data protection should not always be seen as contradictory. Both share the goal of allowing transactions to be completed in a transparent, traceable manner and free of manipulation. And there are already blockchains that are focused on protecting data.


Nevis Security Barometer #2