EDPB and how GDPR interacts with blockchain
The European Data Protection Board (EDPB) recently opened its public consultation on its guidelines for the processing of personal data through blockchain technologies, write John O'Connor, Rachel Hayes and Conor Forde of William Fry.
The end of the public consultation phase yesterday (9 June) means it is timely to examine what the guidelines might mean for relevant users.
The EDPB flags from the outset that, for GDPR, the metadata which blockchains store (while pseudonymised and offering a high level of security) may contain identifiers, such as a public key, and blockchain addresses which could be used to indirectly identify a natural person when used with other, additional identifiers.
The EDPB further stresses that blockchain is simply a technology like any other, such as cloud computing or peer-to-peer networks.
As a result, there is no immediate exemption for blockchain from the rules on the processing of personal data under GDPR.
The EDPB thus raises the question of who is a data controller and who is a data processor when blockchain technologies are used.
The guidelines differ between permissioned blockchains, which require an entity to act as an authority (such as the private blockchain providers typically seen used in financial services) or public permissionless blockchains, which have no overarching authority governing their use (such as the Bitcoin network).
The EDPB believes the analysis regarding roles and responsibilities may be more straightforward with permissioned blockchains, but when examining public, permissionless blockchains, this could be on a case-by-case basis.
The EDPB states that some nodes on such a blockchain do not act "on behalf of the controller" and, in fact, they do not take instructions from any controller, with the guidelines concluding that some of those nodes pursue their own objectives.
If that is the case, then the EDPB suggests a consortium should be put in place to govern those nodes, with such a consortium likely to be seen as a controller.
Problem areas
The EDPB highlights several issues regarding the use of blockchain when processing personal data.
- Data Retention: The EDPB is critical of the presumption that the period of time for the retention of data stored on a blockchain is the lifetime of the blockchain. The EDPB states that personal data must be erased once the purposes have been met, and that this is difficult to achieve where privacy by design has not been incorporated into the development and deployment of blockchain technologies. The EDPB have highlighted that, as one possible necessary measure, controllers may be required to delete an entire blockchain to satisfy this principle if individual record deletion is not possible,
- Data protection by design: The EDPB flags this as one of the major challenges facing blockchain's interaction with data protection, as, according to the EDPB, controllers may struggle to show they have applied context-specific measures to implement data protection principles, and highlight that this may require a combination of different privacy enhancing technologies to provide sufficient levels of data protection (that is, use of off chain storage, zero-knowledge architecture, proof of existence only transactions),
- International Transfers: Blockchain nodes tend to be globally dispersed, which means that when personal data is processed on a blockchain, it is, in fact, an international transfer of personal data. The EDPB notes that the nodes used for a transaction on a public permissionless blockchain tend not to be vetted or chosen, so this will raise compliance concerns regarding transfers,
- Data subject rights: The ability for a data subject to exercise their rights under GDPR is a key point that the EDPB references throughout the guidelines. They specifically highlight that there may be compliance issues with the right to rectification and the right to erasure as the ability to ensure those rights can be respected may be technically impracticable and/or impossible when blockchain technologies are involved given that the immutability of the chain is one of the major selling points for a blockchain.
Compliant deployment
The EDPB has stressed that blockchain is just another technology, no different from cloud services.
As such, achieving compliance with GDPR when using blockchain has to be approached in the same manner as any other entity subject to GDPR, which is also why the EDPB frequently calls out the privacy by design principle throughout its guidelines.
The EDPB have highlighted that entities should seek to identify whether the use of blockchain technology is even required for the processing involved and, if so, whether the personal data can be kept from being processed on the chain itself and kept "off-chain" with the transactions on the chain simply being proof of existence markers.
The EDPB has stressed that compliance with GDPR needs to be properly recorded, and entities should be seeking to complete data protection impact assessments where the processing of personal data through blockchains would result in a high risk to the rights and freedoms of natural persons.
Commentary
The EDPB appears to have approached these guidelines with the view that the use of blockchain must change and conform to ensure absolute compliance with GDPR.
This has caused significant concern within the wider Web3 ecosystem, with many calling for the guidelines to be revised to achieve a more balanced approach.
While the guidelines will not have the same binding effect as mandatory law, we would also welcome a reframing of the guidelines to better account for the privacy-enhancing features already incorporated into blockchain technology when compared to the classic infrastructure in our day-to-day lives.
There are significant concerns surrounding the cooling effect that such guidelines may have on the numerous blockchain-reliant companies that exist within Ireland and the wider European Union.