GDPR applicable to a blockchain ledger PART 1
Written by Mark Reed on 18 May 2018
Some of the key terms used to describe the individuals concerned with data protection require preliminary clarification. Primarily, the definitions of a data subject, a data processor and, more importantly, the data controller are outlined in Article 4 of the new GDPR. Data subject refers to information relating to an identified or identifiable natural person. This would simply be the person that the information on the blockchain refers to, or the person to whom the information pertains. A data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data. It is difficult to establish the legal identity of the controller within a blockchain.
In a blockchain or distributed ledger scenario, it is more than probable that there will be multiple controllers who are deemed responsible for data protection and privacy expectations on behalf of the data subject, or who could even be the data subject themselves. Firstly, there would surely have to be some form of contractual agreement between the co-controllers to ascertain who is in control of each block or distribution. It is also important, for liability purposes, to identify who is the controller and who is the data processor acting on behalf of the controller to process the information. In a peer-to-peer network it could be argued that every individual involved in the blockchain is both a controller for their own participation and a processor for the distribution of the data that they are contributing to the network/blockchain.
There are several provisions in this new regulation which stand out as significant. It must be noted that everyone has a fundamental right to be protected in relation to the processing of personal data. This is no different for the information stored or distributed within a blockchain ledger. Even if the technology is so new that it is not yet officially recognised or widely understood, it is more than the mere transaction distributor supporting cryptocurrency that it is commonly described as.
One provision that stands out is the right to erasure or ‘right to be forgotten’. How can this be possible on a public ledger that is permanent and time-stamped? It is this sort of legal issue that will be difficult to action and will lead to disputes between parties. Possibly, the right could be understood, for data on a blockchain, as giving someone a right to have extra encryption covering their information. That could still leave a data trace on the individual, though, so it would not necessarily conform to a right to be forgotten, even if it did limit the ability of others to see this information directly. There could be two types of blockchain: a public and a private block. The private block is controlled by a specific number of nodes (computers), so it may be possible to have certain information redacted by way of a secondary key held by the data subject, which can only unlock the information when the subject approves it. In fact, the use of Ethereum blocks with MedRec (explained in the article entitled ‘potential cross-border issues in a blockchain network’) works by a key held by both the registrar and the data subject. In that instance, the issue could be resolved by simply revoking the key from the registrar, so that the data subject is the only one to have access to the records unless another key is generated at a later date. This doesn’t prevent all potential hacks that could retrieve enough information to identify a person.
The public key itself, which is the coding embedded on each block on a public ledger, may not be fully masked, even if it does mask the data within. This coding would essentially constitute personal information for the purposes of the GDPR, but only if it can be traced back to an individual. Ultimately, it could only be traced back if the public key was visible and then traceable, possibly through the service provider or an IP address. There would also have to be a form of pseudonymisation to remove any requirement for the information to fall within any data protection laws. It would have to function in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Food for thought!!
Keep checking back in for further considerations on blockchain technology and how it could be applicable to the law.