A blockchain is construed as a type of distributed ledger technology that is a replicated, shared and synchronised digital data structure spread across multiple sites and jurisdictions. Data are recorded in blocks which are linked together in a chronogical order to form a chain – the blockchain.
When blockchain technology is confronted with the legal framework for protecting personal data, the challenges are immense.
In terms of regulatory compliance, it is important to mention:
- The immutable nature of blockchain poses compliance challenges with regulations such as the GDPR in Europe, which provides the right to be forgotten and the deletion of personal data.
- Some blockchains, such as the Bitcoin or the Ethereum blockchains, are public and specific data types related to transactions can be consulted by anyone, which poses risks for the personal information stored on them.
- Although transactions can be pseudonymous, it is often possible to trace a person's real identity through in-depth analysis.
Conversely, the use of blockchain ultimately offers advantages for the protection of personal data, in particular:
- Once data has been entered into a blockchain, it cannot be modified or deleted, thus preventing malicious alteration.
- Data is often encrypted, ensuring that it can only be read by authorised persons.
- Data is not stored on a single server, but distributed across numerous nodes, reducing the risk of data loss.
- Blockchain enables the use of pseudonymous identities, limiting the amount of personal information shared.
Can these benefits offset the risks and challenges that the use of blockchain poses to the protection of personal data? Blockchain and crypto-assets have revolutionised various sectors, from finance to supply chain management. However, integrating personal data rules into decentralised systems poses unique challenges, in particular regarding the types of data collected, the potential data controllers, and their roles within blockchains.
Types of Data Collected and Pseudonymisation
According to the GDPR, ‘personal data’ refers to any information related to an identified or identifiable natural person. This includes online identifiers provided by devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers. Even a dynamic IP address may constitute personal data.
In a blockchain, the types of personal data collected may include:
- Transaction Data: Details about a transaction amount, timestamp, and involved parties’ addresses.
- Identifiers: Addresses or public keys (analogous to bank account numbers).
- Metadata: Additional information such as IP addresses, device identifiers, and geolocation data (collected indirectly).
Although some argue that "blockchain data" is anonymous because it does not include names, it is actually pseudonymised data that may often be processed. Pseudonymised data refers to personal data that cannot be attributed to a specific natural person without additional information. Unlike anonymous information, which is not covered by the GDPR, pseudonymised data remains personal data and its processing falls within the scope of the GDPR. The same applies to encrypted data and hash functions: they may contribute to the confidentiality of personal data but do not render personal data irreversibly anonymous.
For instance, public keys that function as identifiers in blockchains, while concealing the identity of an individual, are linked to a specific natural person who can be identified through additional information. Therefore, they qualify as personal data.
Luxembourg virtual asset service providers (VASPs), such as providers of exchange services and of custodian wallets for virtual currencies, and crypto-asset service providers (CASPs), perform KYC and AML duties. These providers store real identities that reveal the person behind a public key.
Additionally, public keys may reveal patterns of transactions, which could be used to identify an individual user through transaction graph analysis.
On the Bitcoin blockchain, encrypted data can also reveal a user and transaction nexus, allowing transactions to be traced back to a specific user. Public keys can also be traced back to IP addresses and geolocation data, aiding in the identification of a user.
Data controller in Decentralised Networks
Under the GDPR, a data controller is the entity that determines the purposes and means of processing personal data – essentially, it decides on "the why and the how" personal data will be processed. In a traditional centralised system, determining the data controller may be relatively straightforward.
However, in a decentralised network, this is not the case. Data processing activities are distributed across numerous participants that validate and record transactions (network nodes), with each node having partial control over the data. Various other actors can also influence how personal data is processed on a blockchain. Blockchain actors may include:
- Entities using an application anchored on a blockchain layer: For example, the user of a smart contract algorithm qualifies as data controller.
- Software developers: Those who use or contribute to the establishment and maintenance of a blockchain are unlikely to qualify as data controllers.
- Miners: Miners are unlikely to qualify as controllers since they only validate the transactions submitted by participants and do not intervene in the substance of these transactions.
- Nodes: Nodes that store transactions in their own copy of the distributed database may be considered controllers.
- Users as natural persons entering personal data in the blockchain: These users may exceptionally not be considered data controllers if data is processed in the course of a purely personal or household activity. However, if transactions are part of a professional or commercial activity or conducted on behalf of other persons, the user can be considered a data controller such as, for example, VASPs and CASPs.
GDPR obligations and rights
The GDPR aims to protect individuals' privacy and gives them control over their data. Key principles and rights with which data controllers must comply include: data minimisation and purpose limitation, data subject rights, and accountability.
In the context of blockchains, complying with these principles is particularly challenging since blockchains are not a technology that can easily be equated with data minimisation. Furthermore, certain rights, such as the right to erasure, conflict with the immutable nature of blockchains which were purposefully designed to make any unilateral data modification hard.
Conclusion
Blockchain and the protection of personal data is conceivable even if the convergence of personal data and blockchain technology presents significant challenges. While the GDPR provides a comprehensive framework for data protection, its application to decentralised networks is complex and may require innovative technical solutions.
Article provided by INPLP members: Virginie Liebermann and Michel Molitor (Molitor, Luxembourg)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)