Blockchains and Data Protection in the European Union

Abstract: This article examines data protection on blockchains and other forms of distributed ledger technology. Whereas the General Data Protection Regulation was fashioned for centralised methods of data collection, storage and processing, blockchains decentralise each of these processes. We engage with the resulting tensions in the below analysis.

“…While, as demonstrated, it is impossible to delete, update or rollback transactions once they are included in a blockchain, some would argue otherwise: considering that immutability is an emergent, and not intrinsic, property of a blockchain data structure, and therefore an agent or set of agents with a sufficient amount of computing power can modify it, stating that a blockchain is by default immutable is incorrect and misleading [54], [55], [56]. Especially in the context of permissioned blockchains where the number of nodes is limited, tampering with blockchain data should not be regarded as impossible since there is always a possibility of the majority of the consortium or the dominant organisation nodes to vote for their version of truth and to amend the ledger accordingly [29], [57].…”

“…Blockchains by definition are unable to forget since tampering with transactional data stored in blockchains has been identified as nearly impossible [55]. Indubitably, this immutable and transparent record keeping of blockchain data facilitates the movement and storage of information in a secure, auditable and credible way, and consequently guarantees blockchains' credibility, persistency and security.…”

“…On the other hand, however, this was because over the long period under which the final GDPR text was being debated and finalised, blockchain technology has not been a widespread technological trend that is these days. As a result, various legal and technical divergences and incompatibilities between the GDPR and the blockchain technology have been unavoidably identified [55], [59], [61], [62], [63].…”

“…Blockchain technology, due to its immutability, is one such advanced development that contradicts the RtbF. Although one might argue that anonymizing personal data residing in blockchains through public key cryptography is a reasonable step for blockchain data to fall outside of the scope of GDPR, it should be outlined that private and public keys as well as hashed data are pseudonymous, not anonymous, and therefore also qualify as personal data under the GDPR (since pseudonymous data are still personal and consequently they are not exempted from the Regulation (Article 4(1))) [65], [60], [55]. Put differently, blockchain compliance with the GDPR only through the use of hash values and public key cryptography cannot be guaranteed [59].…”

“…Pruning [55,85,86] Redactable blockchains Chameleon hash [79] Meta-transactions [99] Consensus-based Voting [100] Omit content of Transactions [76] Self-destruct/suicide Functions [104] Block matrix [101] Storage Immutability & the RtbF Fig. 2.…”

Blockchain Mutability: Challenges and Proposed Solutions

“…While, as demonstrated, it is impossible to delete, update or rollback transactions once they are included in a blockchain, some would argue otherwise: considering that immutability is an emergent, and not intrinsic, property of a blockchain data structure, and therefore an agent or set of agents with a sufficient amount of computing power can modify it, stating that a blockchain is by default immutable is incorrect and misleading [54], [55], [56]. Especially in the context of permissioned blockchains where the number of nodes is limited, tampering with blockchain data should not be regarded as impossible since there is always a possibility of the majority of the consortium or the dominant organisation nodes to vote for their version of truth and to amend the ledger accordingly [29], [57].…”

“…Blockchains by definition are unable to forget since tampering with transactional data stored in blockchains has been identified as nearly impossible [55]. Indubitably, this immutable and transparent record keeping of blockchain data facilitates the movement and storage of information in a secure, auditable and credible way, and consequently guarantees blockchains' credibility, persistency and security.…”

“…On the other hand, however, this was because over the long period under which the final GDPR text was being debated and finalised, blockchain technology has not been a widespread technological trend that is these days. As a result, various legal and technical divergences and incompatibilities between the GDPR and the blockchain technology have been unavoidably identified [55], [59], [61], [62], [63].…”

“…Blockchain technology, due to its immutability, is one such advanced development that contradicts the RtbF. Although one might argue that anonymizing personal data residing in blockchains through public key cryptography is a reasonable step for blockchain data to fall outside of the scope of GDPR, it should be outlined that private and public keys as well as hashed data are pseudonymous, not anonymous, and therefore also qualify as personal data under the GDPR (since pseudonymous data are still personal and consequently they are not exempted from the Regulation (Article 4(1))) [65], [60], [55]. Put differently, blockchain compliance with the GDPR only through the use of hash values and public key cryptography cannot be guaranteed [59].…”

“…Pruning [55,85,86] Redactable blockchains Chameleon hash [79] Meta-transactions [99] Consensus-based Voting [100] Omit content of Transactions [76] Self-destruct/suicide Functions [104] Block matrix [101] Storage Immutability & the RtbF Fig. 2.…”

Blockchain Mutability: Challenges and Proposed Solutions

Distributed Data Protection and Liability on Blockchains

Privacy Implication and Technical Requirements Toward GDPR Compliance