Permanent distributed ledger technology and its compatibility with EU data protection law.

(1)

Permanent distributed ledger technology and its

compatibility with EU data protection law.

Thesis for the Master of Laws Degree

International and European Law: European Union Law

The University of Amsterdam

Words: 12 994

Natalie Tunstall-Jackman

Submission date: 17 July 2018

(2)

Abstract

Blockchain technology is the subject of growing interest amongst various sectors and it is being trialled in a wide range of applications. Its fundamental features provide advantages over other technologies. However these features pose problems for data protection law. The new European Union General Data Protection Regulation has a more extensive scope over its predecessors and carries heavy penalties in case of non-compliance. This thesis explores in which circumstances applications of blockchain technology fall within the scope of this Regulation and which data protection rights may be infringed by the technology. Analysis attempts to reconcile the technology with data protection rights and identifies areas where blockchain may enhance the protection afforded by the European Union regime. In spite of stronger data protection rights certain features of blockchain technology may limit the effective enforcement of the Regulation and therefore it is posited that more specialised legislation should be welcomed and perhaps even a rethinking of the legal regime that surrounds disruptive technologies.

(3)

I - Introduction

Blockchain technology has been described as 'the most disruptive technology since the advent of the Internet’1_{and has been the subject of growing publicity worldwide, the original and most}

famous of which is the blockchain supporting the Bitcoin cryptocurrency. ‘The idea of having an open, universally accessible ledger was born with Bitcoin, and the system provided the first solution to the problem of establishing trust in an unsecure environment without relying on a third-party’.2

The technology has received increasing attention from businesses and governments alike owing to its advantageous features over previous technologies. For example, Estonia has used blockchain technology to support its government e-registries, ‘such as national health, judicial, legislative, security and commercial code systems, with plans to extend its use to other spheres such as personal medicine, cyber security and data embassies’.3_{The UK Government has been considering how}

blockchain may be used in the private and public sector to increase transparency and to drive efficiencies.4_{In February 2018 the Commission of the European Union (EU) launched the EU}

Blockchain Observatory and Forum to keep up to date with key developments and promote European actors and engagement with those working with this technology.5_{In November 2017 it}

launched a study aimed to assess the feasibility and potential of an EU-wide blockchain infrastructure.6

Blockchain can be described as permanent distributed ledger technology (DLT). Traditional ledgers are centralised. They are owned and updated by a central authority which may share the data but this would only be a copy of the ledger as it exists at that time. However in DLT the ledger is

1 Matthias Berberich and Malgorzata Steiner, ‘Blockchain Technology and the GDPR - How to Reconcile Privacy and Distributed Ledgers’ (2016) 2 European Data Protection Law Review 422.

2 Svein Ølnes, Jolien Ubacht and Marijn Janssen, ‘Blockchain in government: Benefits and implications of distributed ledger technology for information sharing’ (2017) 34 Government Information Quarterly 355.

3 ‘Factsheet: Estonian Blockchain Technology’ <https://e-estonia.com/wp-content/uploads/facts-a4-v03-blockchain.pdf> accessed 22 May 2018.

4 UK Government Chief Scientific Advisor, ‘Distributed Ledger Technology: beyond blockchain’ (GS/16/1, December 2015) <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf> accessed 25 February 2018.

5 European Commission, ’European Commission launches the EU Blockchain Observatory and Forum’ (Brussels, 1 February 2018) <http://europa.eu/rapid/press-release_IP-18-521_en.htm> accessed 25 February 2018.

6 European Commission, ‘Study on opportunity and feasibility of a EU blockchain infrastructure’

<https://ec.europa.eu/digital-single-market/en/news/study-opportunity-and-feasibility-eu-blockchain-infrastructure> accessed 25 February 2018.

(5)

owned and updated in a decentralised manner by a network of computers (nodes), whenever the ledger is updated, all the nodes are concurrently updated. There are various levels of access and amendment rights that can be programmed within a blockchain. ‘Whether a ledger is public or

private determines who has access to copies of the ledger, whereas the attribute of permissioned

versus permissionless determines who maintains the ledger’.7_{Users may access the blockchain}

using their public and private keys. The public key is the visible address whereas the private key can only be seen by its owner which adds a level of security.8_{As a general rule}9_{blockchain operates}

through recording transactions10_{(and the associated data such as the timestamp) electronically in a}

block, these blocks are joined to the previous block by a hash which is a unique code providing a

reference to the previous block. In this way the blockchain gives a visible and transparent record of all transactions made. Furthermore, each transaction must be verified before it can go onto the blockchain. Verification, otherwise known as cryptography, ensures that the quality of the data on the network is high and this is usually done through a mathematical process or proof-of-work (e.g. for Bitcoin and Ethereum this process is called mining). Verification is also incentivised (usually by rewarding miners with coins) which helps to ensure that those carrying out verification do it correctly and accurately. Blockchain is also being used to support smart contracts which are ‘contracts that are written in computer code and that are enforced by software when certain pre-determined conditions are satisfied. When the conditions are satisfied (e.g., delivery of goods, the making of a payment), then the blockchain can perform the transactions, record them and pay money automatically'.11

The nature of blockchain technology provides a number of technological advantages12_{such as near}

immutability.13_{The automatic distribution of the ledger reduces the number of failure points since}

each copy of the ledger is replicated automatically. This feature also provides protection against fraud since if one copy of the ledger is tampered with all other copies remain in their original state.

7 Ølnes, Ubacht and Janssen (n 2).

8 Gabrielle Patrick and Anurag Bana, ‘Rule of Law Versus Rule of Code: A Blockchain-Driven Legal World’ (2017) IBA Legal Policy & Research Unit Legal Paper <https://www.ibanet.org/Document/Default.aspx?

DocumentUid=73B6073F-520D-45FA-A29B-EF019A7D7FC9> accessed 22 May 2018.

9 As the technology has developed, various blockchains have been created which may or may not share all of these features. For the purposes of this thesis the generic features of blockchain will be discussed.

10 Here the word transactions is used in a broad sense and need not be limited to monetary transactions.

11 Donald B. Johnston, ‘More on the Law of Blockchain’ (Spotlight, 25 April 2016)

<https://www.airdberlis.com/insights/blogs/thespotlight/post/ts-item/more-on-the-law-of-the-blockchain> accessed 21 May 2018.

12 For an overview of the possible weaknesses of the Bitcoin blockchain see: Satoshi Nakamoto, ‘Bitcoin: A Peer-to-Peer Electronic Cash System’ (31 October 2008) <https://bitcoin.org/bitcoin.pdf> accessed 21 May 2018.

13 However in exceptional cases the ‘controlling parties that set up the [blockchain] (ranging from citizens to public or private organizations) can decide to alter’ its history (e.g. the splitting of the Ethereum blockchain in 2016). See: Ølnes, Ubacht and Janssen (n 2); Nicola Atzei, Massimo Bartoletti and Tiziana Cimoli, ‘A survey of attacks on Ethereum smart contracts’ in Matteo Maffei, Mark Ryan (eds), Principles of Security and Trust (Springer 2017).

(6)

However, these features which provide protection against error and fraud may be in direct conflict with EU data protection rules that provide for the autonomy of a data subject, for example the incoming EU General Data Protection Regulation14_{(GDPR) provides for enforceable rights such as}

the right to be forgotten,15_{data retention periods}16_{and the right to rectify information.}17

Research Question: Are the features of blockchain technology, a system of immutable,

decentralised and distributed records, compatible with EU Data Protection law?

The thesis provides a legal analysis of the features of the technology that present a challenge for existing data protection law. The thesis answers questions about data protection law (its content, scope and application) and blockchain technology as a subject of the law. The research used secondary sources from case law, legislation, academic works and working papers. As this is a new and rapidly developing technology, the thesis takes a more general approach to consider core features of blockchain technology rather than delving into specific examples of blockchain technology. The thesis also considers academic arguments from parallel areas of data protection law or law and technology and analyses whether these apply to blockchain technology.

Case law decided under earlier EU data protection laws has explored the scope of some of these privacy and data protection rights, for example the right to be forgotten18_{but so far there is no}

jurisprudence concerning the GDPR or the impact of blockchain technology on data protection law. These earlier judgments will be explored to assess whether blockchain technology is in conflict with those rights, and whether the features of blockchain technology, as it now exists, and data protection rights may be reconciled. This paper will not delve into an analysis of whether the technology of blockchain could be modified to overcome these data protection concerns. This thesis aims to draw on the theories of EU data protection law largely concerning the incoming GDPR and apply them to blockchain technology, assessing whether or not these theories are applicable to blockchain technology.

Chapter 2 provides an overview of the scope of EU data protection law and determines under which circumstances it is applicable to blockchain technology. Chapter 3 considers key data protection 14 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC OJ L119/1 (GDPR).

15 GDPR, art 17.

16 GDPR, art 5(1).

17 GDPR, art 5(1)(d).

18 Case C-131/12 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja

(7)

principles and certain data protection rights. It will specifically address the immutable, permanent and distributed nature of blockchain and why this presents a problem for data protection law. Chapter 4 considers how data protection law may be reconciled with blockchain technology. Firstly, it assesses whether data protection rights are absolute before determining if a balance of rights may be achieved in the context of blockchain and then considers blockchain’s potential role in strengthening data protection. Chapter 5 introduces some issues related to the enforcement of data protection law in the context of blockchain technology, notably the problem of accountability and the current lack of legal definitions in relation to blockchain before concluding with some thoughts on the suitability of data protection law as a tool for regulating blockchain technology.

(8)

II - The EU Data Protection Regime

Within the EU, privacy as a human right stems from Article 8 of the European Convention on Human Rights (ECHR). As a fundamental right, The Charter of Fundamental Rights of the European Union (CFR) distinctly recognises the right to privacy (Article 7) and the protection of personal data (Article 8 in conjunction with Article 16(1) Treaty on the Functioning of the European Union). Supplementing these texts is comprehensive EU secondary legislation regarding the right to protection of personal data. It has been commented that ‘the roots of data protection lie in the right to privacy, and indeed the right to data protection has been developed specifically to protect privacy in the information society’ and data protection is different to privacy because it lays ‘down positive actions to be taken rather than a general interdiction, and thus not only set forth the right but also the specific elements of the right’.19_{This Chapter explores the scope of this right.}

Although the text of Article 8 ECHR appears narrow the case law of the European Court of Human Rights (ECtHR) has evolved to encompass the right to data protection.20_{Although not a contracting}

party of the ECHR, the EU recognises the ECHR rights21_{and insofar as the CFR, which is binding}

on the Union, contains rights which correspond to those protected by the ECHR, the meaning and scope of those rights are the same as those laid down by the ECHR not preventing Union law from providing more extensive protection.22_{In this regard the ECHR and interpretation by the ECtHR}

can be seen as a minimum level of protection with the EU data protection regime being a reinforced system of protection.23

The EU data protection regime encompasses fundamental rights as interpreted by the CJEU and harmonising EU secondary legislation. The GDPR became directly effective within the Member States as of 25 May 2018, however as there is currently little case law on which to base an analysis of the content of data protection rights for the purposes of this thesis it is also necessary to consider the now repealed Data Protection Directive24_{and its interpretation by the CJEU. Supplementing the}

19 Christopher Docksey, ‘Four fundamental rights: finding the balance’ (2016) 6(3) International Data Privacy Law 195.

20 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (adopted 28 January 1981, entered into force 01 October 1985) ETS 108; S. and Marper v UK App nos. 30562/04 and 30566/04 (ECtHR 4 December 2008); Rotaru v. Romania App no 28341/95 (ECtHR 4 May 2000).

21 Consolidated Version of the Treaty on European Union [2012] OJ C326/13 (TEU), art 6; Joined Cases C-465/00, C-138/01 and C-139/01 Rechnungshof v Osterreichischer Rundfunk [2003] ECR I-04989, paras 70-71.

22 CFR, art 52(3).

23 Case C-28/08 European Commission v The Bavarian Lager Co. Ltd. [2010] ECR I-06055, paras 58-60.

24 Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31 (Data Protection Directive).

(9)

Data Protection Directive is the e-Privacy Directive25_{which deals with the processing of personal}

data in the electronic communications sector, including the internet. Specific EU Regulations provide obligations for the EU institutions in the field of data protection.26

This overview of the relevant EU law will consider the type of data and activities which come under the regime, those affected by it and the territorial application of the regime. Where required there will also be a discussion of its applicability to blockchain technology.

What constitutes personal data?

The Data Protection Directive defined personal data as information relating to an identified or identifiable natural person, 'an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity'.27_{The Directive excludes}

data which is rendered anonymous in such a way that the subject is no longer identifiable.28

Through its interpretation of the Data Protection Directive the CJEU has held that, inter alia, the following constitutes personal data: names,29_{contact details and information about working}

conditions or hobbies,30_{static IP addresses because they allow the concerned users to be precisely}

identified,31_{data concerning working times and work period of individual workers,}32_{tax data,}33_an

exam script because its aim is to determine and establish the individual performance of a specific person, irrespective of whether the paper is pseudonymised using a student number because the central body could easily identify that candidate34_{and the handwriting sample itself may be}

identifiable data.35_{In Breyer the Court gave further guidance on the meaning of ‘identifiable’ that it}

is not necessary that the information alone allows the data subject to be identified and that it is not required that all the information enabling the identification of the data subject must be in the hands

25 Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37 (e-Privacy Directive).

26 Regulation (EC) 45/2001 of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the institutions and bodies of the Community and on the free movement of such data [2001] OJ L8/1.

27 Data Protection Directive, art 2(a).

28 Data Protection Directive, recital (26).

29 Bavarian Lager (n 23), paras 58-60, 68.

30 Case C-101/01 Criminal Proceedings Against Lindqvist [2003] ECR I-12971, para 24.

31 Case C-70/10 Scarlet Extended SA v SABAM [2011] ECR I-11959, para 51.

32 Case C-342/12 Worten — Equipamentos para o Lar SA v ACT ECLI:EU:C:2013:355, para 19.

33 Case C-201/14 Smaranda Bara and Others v Casa Naţională de Asigurări de Sănătate and Others ECLI:EU:C:2015:638, para 29.

34 Case C-434/16 Peter Nowak v Data Protection Commissioner ECLI:EU:C:2017:994, paras 31, 40-41.

(10)

of one person.36_{It must however be determined whether it is reasonably likely that the information}

could be combined with the additional information held by another party which would not be the case ‘if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant’.37_{CJEU interpretation of the}

e-Privacy Directive has established that metadata (such as traffic and location data) may be no less sensitive as the actual content of communications and thus is to be regarded as personal data as it allows for profiling of an individual.38

The GDPR builds upon the definition in the old Data Protection Directive and codifies the case law of the CJEU defining personal data as information relating to an identifiable natural person (‘data subject’), i.e. ‘one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.39_{The recitals to the GDPR give further indication as to the}

definition of personal data.40_{The Regulation does not cover the processing personal data which}

concerns legal41_{or deceased persons.}42_{Personal data which has 'undergone pseudonymisation,}

which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person’ but the principles of data protection do not apply to anonymous information.43_{The GDPR incorporates the CJEU’s interpretation of}

‘identifiable’, that account ‘should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments'.44

Blockchain technology may record any number of types of data, including the metadata relating to a transaction which could be stored within the hash linking together two blocks. Dependent upon whether the data can be classified as identifiable may mean that the blockchain falls within the data protection regime. Suffice to say that the envisaged applications of blockchain technology, for

36 Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland ECLI:EU:C:2016:779, paras 41-43.

37 Ibid, paras 45-46.

38 Joined Cases C-203/15 C-698/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home

Department v Tom Watson and Others ECLI:EU:C:2016:970, paras 98-99.

39 GDPR, art 4(1).

40 Recitals are not legal rules but are interpretive tools, see: Case 215/88 Casa Fleischhandels-GmbH v Bundesanstalt

für landwirtschaftliche Marktordnung [1989] ECR 02789, para 31.

41 GDPR, recital (14).

(11)

recording property rights or smart contracts would likely fall under the scope of the GDPR given that they would contain information about rights holders or contract parties.45_{Berberich and Steiner}

also note that although the information on a blockchain is usually encrypted and can only be accessed with the correct keys, encryption will not as such take the data outside of the scope of the GDPR.46_{As per the GDPR, and cases Nowak and Breyer, the fact that only unique ID references are}

used and ‘additional information may be necessary to attribute the information to the data subject, such information would be merely pseudonymised and count as personal information’.47

Who is a data controller?

The GDPR defines ‘controller’ as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’48_{and ‘processor’ as ‘a natural or legal person, public authority, agency or other body}

which processes personal data on behalf of the controller'.49_{Under the Data Protection Directive the}

CJEU gave the notion of controller a broad definition to ensure complete and effective protection of data subjects finding that search engine operators are controllers because they make personal data accessible to any internet user who would otherwise not have found the web page on which the data is published.50

Here the distinction between public and private blockchains is relevant. For a private blockchain the owner/operator of the blockchain would be considered the data controller whereas for a public blockchain which is characteristically decentralised then every node on the blockchain could be considered a data controller.51_{If each node were to be considered a joint controller within the}

meaning of the GDPR then there is an obligation to determine respective responsibilities for compliance with the regulation in a transparent manner.52_{In such a situation ‘the data subject may}

exercise his or her rights under this Regulation in respect of and against each of the controllers’.53

Chapter V will explore how this raises enforcement issues.

45 Berberich and Steiner (n 1).

46 Ibid.

47 Ibid.

48 GDPR, art 4(7).

49 GDPR, art 4(8).

50 Google Spain (n 18), paras 33-41.

52 GDPR, art 26.

(12)

What is data processing?

The Data Protection Directive encompassed a broad range of activities under ‘processing’. This included the processing of personal data wholly or partly by automatic means and processing contained in a filing system structured according to specific criteria relating to individuals to permit easy access to the data in question.54_{Only two exceptions exist: security and criminal law activities}

of the state and where processing by a natural person takes place in the course of a purely personal or household activity.55_{The Court has held that ‘the processing of personal data carried out in the}

context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page'.56

The GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.’57_{Applying this to blockchain technology means that whether the}

blockchain includes original data or merely replicates data from other sources it falls within the

scope of the regime.

Territorial scope

Article 3 of the GDPR extends the territorial scope of the Regulation to the processing of personal data by a controller established within the EU, regardless of whether the processing takes place inside the EU58_{and where the data subjects but not the controller/processor are situated within the}

EU where processing is related to the monitoring of behaviours or the offering of goods or services, irrespective of whether payment is required.59_{Consistent with the old Data Protection Directive the}

scope also applies to overseas territories of the Member States.60_{When considering blockchain}

technology, this aspect is important since not only blockchains established inside the EU or by Union controllers will fall under the Regulation but also those which utilise the personal data of EU

54 Data Protection Directive, art 3 and recital (15).

55 Data Protection Directive, art 3(2); Case C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and

Satamedia Oy [2008] ECR I-09831, paras 35-37.

56 Google Spain (n 18), para 35.

57 GDPR, art 4(2).

58 GDPR, art 3(1).

59 GDPR, art 3(2) and recitals 23-34.

(13)

data subjects. In case of a breach of the Regulation, controllers or processors meeting the above criteria may be liable for damages61_{or administrative fines.}62

The wide territorial scope and broad definitions of the notion of controller now means that a greater number of persons fall under the new data protection regime than earlier versions, however the decentralised nature of blockchain technology can cause difficulties in identifying who is a controller. This discussion has demonstrated that current and envisaged uses of blockchain technology can fall within the scope of EU data protection law. It is therefore necessary to consider whether the use of blockchain technology may be in conflict with EU data protection rights.

61 GDPR, art 82.

(14)

III - Blockchain technology and its compatibility with

EU Data Protection Rights

This chapter will consider the individual rights under the GDPR and how the features of blockchain technology may be incompatible with them.

General principles of processing of personal data

The GDPR builds upon general principles of EU law, previous legislation and the CJEU’s case law to set out conditions under which data processing is lawful. In the Google Spain judgment, decided under the old Data Protection Directive, the Court held that ‘all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive’.63_{Therefore it must be examined how these two articles apply to blockchain technology.}

Article 5 GDPR64_{sets out the principles relating to processing of personal data which includes}

temporal limitations,65_{data quantity,}66_{data quality}67_{and appropriate safeguards.}68_{These principles}

can be seen reflected in other rights under the GDPR such as the right to erasure and the right to rectification which will be considered below. It is worth noting that storage limitations may be problematic for permanent and immutable ledgers such as blockchain insofar as the ‘period for which the personal data are stored is limited to a strict minimum’ and for ‘no longer than is necessary’.69_{This requirement may severely limit the possible uses of blockchain technology to}

those where a persistence is required i.e. situations where it is necessary for data to be retained indefinitely such as land registries or copyright ownership records. Conversely the requirement that data should be processed ‘in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’70_{may be met well}

by blockchain technology. The cryptography that goes into putting the data on the blockchain coupled with its near immutability makes it difficult (although not impossible) for the data to be damaged and the proof of work means that the data quality is usually of a high standard.

65 ‘Storage limitation’ GDPR, art 5(1)(e).

66 ‘Data minimisation’ GDPR, art 5(1).

67 ‘Purpose limitation’ GDPR, art 5(1)(b); ‘accuracy’ GDPR, art 5(1)(d).

68 ‘Lawfulness, fairness and transparency’ GDPR, art 5(1)(a); ‘integrity and confidentiality’ GDPR, art 5(1)(f).

69 GDPR, art 5(1)(e) and recital (39).

(15)

Article 6 GDPR states that the processing of personal data shall be lawful only if one of the conditions applies: the data subject has given consent;71_{in the absence of consent where processing}

is necessary for the performance of a contract to which the data subject is party;72_{for compliance}

with a legal obligation to which the controller is subject;73_{to protect vital interests;}74_{for the}

performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;75_{legitimate interests pursued by the controller of a third party.}76_{Where processing}

is carried out under the final two conditions the data subject has a right to object to processing unless the controller ‘demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims’.77_{In the absence of the data subject’s consent it is not difficult to imagine the use of}

personal data on a blockchain fitting into one of the listed conditions. For example the use of blockchain for land registries or e-voting in Estonia would be classified as a task carried out in the public interest or official authority. The use of blockchain for smart contracts may fall under the category of performance of a contract or compliance with a legal obligation. Such examples may also satisfy the defence of legal claims exception to the right to object.

Where processing is only legitimate on the basis of the data subject’s consent then the withdrawal of such consent removes its legitimacy. Where the legitimacy of data on a blockchain is only predicated on consent then the immutable nature of blockchain may cause difficulties in providing an appropriate legal remedy where consent is withdrawn. The Article 29 Working Group has given further guidance (concerning the old Data Protection Directive) that it is implied that withdrawal of consent ‘is exercised for the future, not for the data processing that took place in the past, in the period during which the data was collected legitimately. Decisions or processes previously taken on the basis of this information can therefore not be simply annulled. However, if there is no other legal basis justifying the further storage of the data, they should be deleted by the data controller’.78

The argument could be made that so long as no future processing occurs then the retention of data on the blockchain prior to the withdrawal of consent would not cause problems, but it must be remembered that under the definitions provided in case law and the GDPR ‘processing’ includes the

71 GDPR, art 6(1)(a). 72 GDPR, art 6(1)(b). 73 GDPR, art 6(1)(c). 74 GDPR, art 6(1)(d). 75 GDPR, art 6(1)(e). 76 GDPR, art 6(1)(f). 77 GDPR, art 21(1).

78 Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’ (01197/11/EN WP187,13 July 2011) <http://www.pdpjournals.com/docs/88081.pdf> accessed 01 May 2018, 33.

(16)

mere storage of data. So it would fall to whether there is a legal basis, a legitimate ground for further processing, such as an exception relating to the nature of blockchain technology itself which justifies the continued storage of data collected legitimately at the time when consent was given.79

No clarifications have been given by the legislature in this regard.

Right of access by the data subject

Article 15 GDPR gives data subjects the right to confirmation about whether their personal data is being processed. if so, they have the right to access that data. In a case decided under the old Data Protection Directive the CJEU emphasised that the right of access is necessary to enable the data subject to exercise their other rights.80

Article 15 also gives the data subject the right to information about ‘the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations’81_{and ‘where possible, the envisaged period for which the}

personal data will be stored, or, if not possible, the criteria used to determine that period'.82_For

private blockchains this poses less of a problem since there may be records of the closed group that have access to the blockchain. However for public blockchains it is difficult to determine who has access and from where they are accessing data since users are visible only by their public key. For example, at its highest point there were 1,072,861 public keys used on the bitcoin blockchain,83_it

would be near impossible to convey that volume of information to a data subject to enable them to enforce their rights in any meaningful way.

Automated decision making

The GDPR applies to the processing of personal data wholly or partially by automated means84_and

gives data subjects ‘the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her’.85_{It is expected that over time smart contracts will ‘evolve and develop to make}

automated decisions’ that could be based on EU citizen’s data and that if a smart contract is running

79 Paulan Korenhof and others ‘Timing the Right to Be Forgotten: A study into “time” as a factor in deciding about retention or erasure of data’ (Computers, Privacy and Data Protection Conference 2014) 11

<http://ssrn.com/abstract=2436436> accessed 21 May 2018.

80 C-553/07 College van burgemeester en wethouders van Rotterdam v Rijkeboer [2009] ECR I-03889, paras 51-52.

81 GDPR, art 15(1)(c).

82 GDPR, art 15(1)(d).

83 Highest point at 14/12/2017 01:00. ‘Number of Unique Addresses Used’ <https://blockchain.info/charts/n-unique-addresses> accessed 13/04/2014.

84 GDPR, art 2. 85 GDPR, art 22.

(17)

on a public blockchain and does not contain a means to reverse any automated decisions made then it will not be GDPR compliant.86_{In just one example of how smart contracts could engage in}

automated processing, Gatteschi et al consider the potential use of blockchain technology in the insurance sector. They posit the situation where blockchain is used to record information about a person for example through wearable devices or through the Internet of Things in the home. The devices record data and add these to the blockchain where a smart contract can read the information linked to a person and automatically compute insurance premiums, perform risk assessments, or automatically activate and deactivate pay-per-use insurance and execute payments in case an external factor is realised. However, they do acknowledge that under current models smart contracts could only be deployed for a limited number of policies and that the majority of claims processed by insurance companies would need to be evaluated by an expert.87

Article 22 does not apply if the decision is necessary for entering into, or performance of a contact between the data subject and controller;88_{is authorised by law}89_{or is based on the data subject’s}

explicit consent.90_{It is posited that another way to ensure GDPR compliance is to include code in}

the contract that allows a reversal of transactions conducted but if subsequent transactions have been conducted based on the original decision then these will need to be reversed which could be a lengthy or impossible action.91

Right to rectification

Article 16 GDPR gives the data subject the right to rectification of inaccurate personal data concerning them or to have incomplete personal data completed by means of providing a supplementary statement. When applied to blockchain this may be problematic since one of the core features of blockchain is that it is nearly impossible (or only possible with extreme difficulty as it involves undoing the blockchain) to amend data that has been cryptographically added to the blockchain. Furthermore, even if one copy of the blockchain could be amended to comply with the right to rectification the fact that automatic distribution occurs to all nodes concurrently means that the other copies will remain in their original form i.e. without the rectification. Conversely, it could be argued that due to the verification process that takes place before data is placed on the blockchain, the quality of data will typically be high, reducing the risk that the data placed on the blockchain will be inaccurate as a result of controller error. Nevertheless, personal data pertaining

86 ChainFrog, ‘Blockchain and GDPR: How to square privacy and distributed ledgers’ (2017) <http://www.chainfrog.com/wp-content/uploads/2017/08/gdpr.pdf> accessed 4 July 2018.

87 Valentina Gatteschi and others, ‘Blockchain and Smart Contracts for Insurance: Is the Technology Mature Enough?’ (2018) 10 Future Internet 20.

88 GDPR, art 22(2)(a). 89 GDPR, art 22(2)(b). 90 GDPR, art 22(2)(c). 91 ChainFrog (n 86).

(18)

to an individual may change in its content over time and so the inability to amend the data means that the problem persists. One solution may be to provide an update in a subsequent block.

Right to erasure (‘right to be forgotten’)

The earlier drafts of the GDPR92_{referred to this as the 'right to be forgotten’ however, following}

objections by some Member States and companies involved in the processing of large volumes of data93_{the final GDPR reads ‘right to erasure’. Whilst Article 12 of the old Data Protection Directive}

gave data subjects the right to the erasure of data which was processed in contravention of the Directive the prominence of the right to be forgotten was established following the Google Spain judgment where the CJEU held in light of their fundamental rights that a data subject may request that their information is no longer made available to the public via search results (i.e. a right to de-indexing) without going so far as to require the removal of the content on the original webpage.94

The judgment does not explicitly refer to a right to be forgotten and its content and context differs to the requirements set out in Article 17 GDPR. Debate has argued whether the judgment truly did bring into being a right to be forgotten.95_{For these reasons only the right to erasure as expressed in}

the GDPR will be considered here.

Article 17 GDPR grants the right to erasure and where invoked a data controller has the obligation to erase personal data where one of six grounds applies.96_{These include, but are not limited to,}

where data is no longer necessary for the purposes for which it was collected or processed;97_the

data subject withdraws consent on which the processing is based and there is no other legal ground for processing;98_{the data subject objects and there are no overriding legitimate grounds for}

processing.99_{Berberich and Steiner identify the challenges that distributed ledger technology poses.}

Firstly it would be difficult to identify a data controller in a public blockchain that could carry out the right to erasure and secondly and most crucially ‘the distributed, persistent [blockchain] architecture may technologically even preclude a simple deletion upon request by the data subject’ at least in public and permissionless blockchains.100_{The authors recall the fact that data cannot be}

92 Comparison of the three versions of the GDPR adopted by the Commission (2012), the European Parliament (2014) and by the Council (2015). European Data Protection Supervisor, ’Annex to Opinion 3/2015: Comparative table of GDPR texts with EDPS recommendations’ (27 July 2015) 96 <https://edps.europa.eu/sites/edp/files/publication/15-07-27_gdpr_recommendations_annex_en.pdf> accessed 30 April 2018.

93 Cesare Bartolini and Lawrence Siry, ‘The right to be forgotten in the light of the consent of the data subject’ (2016) 32 Computer Law & Security Review 218.

95 Bartolini and Siry (n 93).

97 GDPR, art 17(1)(a).

98 GDPR, art 17(1)(b).

99 GDPR, art 17(1)(c).

(19)

altered without the acceptance of the other nodes and the fact that all transactions are stored permanently. Under current blockchain models it appears ‘unfeasible’ to work backwards to unbuild and then reverify each block in order to erase data.101_{However, ’because permissioned DLT}

systems involve known and trusted parties, historical entries can be amended provided the required number of parties agrees to an erasure’.102

The impracticalities of enforcing the right to be forgotten can be seen in other areas of new technology. As Villaronga et al discuss in the application of the right to be forgotten to artificial intelligence, the problem of this right ‘lies in the clash between the good intentions of the regulators —written from an abstract point of view—and the actual complexity of real-life technical environments’.103_{They argue that the notion of forgetting is unique to human minds and does not}

translate to machine learning. Furthermore, the GDPR is not clear on what exactly erasure means, whether anonymisation would count, or restricting access. The law also does not address whether this impossibility or impracticability of erasure in the context of certain technologies would allow for alternative remedies to suffice. Berberich and Steiner argue that the wording of Article 17(1)(a) GDPR may consider the functioning of blockchain if it can be assured that the grounds for erasure do not apply, i.e. the data is still necessary for processing purposes since the very design of blockchain requires a persistent and continuously written chain of data blocks, but this is yet to be tested in EU law.104

The GDPR also imposes an obligation on controllers that where the data is made public and there is an obligation to erase the data, the controller ‘taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data’.105_{This is problematic for}

DLT for a number of reasons: as mentioned, there could be thousands of nodes each with a copy of the ledger containing personal information and practically it may not be feasible to contact each node and inform them of the data subject’s request. Furthermore, the actual ability of each node to erase the personal data is questionable, even if one copy of the ledger is amended it does not alter

101 Ibid.

102 Baker McKenzie and R3, ‘Blockchains and Law: Are they compatible?’ (Baker McKenzie White Paper, July 2017) <https://www.bakermckenzie.com/en/-/media/files/expertise/fig/br_fig_blockchainsandlaws_jul17.pdf> accessed 21 May 2018.

103 Eduard Fosch Villaronga, Peter Kieseberg and Tiffany Li, ‘Humans forget, machines remember: Artificial intelligence and the Right to Be Forgotten’ (2017) Computer Law & Security Review: The International Journal of Technology Law and Practice (forthcoming) <https://ssrn.com/abstract=301818 6 > accessed 21 May 2018.

(20)

the actual integrity of the blockchain which remains in its earlier form. This is perhaps where the language of the GDPR may allow for some leeway since it requires ‘account of available technology’ and ‘reasonable steps’. Could this therefore provide an exception for technologies that by their nature are unable to ‘forget’?

Article 17(3) states that the obligations do not apply to the extent that processing is necessary for, inter alia, ‘compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;’106_{archiving or historical}

research purposes107_{and for the establishment, exercise or defence of legal claims.}108_{As previously}

discussed certain applications of blockchain technology may satisfy these exceptions. Public registries (land, voting) may be classified as tasks performed in the public interest or may qualify as historical records; smart contracts may fall under the exemption relating to legal claims.

It is apparent that the fundamental features of blockchain technology may pose both threats and opportunities to data protection principles and rights. Placing blockchain technology under either category depends entirely upon what it is used for and the type of data it holds. Discussion has focussed on the principal rights that are most at risk in the area of blockchain technology but the effects of blockchain technology on EU data protection law are not limited to the rights presented here. Having established that certain data protection principles and rights may be infringed an assessment must be made as to whether these rights may be reconciled with blockchain technology.

106 GDPR, art 17(3)(b).

107 GDPR, art 17(3)(d).

(21)

IV - Reconciling blockchain and data protection rights

Balancing rights

In order to assess whether blockchain and the GDPR could be reconciled by balancing the rights of the data subject with those of the data controller it is first necessary to consider whether the rights under the EU data protection regime are absolute. This section will consider case law of the CJEU and the wording of the GDPR before assessing whether any balancing of rights could occur in the context of blockchain technology.

Are data protection rights absolute?

In its case law, the CJEU has recognised the need to balance data protection with fundamental rights using the rules within the Data Protection Directive and e-Privacy Directive.109_{It has carried}

out this balancing exercise of data protection with freedom of expression,110_{the right to protection}

of property and an effective remedy,111_{intellectual property rights,}112_{the legitimate interests of the}

controller in protecting the property, health and life of his family and himself.113_{In Schecke the}

Court emphasised the need for the EU Institutions to try to strike a balance between fundamental rights when enacting legislation requiring publication of personal data and that ‘no automatic priority can be conferred on the objective of transparency over the right to protection of personal data’ even when publication pursues important economic objectives.114

In ASNEF the CJEU held that Article 7 of the Data Protection Directive provides an exhaustive list of cases where the processing of data may be lawful including if it is ‘necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject’.115_{This precluded a Member State from excluding in a generalised}

manner ‘the possibility of processing certain categories of personal data, without allowing the

109 Although the case law cited here concerns the interpretation of the old data protection legislation there is no indication that the court will depart from its jurisprudence.

110 Lindqvist (n 30), paras 82-90.

111 Case C-275/06 Promusicae v Telefónica de España SAU [2008] ECR I-00271, paras 65-66.

112 Scarlet Extended (n 31), para 53.

113 Case C-212/13 František Ryneš v Úřad pro ochranu osobních údajů ECLI:EU:C:2014:2428, para 34.

114 Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen [2010] ECR I-11063, para 85.

(22)

opposing rights and interests at issue to be balanced against each other in a particular case’.116_The

Court in ASNEF stated that the Directive set ‘two cumulative conditions that must be fulfilled in order for the processing of personal data to be lawful: firstly, the processing of the personal data must be necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed; and, secondly, such interests must not be overridden by the fundamental rights and freedoms of the data subject’.117

Considering the balancing exercise carried out under Article 7(f) Data Protection Directive, the Court in Google Spain clarified the weighting of the different interests. Here the interest of the data subject weighed higher because of the role of the Internet and search engines in linking together various sources of information to create a profile of an individual.118_{In light of the seriousness of}

this interference it could not be justified by the mere economic interests of the data controller however 'the legitimate interest of internet users potentially interested in having access to that information’ may also be considered.119_{The Court held ‘whilst it is true that the data subject’s rights}

protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life’.120_{Finally, the Court considered that a separate balancing of interests must be}

carried out for processing by the search engine and processing by the original web publisher.121

In Breyer the Court considered the whether the Data protection Directive precluded Member State legislation permitting the collection and use of personal data without the subject’s consent only insofar as it is necessary in order to facilitate the specific use and ensure the general operability of certain services. The Court held that the legislation in question, by prescribing the result to be achieved, reduced the scope of Article 7(f) of the Directive ‘by excluding the possibility to balance the objective of ensuring the general operability of the online media against the interests or fundamental rights and freedoms of those users’.122_{In Tele2}123_{the Court went further than previous}

judgments unequivocally stating that blanket data retention measures, even in the interest of

116 Joined Cases C-468/10 and C-469/10 ASNEF and FECEMD v Administración del Estado [2011] ECR I-12181, paras 37, 47-48.

117 Ibid, para 38.

119 Ibid, para 81.

120 Ibid.

121 Ibid, paras 82-85.

122 Breyer (n 36), para 63.

(23)

national security are incompatible with EU law, read in light of the Charter giving further weighting in favour of data protection rights.124

Finally, in Manni the Court considered the accessibility by third parties of personal data of a company director held in the companies register and whether the data subject could exercise his right to erasure.125_{Here the Court had to weigh the interests of disclosure (a duty provided for by}

legislation) against the rights of the data subject. It considered that ‘even after the dissolution of a company, rights and legal relations relating to it continue to exist’ and the data may be necessary ‘to assess the legality of an act carried out on behalf of that company during the period of its activity or so that third parties can bring an action against the members of the organs or against the liquidators of that company'126_{perhaps even years after the company has ‘ceased to exist’.}127_{Given the}

impossibility of identifying a single time limit ‘as from the dissolution of a company, at the end of which the inclusion of such data in the register and their disclosure would no longer be necessary’ it held that the Member States could not guarantee, in principle, the right to erasure of that data.128_It

reasoned that this interpretation was not a disproportionate interference in the data subject’s fundamental rights since the disclosure obligations related to a limited number of personal data items (related to company functions); since the disclosure obligations are a safeguard to third parties ‘it appears justified that natural persons who choose to participate in trade through such a company are required to disclose the data relating to their identity and functions within that company, especially since they are aware of that requirement when they decide to engage in such activity’.129

Although in principle the interests of third parties in relation to companies, legal certainty, fair trading and thus the proper functioning of the internal market take precedence, it cannot be excluded, that national legislatures may decide on a case-by-case basis whether in certain situations the overriding interests of the data subject allows them to apply to the companies register for a limitation on access to data concerning them.130

Recital (4) to the GDPR states that the right to protection of personal data is not absolute and must be balanced against other fundamental rights.131_{The GDPR includes the specific obligations for}

124 Orla Lynskey, ‘Tele2 Sverige AB and Watson et al: Continuity and Radical Change’ (European Law Blog, 12 January 2017) <http://europeanlawblog.eu/2017/01/12/tele2-sverige-ab-and-watson-et-al-continuity-and-radical-change/> accessed 12 April 2018.

125 Case C-398/15, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni ECLI:EU:C:2017:197. 126 Ibid, para 53. 127 Ibid, para 54. 128 Ibid, paras 55-56. 129 Ibid, paras 57-59. 130 Ibid, paras 60-61. 131 GDPR, recital (4).

(24)

Member States to reconcile the right to protection of personal data with the freedom of expression and information for journalistic or academic, artistic or literary expression132_{and the right of public}

access to official documents in the context of personal data held by public bodies or private bodies acting in the public interest.133_{The GDPR also allows for derogations for processing for archiving}

purposes in the public interest, scientific or historical research purposes or statistical purposes providing appropriate safeguards are met.134

How may this balancing be achieved in relation to blockchain?

It is clear from the Court’s case law that purely economic reasons will not be considered in the balancing of rights however one may consider the freedom to conduct a business (Article 16 CFR) as encompassing economic factors. This fundamental right is explicitly listed in Recital 4 of the GDPR as one of the rights to be reconciled with data protection. Consider a business that is reliant on blockchain technology in order to function (for example a cryptocurrency or a supply chain network) then the mere existence of the blockchain as being essential to the functioning of that business could be sufficient to tip the balance in favour of blockchain.

One approach may be to follow the Court’s lead in Manni and look at the purpose of the blockchain. For example, a blockchain recording copyright ownerships would be protecting intellectual property; other uses may support transparency or like Manni a companies register aids the protection of third parties. Supposing there is no egregious violation of data protection law and the data is limited to that necessary to fulfil its role these interests in certain cases may be sufficient to tip the balance in favour of the data controller. It is clear from the case law that there must be a balancing act on a case-by-case basis and that any blanket prohibition or acceptance of data processing will not be upheld.

Further consideration is given that the weighting of competing interests will vary over time. A number of academics have commented on the influence of time as a factor in whether the right to be forgotten can be enforced135_{and that the ‘passing of time may reverse the balance of interests}

involved in the processing of personal data’.136_{Korenhof et al argue that time can play two parts in}

law, it can play a ‘role as a weight in a balance of interests’ tipping the balance in either direction or 132 GDPR, art 85.

133 GDPR, art 86.

134 GDPR, art 89.

135 Meg Leta Jones, ‘It's about time: privacy, information life cycles, and the right to be forgotten’ (2012) 16 (2) Stanford Technology Law Review 101.

136 Giovanni Sartor, ‘The right to be forgotten: balancing interests in the flux of time’ (2016) 24 International Journal of Law and Information Technology 72.

(25)

can play a role as the ‘marker of a discrete moment where the grounds for [data] retention no longer hold’ and the data should be erased.137_{The authors argue that the ‘time-cycle’ of data processing is}

highly dependent on the use and purpose of the data collection. This factor is worth considering alongside blockchain technology since the immutability of the data on the blockchain could mean that it not possible to edit or remove data. For example, data on the blockchain that was once legitimately processed may over time weigh below the interests of data protection but its removal may not be possible. Therefore, it is important to consider the future value of data on a blockchain even if its current use is compliant with data protection principles.

Certain applications of blockchain technology may benefit from the explicit exemptions in the GDPR. If the blockchain were to be used as an archive of information (owing to its near immutability and transparency) then providing that safeguards are in place it is unlikely to be an issue. As discussed, the use of blockchains for public registries (e.g. Estonia’s e-registries) may be exempt under the public interest or official authority exceptions under the specific data protection rights.138

Digital single market considerations

Recitals (6) and (7) GDPR recognise the role of rapid technological development in the data protection regime (as a threat and an opportunity) and state that ‘those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market.’ It is clear that the legislature had in mind the need to promote the digital economy when drafting this regulation. In Manni the Court considered the weighting of interests to be carried out under the old Data Protection Directive and in that case legal certainty, fair trading and thus the proper functioning of the internal market took precedence.139_{Therefore could the promotion of the}

internal or digital market be classified as a legitimate interest to be considered in certain cases? It is important to recall the Court’s pivotal role in single market integration in past cases. The adoption of the Commission’s Blockchain Observatory and a potential EU blockchain infrastructure within the ambit of the digital single market may provide scope for the balancing of rights between data protection and considerations of the need to promote the digital single market. It could further be argued that because blockchain operates as a trustless system (i.e. it does not require ‘trusted’ intermediaries to operate) it could be further developed as a tool for enhancing the digital single

137 Korenhof and others (n 79).

138 GDPR, art 17(3).

(26)

market. Although ‘trust is not created by a technology’ blockchain ‘can facilitate better control and audit which ultimately might result in more trust’.140_{If a blockchain were to be developed that}

promotes the digital single market this may weigh heavily in the balancing exercise between

blockchain and data protection rights.

Designing blockchain with GDPR compliance in mind

Article 25 GDPR requires data protection by design and default. This means that at the time of determining the means of processing and at the time of processing itself they must implement ‘appropriate technical and organisational measures’ which are ‘designed to implement data protection principles’ and to integrate safeguards into the processing.

Types of data stored on the blockchain

The easiest way of designing or using blockchain with GDPR compliance in mind would be to limit the type of data stored on the blockchain. As per the GDPR141_{a data controller may take measures}

such as pseudonymisation142_{to fulfil its obligations of data protection by design. When applied to a}

large blockchain such as bitcoin this may mean that the visible data of a participant such as their public key could be regarded as pseudonymised data since the individual is not instantly recognisable, or for example for e-registries individual ID numbers could be used in place of names. Caution must be taken with the use of pseudonymised data143_{since the CJEU has previously held}

that unique ID references may be classified as personal data if the additional information needed to identify a person is not difficult to obtain.144_{The GDPR requires the controller to take technical and}

organisation measures to ensure that additional ‘identifying’ information is kept separately.145_{For a}

private blockchain it would fall upon the owner to ensure that these measures are in place however, for a large public blockchain would the obligation rest with the original creator?

The GDPR does not apply to the personal data of deceased persons which remain subject to Member State rules146_{or anonymous data.}147_{There may therefore be an exception if the blockchain}

140 Ølnes, Ubacht and Janssen (n 2).

141 GDPR, art 25(1).

142 GDPR, art 4(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

143 GDPR, recitals (26) (28) (29).

144 Nowak (n 34) and Breyer (n 36).

(27)

is used as a permanent historical ledger (such as historic title registries) or for statistical or research purposes if the data is anonymised.

Programmable features of blockchain

The GDPR suggests measures to mitigate data processing risks (accidental or unlawful destruction, loss, alteration, unauthorised disclosure/access of personal data) such as encryption.148_{Here it could}

be argued that blockchain enhances data protection because instead of relying on passwords that could be easily compromised the use of public and private keys encrypts the data that is placed onto the blockchain. Multi-signature protection or the requirement for multiple keys (public and private) to authorise a transaction increases the security of the system and because the proof of identity is stored in a cryptographic format it is difficult to compromise.149_{As previously discussed, once the}

data is on the blockchain it is very difficult to be tampered with and so it could be argued that blockchain technology offers a solution to mitigate some risks associated with data processing.

The GDPR states that the controller ‘should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features’.150_{It could be argued that blockchain may provide solutions to}

enhance data protection.

Kshetri identifies a number of roles that blockchain can play in strengthening cybersecurity and privacy. He argues that traditionally ‘the security features of many of the important systems across many industries rely on what is known as “security through obscurity” approach in security engineering. The idea in this approach is to keep a system's security mechanisms and implementation secret. However, a major drawback of this method is that the entire system may collapse when someone discovers the security mechanism’.151_{Blockchains avoid this because the}

information is stored on a distributed ledger, consequently there is no need to hold information with third parties and no single point of failure. For hacking to be successful over 50% of the nodes would need to be simultaneously hacked to gain control. The creator of the Bitcoin blockchain 148 GDPR, recital (83).

149 Nir Kshetri, ‘Blockchain's roles in strengthening cybersecurity and protecting privacy’ (2017) 41 Telecommunications Policy 1027.

Permanent distributed ledger technology and its compatibility with EU data protection law.