On the 27th July 2019, the European Parliamentary Research Service published a study with the title of "Blockchain and the General Data Protection Regulation" (the "Study") authored by Dr. Michèle Finck. This Study examined the relationship between blockchain technology (a decentralised, distributed and public digital ledger technology) and the Regulation 2016/679 of the European Parliament and the Council (the “GDPR”).
The main part of the Study states that the technical structure of blockchain technology as well as its governance arrangements stand in contrast with the legal requirements of the GDPR and it highlights the following legal uncertainties:
Undefined data controller: according to the GDPR, each personal data point has a relationship with at least one natural or legal person – the data controller – that data subjects can address to enforce their rights under GDPR. In contrast, where the Blockchain network is public and permissionless, it is more difficult to appoint a unitary actor with many different players; and
Legal requirements of “erasure”: the main benefit of blockchain technology is that the blocks in the chain cannot be deleted or modified, however, the GDPR is based on the assumption that data can be modified or erased where necessary to comply with Articles 16 and 17 of the GDPR.
Beside to the above, this study also recommends that each blockchain network should be examined on the basis of a detailed case-by-case analysis and it suggests to elaborate the followings by the regulators:
Regulatory guidance on the interpretation of certain elements of the GDPR when applied to blockchains;
Codes of conduct and certification mechanisms; and
More widely research on how blockchains' technical design and governance solutions could be adapted to the GDPR's requirements.
Please feel free to contact us if you require more information on the legal requirements relating to Blockchain and GDPR.