Published 14 November 2022
Blockchain and associated distributed ledger technologies (DLTs) are increasing in prominence and use across a number of sectors – including healthcare, logistics, real estate, banking and insurance. However, it is probably owing to more trendy applications such as crypto assets, including non-fungible tokens (NFTs), that they are gaining in popularity and acceptance.
Nonetheless, despite their popularity and central role in emerging technologies, concerns remain around whether the use of Blockchain technology involving personal data can be achieved in compliance with data protection law – in particular the EU and UK GDPR (together, “the GDPR”) and Data Protection Act 2018.
Some of the core features of a Blockchain, particularly (a) its immutable nature (meaning it cannot be changed); (b) its reliance on a decentralised framework (making it difficult to define who the controllers and processors are); and (c) that the data is shared across a peer-to-peer network, mean that by nature, it conflicts with some key requirements of the GDPR. In particular, the principles of data minimisation, purpose compatibility, accountability and data retention need to be looked at carefully, as well as upholding data subjects’ rights.
Of the two main types of Blockchain (private/permissioned versus public/permissionless, although there are hybrid varieties), it is the public/permissionless variety which presents the most concerns in relation to its ability to facilitate data protection compliance. Permissionless Blockchains offer little in the way of suitable controls, accountability, permissions or protocols on data sharing, with no clear identifiable data controller to carry the responsibility for managing compliance centrally.
Furthermore, one of the key features of any Blockchain is its immutable nature – in other words, once data is recorded on the Blockchain, it cannot be altered or deleted. Whilst this offers security and trust, insofar as the integrity of transactions is concerned, it obviously conflicts with the principles of data retention and upholding of data subject rights under the GDPR (particularly the rights of rectification and deletion under Articles 16 and 17 respectively).
In response to these challenges, data protection regulators are increasingly looking at how to square the onerous and restrictive obligations under the GDPR against this increasingly ubiquitous and all-encompassing technology. Whilst UK organisations await substantive guidance from the Information Commissioner’s Office (ICO), it has been helpful to read the views of the French data protection authority, the CNIL, who have cautiously issued recommendations around how Blockchain may be used in a GDPR-compliant fashion.
Furthermore, an EU research paper by the European Parliamentary Research Service has encouragingly stated that “…this study finds that it cannot be concluded in a generalised fashion that blockchains are either all compatible or incompatible with European data protection law. Rather, each use of the technology must be examined on its own merits to reach such a conclusion.” Therefore, whilst caution is advised, it is useful to know that the regulators do not rule out the possibility that a Blockchain is capable of achieving GDPR compliance.
As a light at the end of the tunnel, there is even a suggestion that, where used responsibly (particularly in the context of a private, permissioned Blockchain), the technology could ultimately help facilitate compliance with the GDPR. In particular, it has the potential to encourage transparency, offer a solid basis for a secure data sharing framework, assist with data portability and promote meeting other data subject rights.
Either way, the uncomfortable but fascinating interplay between the evolving technology and the legislative landscape will remain for the foreseeable future and it will be really interesting to see how the regulators respond to these concepts to provide guidance to organisations wanting to embrace this technology in a responsible manner.