Data Rights. Compliance with GDPR in Blockchain Networks
Articles 15-22 of the GDPR provide specific data rights. Data controllers are obliged to facilitate the exercise of these rights and cannot delegate this task to others. Some blockchain data rights do not pose specific problems, but others do cause technical problems and legal challenges. Possible solutions to these problems depend on the identity of the data controller as well as on their influence on the data. Of course, the application of these data rights can only be assessed on the basis of case analysis which assigns specific techniques to each data processing function.
According to Article 15 of GDPR, data have the right to receive confirmation from the data controller whether they are being processed, and if this happens how easy is the access to the following information:
- Purpose of processing
- Categories of relevant personal data
- Recipients or categories of recipients to whom the data have given
- Estimated period for which personal data will be stored
- Existence of the right to request the deletion or processing by the data controller
- Right for a complaint to a supervisory authority
- When data are not collected by the person in charge must give information about their source
Requests for access may be submitted to the data controller/s. However, it has been observed that some entities designated as data controllers may not have access to blockchain data. For example, nodes can only see encrypted data in the blockchain. As a result, they may not be able to determine whether the ledger contains real personal data about the subject to whom they refer, a fact which activates the right of access. Similar problems arise with the requirement that the controller has to provide a copy of the data to be processed. Consequently, the entity that decides about the use of the blockchain and the processing of personal data must ensure that there are appropriate governance arrangements in place to enable this right to be exercised effectively.
According to Article 16 of GDPR, the data subject has the right to request from the data controller the correction of inaccurate personal data. Taking into consideration the purpose of the processing, the data subject has the right to fill in incomplete personal information.
Blockchain networks allow the importation of data (append-only data structures). The deletion and modification are extremely difficult processes so to ensure network integrity and reliability. This is in contrast to the GDPR, as according to it the data must be changed in order to make it possible to delete them. Indeed, in most blockchain networks, the correction of data is not supported.
Private blockchain networks can support such requests. Correcting data on public blockchain networks is much more difficult and participants are not always able to comply with this request. This is not due to the fact that it is strictly technically impossible to do so, but because each node can change its own copy of the chain.
According to Article 17 of the GDPR, data has the right to be deleted by the controller when one of the following reasons exists:
- Personal data are no longer necessary in relation to the purposes for which there were collected or otherwise processed.
- The data subject withdraws the consent on which their processing is based
- The data subject opposes their processing
- The data has been illegally processed
- The data must be deleted to comply with a legal obligation to which the controller is the data subject
- The data has collected for the provision of information to services
Given the available technology and implementation costs, steps are taken to inform the data controller of the subject who has been asked for deletion. The right to delete data is an important information self-assessment tool, as it provides the data subject with direct control over personal data. Article 17 of the GDPR allows the data subject to acquire the right to delete them if one of the reasons mentioned above exists. Deletion of data may only take place under the conditions laid down in Article 17 and shall in addition comply with the estimates in Article 17.
Deleting data from a chain is undesirable as these networks are designed to build trust and therefore ensuring data integrity. For example, wherever the relevant consent mechanism is used, in the event of data deletion the majority of all nodes will have to re-verify the integrity of each backward transaction.
The difficulty of complying with Article 17 of the GDPR is a critical blow to blockchain networks. Indeed, even if there were a means of ensuring technical compliance, it could be difficult from an organizational point of view. In order to have a solution regarding blockchain networks and the right to delete data, attention should be paid to the definition of the term “deletion”. Indeed, it is difficult to assess whether the deletion of personal data is possible without accurate guidance on how to interpret this concept.
Restriction of the Right of Processing
Pursuant to Article 18 of the GDPR, the data subject has the right to ask for processing restrictions when one of the following applies:
- The accuracy of the data is questioned by the data subject, allowing the controller to verify the accuracy of the personal data
- The processing is illegal and the data subject objects to the specification of the personal data and restriction of their use
- The data controller is no longer needed personal data for processing purposes, but the data subject is required to create, exercise, or defend legal claims
- The data subject has refused to process whether the controller’s names prevail over those of the data subject
- In case the processing is restricted, the personal data other than the storage should be processed only with the consent of the subject
- The data subject who has restricted the processing shall be informed by the controller before canceling it
The data subject has the right to achieve a limitation of their processing regardless of the techniques used by the technology to perform the processing. Therefore, blockchain networks use EU data protection legislation and require the data subject to have the ability to restrict its processing when challenging its accuracy. In order to determine whether one of the many potential common controllers in a blockchain data class is able to comply with the requirements of Article 18 of the GDPR, special techniques and arrangements must be made.
Initially, there are technical barriers to restricting processing in automated processing environments such as blockchain networks. Indeed, these systems are designed to make data processing impossible in order to increase data integrity and network trust. With regard to public blockchain networks, there are no data processing regulations. It is worth noting that this is true both in relation to the application layer and in relation to applications based on the blockchain protocol.
There are also governance challenges regarding the ability of coordinators to undertake such network interventions. Under recent legislation on joint control, any entity exercising some degree of control through the means and in particular the purposes of data processing is considered a data controller. However, some potential data controllers, such as nodes or users, do not have the ability to intervene in the network in a way that would limit processing. This underscores the central importance of both technical and intergovernmental arrangements that will allow data controllers to comply effectively with Article 18 of the GDPR.
Right to Transition
According to Article 20 of the GDPR, the data subject has the right to receive the personal data concerning him/her and to transfer them to another auditor if:
- Processing is based on consent in accordance with Article 6
- Processing is by automated means
When exercising the right to transfer data in accordance with paragraph 1 of Article 20, the data subject has the right to transfer their personal data directly from one auditor to another. The exercise of the right referred to in paragraph 1 of this Article shall not infringe Article 17. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
The right to transfer data is one of the main innovations of GDPR. It is essentially a tool that allows data subjects to transfer their data from one data controller to another. The principle of personal data transfer aims to empower subjects about their personal data, as it facilitates their ability to move, copy, or transfer them from one environment to another. Where a transfer request meets the requirements of Article 20 of the GDPR, data controllers are required to make the data available in a structured, widely used, and legible format.
In order for a data subject to rely on Article 20 of the GDPR, certain conditions must be met:
- This right obviously only applies to their personal data
- Such personal data must have been transferred from the data subject to the data controller
- Personal data and their processing is based on the consent of the subject
- The processing is done through an automated process
Finally, Article 11 of the GDPR emphasizes that the right to transfer data does not apply if the auditor can prove that he is unable to locate the data subject.
The French Data Protection Authority (CNIL) considers that blockchain technology does not create problems in complying with the data transfer requirement. Article 20 of the GDPR, however, emphasizes the interest in ensuring interoperability between different solutions in blockchain networks. It has been emphasized in relation to social media networks that it does not make sense to transfer data from one provider to another. The same concerns raised by shared networks also apply to blockchain networks. Effective enforcement of data transfer is therefore one of the many reasons that should encourage the interoperability of different solutions.
It is important to remember the necessary relationship between accountability and control. According to the current position of the European Court of Justice on data control, there is a risk that operators may be controllers, even though it is not possible for them to comply with any of the transfer requirements of GDPR data controllers. Indeed, a node can be described as a data controller even though it can only access data that can be encrypted.