Data Rights. Compliance with GDPR in Blockchain Networks

Articles 15-22 of the GDPR provide specific data rights. Data controllers are obliged to facilitate the exercise of these rights and cannot delegate this task to others. On a blockchain, some of these data rights pose no specific problems, but others cause technical problems and legal challenges. Possible solutions to these problems depend on the identity of the data controller as well as on their influence over the data. Of course, the application of these data rights can only be assessed case by case, through an analysis which assigns specific techniques to each data processing function.

Access Right

According to Article 15 of the GDPR, data subjects have the right to receive confirmation from the data controller as to whether their data are being processed and, if they are, to access the following information:

Requests for access may be submitted to the data controller/s. However, it has been observed that some entities designated as data controllers may not have access to blockchain data. For example, nodes can only see encrypted data in the blockchain. As a result, they may not be able to determine whether the ledger contains real personal data about the subject to whom they refer, a fact which activates the right of access. Similar problems arise with the requirement that the controller has to provide a copy of the data to be processed. Consequently, the entity that decides about the use of the blockchain and the processing of personal data must ensure that there are appropriate governance arrangements in place to enable this right to be exercised effectively.

Correction Right

According to Article 16 of the GDPR, the data subject has the right to request from the data controller the correction of inaccurate personal data. Taking into consideration the purpose of the processing, the data subject also has the right to have incomplete personal information completed.

Blockchain networks only allow data to be added (they are append-only data structures). Deletion and modification are made extremely difficult in order to ensure network integrity and reliability. This is in contrast to the GDPR, which requires that data can be changed and that it is possible to delete them. Indeed, in most blockchain networks, the correction of data is not supported.

Private blockchain networks can support such requests. Correcting data on public blockchain networks is much more difficult, and participants are not always able to comply with such a request. This is not because it is strictly technically impossible to do so, but because each node can change its own copy of the chain.

Deletion Right

According to Article 17 of the GDPR, the data subject has the right to have their data deleted by the controller when one of the following reasons exists:

Given the available technology and implementation costs, steps are taken to inform the data controller of the subject who has been asked for deletion. The right to delete data is an important information self-assessment tool, as it provides the data subject with direct control over personal data. Article 17 of the GDPR gives the data subject the right to have the data deleted if one of the reasons mentioned above exists. Deletion of data may only take place under the conditions laid down in Article 17 and shall in addition comply with the estimates in Article 17.

Deleting data from a chain is undesirable, as these networks are designed to build trust and therefore to ensure data integrity. For example, wherever the relevant consensus mechanism is used, in the event of data deletion the majority of all nodes will have to re-verify the integrity of every earlier transaction, working backwards.

The difficulty of complying with Article 17 of the GDPR is a critical blow to blockchain networks. Indeed, even if there were a means of ensuring technical compliance, it could be difficult from an organizational point of view. In order to have a solution regarding blockchain networks and the right to delete data, attention should be paid to the definition of the term “deletion”. Indeed, it is difficult to assess whether the deletion of personal data is possible without accurate guidance on how to interpret this concept.

Right to Restriction of Processing

Pursuant to Article 18 of the GDPR, the data subject has the right to ask for processing restrictions when one of the following applies:

The data subject has the right to obtain a restriction of processing regardless of the technology used to perform the processing. Therefore, blockchain networks are subject to EU data protection legislation and must give the data subject the ability to restrict processing when challenging the accuracy of the data. In order to determine whether one of the many potential joint controllers in a blockchain data class is able to comply with the requirements of Article 18 of the GDPR, special techniques and arrangements must be put in place.

Initially, there are technical barriers to restricting processing in automated processing environments such as blockchain networks. Indeed, these systems are designed to make data processing impossible in order to increase data integrity and network trust. With regard to public blockchain networks, there are no data processing regulations. It is worth noting that this is true both in relation to the application layer and in relation to applications based on the blockchain protocol.

There are also governance challenges regarding the ability of coordinators to undertake such network interventions. Under recent legislation on joint control, any entity exercising some degree of control through the means and in particular the purposes of data processing is considered a data controller. However, some potential data controllers, such as nodes or users, do not have the ability to intervene in the network in a way that would limit processing. This underscores the central importance of both technical and intergovernmental arrangements that will allow data controllers to comply effectively with Article 18 of the GDPR.

Right to Transition

According to Article 20 of the GDPR, the data subject has the right to receive the personal data concerning him/her and to transfer them to another controller if:

When exercising the right to transfer data in accordance with paragraph 1 of Article 20, the data subject has the right to have their personal data transferred directly from one controller to another. The exercise of the right referred to in paragraph 1 of this Article shall not infringe Article 17. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.

The right to transfer data is one of the main innovations of the GDPR. It is essentially a tool that allows data subjects to transfer their data from one data controller to another. The principle of personal data transfer aims to empower data subjects with regard to their personal data, as it facilitates their ability to move, copy, or transfer them from one environment to another. Where a transfer request meets the requirements of Article 20 of the GDPR, data controllers are required to make the data available in a structured, widely used, and legible format.

In order for a data subject to rely on Article 20 of the GDPR, certain conditions must be met:

Finally, Article 11 of the GDPR emphasizes that the right to transfer data does not apply if the controller can prove that it is unable to locate the data subject.

The French Data Protection Authority (CNIL) considers that blockchain technology does not create problems in complying with the data transfer requirement. Article 20 of the GDPR, however, emphasizes the interest in ensuring interoperability between different solutions in blockchain networks. It has been emphasized in relation to social media networks that it does not make sense to transfer data from one provider to another. The same concerns raised by shared networks also apply to blockchain networks. Effective enforcement of data transfer is therefore one of the many reasons that should encourage the interoperability of different solutions.

It is important to remember the necessary relationship between accountability and control. According to the current position of the European Court of Justice on data control, there is a risk that operators may be controllers, even though it is not possible for them to comply with any of the transfer requirements of GDPR data controllers. Indeed, a node can be described as a data controller even though it can only access data that can be encrypted.

Department of Electronics and Computer Science, University of Southampton
