Most businesses don’t need blockchains to assure data integrity, and the GDPR should give them all pause when considering if it is the right technology fit for their needs.
With a market capitalization of more than 40 billion USD in July 2017, the business potential of Bitcoin and other blockchain technologies has begun to intrigue the financial industry and other big players.
For example, the Hyperledger project, an open source project created to advance cross-industry blockchain technologies, was launched in early 2016 with the backing of firms like IBM and JP Morgan and has since grown to include over 100 corporate and start-up members.
Given that a public blockchain is a globally available, publicly accessible, immutable record, which obligations under the GDPR [2,3] (General Data Protection Regulation) might companies be subject to when participating in blockchain-enabled transactions, or when developing other blockchain-based technologies? For example, will a Bitcoin payment address be considered a pseudonymization of a natural person’s identity?
Recital 26 of the GDPR explains the relationship of pseudonymized data to personal data: “Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.” Could Bitcoin miners, therefore, be considered “data processors” of EU citizens’ and residents’ personal data? Will “personal information” stored in the public blockchain then be subject to the right to erasure?
A company’s participation in blockchain transactions may trigger GDPR obligations in three ways:
- accepting cryptocurrencies, such as Bitcoin, as payment for goods and services,
- storing non-payment personal data in a public blockchain, and
- storing non-payment personal data in a private blockchain.
Accepting cryptocurrency as payment
A Bitcoin address may be considered pseudonymized personal information, just like an account number. The additional information needed to re-establish the associated identity exists outside of the blockchain, however.
While Bitcoin miners might technically be considered data processors of the pseudonymized payment addresses, it’s unlikely they will be held directly responsible for adhering to the GDPR’s constraints as they possess none of the extra information that could link an identity to their financial transactions. Instead, the onus will be on the businesses receiving Bitcoin to protect any correlation data which could be used to unmask individual payment transactions.
While traditional payment information stays localized within a business, the pseudonymized transaction information on the blockchain is necessarily publicly available worldwide. Firms that accept Bitcoin can therefore be considered to incur a greater responsibility to protect their customer identity records.
Even so, it might still be possible to identify Bitcoin users without this protected information. In research published in Science magazine, de Montjoye et al. (2015) analyzed credit-card transactions from 1.1 million shoppers in OECD countries. Even where names, addresses, and other information directly linked to card owners had been removed, the researchers identified 90% of the shoppers if they knew the date and location of just four of their credit-card transactions.
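The re-identification result above is easy to misread as a property of that one dataset, so here is an added example (written for this article, not code from de Montjoye et al. or from any project) that computes the same kind of measure, usually called unicity, over a constructed pseudonymized transaction log: for k known (day, merchant) points, what share of pseudonymous tokens match nobody else? It generalizes the study's "four points" figure to any k, which is the check a data-protection officer would want to run before treating a stripped-down payment log as anonymous. The token format, the 30-day/15-merchant space and all transaction values are constructed assumptions.

```python
import hashlib
import random
from collections import defaultdict


def build_sample(n_shoppers=200, tx_per_shopper=12, n_days=30, n_merchants=15, seed=1):
    """Constructed pseudonymized transaction log: token -> list of (day, merchant) points.
    Names, addresses and card numbers are already stripped, the setting of the study.
    All values are made up; the token is a stand-in for a card or payment-address pseudonym."""
    rng = random.Random(seed)
    data = {}
    for i in range(n_shoppers):
        token = hashlib.sha256(f"card-{i}".encode()).hexdigest()[:16]
        data[token] = [(rng.randrange(n_days), rng.randrange(n_merchants))
                       for _ in range(tx_per_shopper)]
    return data


def unicity(data, k, trials_per_shopper=5, seed=2):
    """Share of shoppers for whom k randomly chosen points from their own history
    match no other token in the log. A value near 1.0 means the 'anonymous' log
    singles people out once a few outside facts (receipt dates, shop locations) are known."""
    rng = random.Random(seed)
    # Inverted index: point -> set of tokens that have a transaction at that point.
    index = defaultdict(set)
    for token, points in data.items():
        for p in points:
            index[p].add(token)
    unique = total = 0
    for token, points in data.items():
        for _ in range(trials_per_shopper):
            known = rng.sample(points, k)
            # Candidates are everyone consistent with all k known points.
            candidates = set.intersection(*(index[p] for p in known))
            total += 1
            if candidates == {token}:
                unique += 1
    return unique / total


def unicity_curve(ks=(1, 2, 3, 4)):
    """Unicity for each k on the constructed sample, rounded for reporting."""
    data = build_sample()
    return {k: round(unicity(data, k), 3) for k in ks}


if __name__ == "__main__":
    for k, u in unicity_curve().items():
        print(f"{k} known points -> {u:.1%} of shoppers uniquely identified")
```

On this sample one known point identifies almost nobody, while three or four identify nearly everyone; the steep rise, rather than the exact percentages, is the property that carries over to real logs and is what makes correlation data around blockchain payments worth protecting.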
Storing non-payment personal data in a public blockchain
While Bitcoin has demonstrated its use as a currency and payment system, the blockchain can be used to solve a vast array of problems. New business ventures are already using Bitcoin’s official blockchain, as well as their own distributed, trusted ledgers of transactions to store all sorts of information, from land titles to autonomous IoT resource negotiations.
Since businesses can store any information they desire in their blockchains, which will be made public as part of the recording process, the GDPR will need to be considered in relation to any business application that uses blockchain technology to process EU citizen/resident personal data. A key question is whether one of the blockchain’s primary features, the immutability of past transactions, is likely to collide directly with the GDPR’s “right to erasure.”
Once a transaction is a part of the blockchain’s history, there is no practical, technical way to comply with the GDPR’s directives for erasure. The data cannot be erased by the business, or the distributed, global controllers processing the data. It seems that the GDPR is incompatible with this kind of blockchain-based application if any personal data is stored in the chain. Companies will, therefore, have to carefully consider which data they wish to expose in public blockchain records.
Storing non-payment personal data in a private blockchain
A private blockchain, verified completely within a business, at least has the potential to avoid the problems mentioned above, but it is highly impractical. The fundamental design of a blockchain still makes deletion very difficult, but as all the controllers and processors are under the same authority, it is at least possible.
By controlling all the infrastructure, a company could generate entirely new internal blockchains, replaying previous transactions but omitting those required to be deleted. Such reconstitution would almost completely undermine any value provided by using blockchain technology to assure transactional integrity, however.
The easiest solution is just to exclude anything which could be considered personal data from public or private blockchain transaction records and store those data elsewhere in a more mutable form. Most businesses don’t need blockchains to assure data integrity, and the GDPR should give them all pause when considering if it is the right technology fit for their needs. If it is, they will need to assure they aren’t storing EU citizen/resident personal data in this immutable form.
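Two of the points above are concrete enough to show in code: why rebuilding a private chain without one record undermines its integrity value, and what keeping personal data off-chain actually looks like. The following is an added example written for this article, not Bitcoin's block format and not any project's code. It uses a minimal hash-chained ledger; the `SAMPLE_PAYLOADS`, order ids and names are constructed. The off-chain part goes one step beyond the text's "store those data elsewhere in a more mutable form": the chain keeps a salted hash commitment to each off-chain record, so it can still attest to records that exist without holding anything that identifies a person.

```python
import hashlib
import json
import secrets


# --- Minimal hash-chained ledger (illustration only) ---

def block_hash(prev_hash, payload):
    """Each block commits to the previous block's hash and its own payload."""
    material = prev_hash + "|" + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def build_chain(payloads):
    """Replay payloads in order into a list of (hash, payload) blocks."""
    chain, prev = [], "0" * 64
    for p in payloads:
        h = block_hash(prev, p)
        chain.append((h, p))
        prev = h
    return chain


def verify_chain(chain):
    prev = "0" * 64
    for h, p in chain:
        if block_hash(prev, p) != h:
            return False
        prev = h
    return True


# --- 1. Personal data stored in the chain itself (constructed records) ---

SAMPLE_PAYLOADS = [
    {"order": "order-1", "name": "Alice Example", "amount": 12},
    {"order": "order-2", "name": "Bob Example", "amount": 30},
    {"order": "order-3", "name": "Carol Example", "amount": 7},
    {"order": "order-4", "name": "Dan Example", "amount": 21},
]


def erasure_impact(payloads, index):
    """Rebuild the chain with record `index` omitted (the only erasure a private chain
    allows) and return (blocks that kept their hash, blocks whose hash changed).
    Every block after the removed one is re-hashed, so any receipt, audit trail or
    partner's copy that recorded those hashes no longer matches."""
    old = {json.dumps(p, sort_keys=True): h for h, p in build_chain(payloads)}
    rebuilt = build_chain([p for i, p in enumerate(payloads) if i != index])
    kept = sum(1 for h, p in rebuilt if old[json.dumps(p, sort_keys=True)] == h)
    return kept, len(rebuilt) - kept


# --- 2. Personal data kept off-chain; chain holds only a salted commitment ---

def commitment(record_id, salt, data):
    """Salted hash of the record. The random salt stops low-entropy fields (names,
    cities, birth dates) from being recovered by guessing against the chain."""
    material = f"{record_id}|{salt}|" + json.dumps(data, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


class OffChainStore:
    """Mutable store for the personal data; erasure is an ordinary delete here."""

    def __init__(self):
        self.records = {}  # record_id -> {"salt": ..., "data": ...}

    def put(self, record_id, data):
        salt = secrets.token_hex(16)
        self.records[record_id] = {"salt": salt, "data": data}
        return commitment(record_id, salt, data)  # this is what goes on the chain

    def erase(self, record_id):
        del self.records[record_id]

    def prove(self, record_id):
        """Recompute the commitment; None once the record has been erased."""
        r = self.records.get(record_id)
        return None if r is None else commitment(record_id, r["salt"], r["data"])


def offchain_demo():
    store = OffChainStore()
    c1 = store.put("order-1", {"name": "Alice Example", "city": "Lyon"})
    c2 = store.put("order-2", {"name": "Bob Example", "city": "Graz"})
    chain = build_chain([{"order": "order-1", "commit": c1},
                         {"order": "order-2", "commit": c2}])
    store.erase("order-1")  # right-to-erasure request handled off-chain
    return {
        "chain_intact": verify_chain(chain),
        "erased_still_provable": store.prove("order-1") is not None,
        "other_still_provable": store.prove("order-2") == c2,
        "personal_data_on_chain": any("name" in p for _, p in chain),
    }


if __name__ == "__main__":
    print("kept/changed after dropping record 1:", erasure_impact(SAMPLE_PAYLOADS, 1))
    print(offchain_demo())
```

Dropping the second of four on-chain records leaves only the first block's hash intact; the two later blocks are effectively new blocks, which is the "reconstitution" cost described above. In the off-chain variant the chain is untouched by the erasure, the remaining record still verifies against its commitment, and nothing on the chain names anyone.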