(Well, at least for some sectors)

The Challenge

Numerous articles have argued that the EU’s General Data Protection Regulation (GDPR) and Distributed Ledger Technology (DLT), specifically Blockchain, are incompatible. The challenge most often raised concerns the Individual Rights afforded by GDPR, under which personal data must be deleted or modified on request, when it is incorrect, or when the lawful basis for processing (as described in Article 6) has expired.

Because DLT nodes continuously reprocess all previous data and the historic data registry is effectively immutable, complying with the above requirements is, from a technical standpoint, practically impossible in a standard DLT, which makes such a solution non-compliant with the regulation.

Except… the Public Sector Exceptions

Although EU Regulation is often prescriptive in nature, GDPR gives some leeway in specific circumstances. GDPR Article 89(3) provides exceptions (amongst others) to the Right to Rectification (Art. 16), the Right to Restriction of Processing (Art. 18) and the Right to Object (Art. 21) where archiving is carried out for purposes in the public interest under Union or Member State legislation.

Legislation published after GDPR already refers to these exceptions: the new AML Directive explicitly raises the need for data protection, but it also explicitly invokes the public interest in relation to maintaining data in national ledgers. As directives must be transposed into national legislation by the EU27, each country could include those derogations, making the use of DLT possible and rendering the immutability conflict in a public-sector DLT solution moot. There would still be a dependency on national legislators actually making use of this latitude before a “GDPR-compliant” solution could be implemented.

Private Sector Options

For the private sector, where Article 89 provides little use, storing part of the data you need off-chain in a traditional database to ensure rights can be executed seems like a viable solution. This would still require the use of pseudonyms within the DLT, which in turn might not be compliant according to the guidance provided by the Article 29 Working Party[1] (A29WP). The challenges of pseudonymisation are masterfully covered by Michele Finck (2017)[2]. However, the A29WP focused on providing recommendations, which under EU law are not binding and only suggest a line of action[3]. The A29WP was replaced by the European Data Protection Board (EDPB) on May 25th 2018, and while the EDPB can issue binding decisions[4] and has endorsed the A29WP guidance in a published letter, it is not clear whether this endorsement is in fact a binding decision from a compliance point of view[5].
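To make the off-chain-plus-pseudonym pattern concrete, the following is an added example written for this article; it is not code from the original post or from any particular DLT product. A toy append-only hash chain stands in for the ledger, the `OffChainStore` class stands in for the traditional database, and the personal data and class names are constructed for illustration. The chain only ever receives a random pseudonym and a keyed commitment to the off-chain record; rectification appends a new commitment, and erasure deletes the record together with its secret salt, so nothing has to be rewritten on the immutable side.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def canonical(data: dict) -> bytes:
    """Canonical JSON encoding so identical records always commit to the same value."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Block:
    index: int
    prev_hash: str
    entry: dict  # holds only a pseudonym and a salted commitment, never personal data
    hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.hash = hashlib.sha256(
            f"{self.index}:{self.prev_hash}:".encode() + canonical(self.entry)
        ).hexdigest()


class Ledger:
    """Append-only hash chain standing in for the DLT; blocks are never rewritten or removed."""

    def __init__(self) -> None:
        self.blocks = [Block(0, "0" * 64, {"genesis": True})]

    def append(self, entry: dict) -> str:
        block = Block(len(self.blocks), self.blocks[-1].hash, entry)
        self.blocks.append(block)
        return block.hash

    def verify_chain(self) -> bool:
        """Recompute every block hash and check that the back-links are intact."""
        for prev, cur in zip(self.blocks, self.blocks[1:]):
            recomputed = Block(cur.index, cur.prev_hash, cur.entry).hash
            if cur.prev_hash != prev.hash or cur.hash != recomputed:
                return False
        return True

    def entries_for(self, pseudonym: str) -> list:
        return [b.entry for b in self.blocks[1:] if b.entry.get("pseudonym") == pseudonym]


class OffChainStore:
    """Conventional database holding the personal data plus one secret salt per subject.
    Rights requests are executed here; the chain only ever sees pseudonym and commitment."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: dict = {}
        self.salts: dict = {}

    @staticmethod
    def commitment(salt: bytes, data: dict) -> str:
        # Keyed hash: without the salt an on-chain value cannot be tested against guessed
        # personal data (names, e-mail addresses), so deleting the salt severs the link
        # instead of leaving a dictionary-attackable fingerprint on the chain.
        return hmac.new(salt, canonical(data), hashlib.sha256).hexdigest()

    def register(self, personal_data: dict) -> str:
        pseudonym = secrets.token_hex(16)  # random handle, carries nothing about the subject
        salt = secrets.token_bytes(32)
        self.records[pseudonym] = personal_data
        self.salts[pseudonym] = salt
        self.ledger.append({"pseudonym": pseudonym, "version": 1,
                            "commitment": self.commitment(salt, personal_data)})
        return pseudonym

    def rectify(self, pseudonym: str, new_data: dict) -> None:
        """Right to rectification: fix the record off-chain and append a new commitment.
        The superseded block stays on the chain but no longer matches the live record."""
        self.records[pseudonym] = new_data
        version = len(self.ledger.entries_for(pseudonym)) + 1
        self.ledger.append({"pseudonym": pseudonym, "version": version,
                            "commitment": self.commitment(self.salts[pseudonym], new_data)})

    def erase(self, pseudonym: str) -> None:
        """Right to erasure: delete the data and its salt off-chain. The chain is untouched,
        but the remaining commitment can no longer be resolved or verified against anyone."""
        self.records.pop(pseudonym, None)
        self.salts.pop(pseudonym, None)

    def resolve(self, pseudonym: str):
        return self.records.get(pseudonym)

    def verify(self, pseudonym: str) -> bool:
        """Does the newest on-chain commitment match what the database currently holds?"""
        entries = self.ledger.entries_for(pseudonym)
        if pseudonym not in self.records or not entries:
            return False
        expected = self.commitment(self.salts[pseudonym], self.records[pseudonym])
        return hmac.compare_digest(entries[-1]["commitment"], expected)


if __name__ == "__main__":
    ledger = Ledger()
    store = OffChainStore(ledger)
    # Constructed sample subject, not real data.
    alice = store.register({"name": "Alice Example", "email": "alice@example.invalid"})
    store.rectify(alice, {"name": "Alice Example", "email": "a.example@example.invalid"})
    print("verified before erasure:", store.verify(alice))
    store.erase(alice)
    print("resolves after erasure:", store.resolve(alice), "| chain intact:", ledger.verify_chain())
```

Two design choices carry the compliance argument. First, the pseudonym is random rather than derived from the subject, so the chain cannot be joined to other data sets through it. Second, the commitment is a keyed hash whose key lives only in the deletable store; whether the orphaned commitment that remains after erasure counts as anonymised or still as personal data is exactly the pseudonymisation question the guidance discussed above turns on, which is why the architecture reduces but does not by itself settle the compliance risk.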

Combining off-chain storage with pseudonyms increases complexity, confuses architects, and adds costs that will make the technology less appealing to any finance department. Purists will protest that the sanctity of the Blockchain is compromised, defeating its original purpose. Ultimately, compromise is needed in any solution.

More importantly, if layers of data are removed from a system, its perceived value and projected return diminish, making the investment harder to justify. And yet, for private companies this may be the only option available, short of waiting for the next generation of Blockchain/DLT in which these challenges are addressed, or for unconventional solutions such as Chameleon Hashes to become a viable and secure option.

Conclusion

Each use case needs to be considered on its own, particularly whether it sits in the public or the private sector. For the public sector, EU regulation fortuitously allows DLT some leeway on data privacy requirements where processing serves purposes in the public interest under Union and Member State legislation. However, the Article 89 exceptions require derogation and are not applicable to the private sector, where, for the short term, a solution storing part of the data off-chain and linking it through pseudonyms will be required.

Figure 1 shows a reference table for GDPR compliant DLT solution considerations for each type of DLT framework. 

Ultimately, a GDPR compliant pure-DLT solution will be a considerable challenge until regulators and technology experts focus on the issue and embrace DLT as a solution worth certain exemptions. Until then we will continue seeing a growing demand for technical experts who can work closely with lawyers and governments to untangle these knots caused by the divergence of innovation and law.


Notes

[1] The Article 29 Working Party was the EU-established advisory body composed of representatives of the member states’ data protection authorities. Its mission was to provide expert advice, consistency and recommendations.

[2] Michele Finck (2017), “Blockchains and Data Protection in the European Union”

[3] https://europa.eu/european-union/eu-law/legal-acts_en

[4] https://edpb.europa.eu/news/news/2018/europes-new-data-protection-rules-and-edpb-giving-individuals-greater-control_en

[5] https://edpb.europa.eu/news/news/2018/endorsement-gdpr-wp29-guidelines-edpb_en