GDPR & Blockchain: the Swiss Take
Gabriel Jaccard - University of Geneva;
Adrien Tharin - PwC Legal Switzerland
Blockchains being open and transnational types of systems by nature, they pose an inherent challenge to data protection regulations. Even the most basic questions, such as "who is the data controller in a decentralized system?" or "under what regulation would a public international blockchain like Bitcoin fall?", remain unresolved from a legal perspective.
The reason is simple: most regulations, even the most recent pieces of legislation such as the well-known GDPR in the EU, exclusively contemplate the hypothesis in which an identified, centralized party may be held liable towards the regulator.
In our recent article "GDPR & Blockchain: the Swiss take", we propose answers to some of the emblematic legal questions raised by blockchain. Among those, we discuss the concept of data controller. We determine, in the context of a blockchain environment, what the criteria should be to assess the "control" exercised by certain actors, and under what circumstances regulators might consider themselves to be in the presence of a "data controller" under data protection regulation. This question is essentially discussed in relation to public (i.e. potentially international) and open (i.e. potentially open to any other actor) blockchains.
Further, we develop the concept of a "blockchain's nationality", i.e. whether, legally speaking, a "nationality" can be identified for a given blockchain. This concept would help in determining the scope of application of the regulation and may also be useful where multinational processing of data occurs.
Another question dealt with in this article relates to the type of data available on the blockchain and its legal qualification. We highlight the difficulty of determining whether the register contains personal data and to whom such data relate. We also offer some tips for successfully processing data on the blockchain in a compliant manner.
In particular, we discuss the notion of encrypted data and the threshold between the qualification of pseudonymous and anonymous data under the GDPR. In a few words, we consider that the notion of absolute irreversibility required to consider data as anonymized under EU law (i.e. a 0% chance of reversibility) is too stringent vis-à-vis the requirements set by the case law of the ECJ.
Further, we briefly study the implications of the right to be forgotten in the context of the blockchain. In our view, mechanisms relying on some type of "golden key" are not compatible with the raison d'être of a blockchain. In this regard, our work explains the concept of "forward secrecy", which would in our view constitute a sufficient equivalent to the erasure of the data.
Finally, we believe that the success of any blockchain ecosystem relies heavily on thorough consideration of, and respect for, its regulatory environment. In general, projects, whether blockchain-related or not, must be developed in harmony with regulations from the outset. When that is not the case, drastic measures may be expected from regulators.
In order to comply with often silent or incoherent regulators, the development of international standards plays an important role in assessing how a blockchain should be designed to be legally compliant. In this regard, cooperation between technical developers and (true) legal specialists of the blockchain, working hand in hand, is necessary to achieve such harmony in the long run.