The Puzzle of Squaring Blockchain with the General Data Protection Regulation
Raffi Teperdjian, The George Washington University Law School
-- The General Data Protection Regulation (GDPR), which became applicable across the European Union (EU) in 2018, was a monumental step forward in the EU’s continued legislative effort to protect individuals’ personal data. The legislation is broad, unprecedented in scope, and omnibus in its protections for individuals’ rights to privacy. Integral to those protections is the concept of the Data Controller: the natural or legal person to whom Data Subjects (the individuals in the EU to whom personal data in a given system relates) turn to exercise their rights, and who is ultimately accountable for compliance and liable if the rules are breached. While the GDPR was designed to account for the important technological advances of the last 25 years, it failed to anticipate the importance of a radically different, decentralized method of dealing with data known as blockchain.
A blockchain is a system of records that replicates identical copies of the data across many computers in a network. Blockchain is not an entirely new technology but a novel combination of several existing ones: (1) asymmetric (public-key) cryptography, used chiefly for the digital signatures that authorize transactions rather than for encryption, (2) cryptographic hash values, (3) Merkle trees, and (4) peer-to-peer networks. While it is becoming common knowledge that blockchains generally share these components, less well understood – particularly in the legal community – are the significant variations in data governance models among individual blockchains and the legal implications of those variations. The regulatory conflicts that these variations create in the context of EU privacy law, and the failure of EU regulators to address them, are the focus of my recent article, “The Puzzle of Squaring Blockchain with the GDPR.”
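As an added illustration of how components (2) and (3) work together (example code written for this page, not part of the article or of any blockchain project): each block commits to its records through a Merkle root, and each block header commits to the previous header's hash, so every node holding a replica can detect when a record has been removed or altered in place. The transaction strings are constructed here purely as sample data; the block layout is a simplified model, not Bitcoin's actual serialization.

```python
import copy
import hashlib


def sha256(data: bytes) -> str:
    """Hex digest of SHA-256, the hash function used throughout this model."""
    return hashlib.sha256(data).hexdigest()


def merkle_root(records):
    """Merkle root over the SHA-256 hashes of the records.

    Leaves are hashes of the raw records; each parent is the hash of its two
    children's digests. An odd layer duplicates its last node (as Bitcoin does).
    """
    if not records:
        return sha256(b"")
    layer = [sha256(r.encode()) for r in records]
    while len(layer) > 1:
        if len(layer) % 2 == 1:
            layer.append(layer[-1])
        layer = [
            sha256(bytes.fromhex(layer[i] + layer[i + 1]))
            for i in range(0, len(layer), 2)
        ]
    return layer[0]


def block_hash(prev_hash: str, root: str) -> str:
    """Header hash: commits to the previous header and to this block's records."""
    return sha256(f"{prev_hash}{root}".encode())


GENESIS_PREV = "0" * 64


def build_chain(blocks_of_records):
    """Link blocks so that each header depends on every header before it."""
    chain, prev = [], GENESIS_PREV
    for records in blocks_of_records:
        root = merkle_root(records)
        h = block_hash(prev, root)
        chain.append({"prev_hash": prev, "merkle_root": root,
                      "records": list(records), "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Re-derive every commitment. Returns (True, None) or (False, index of first bad block)."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["prev_hash"] != prev:
            return False, i
        if merkle_root(blk["records"]) != blk["merkle_root"]:
            return False, i
        if block_hash(blk["prev_hash"], blk["merkle_root"]) != blk["hash"]:
            return False, i
        prev = blk["hash"]
    return True, None


def erase_record(chain, block_index, record):
    """One node deleting a record from its local copy without touching the headers."""
    tampered = copy.deepcopy(chain)
    tampered[block_index]["records"].remove(record)
    return tampered


def rewrite_block_header(chain, block_index):
    """Recompute one block's root and hash to match its (edited) records."""
    fixed = copy.deepcopy(chain)
    blk = fixed[block_index]
    blk["merkle_root"] = merkle_root(blk["records"])
    blk["hash"] = block_hash(blk["prev_hash"], blk["merkle_root"])
    return fixed


# Constructed sample transactions (payer->payee:amount), three blocks' worth.
SAMPLE_BLOCKS = [
    ["alice->grocer:12.50", "bob->alice:3.00"],
    ["carol->grocer:7.25"],
    ["grocer->dave:1.00", "alice->bob:0.50", "dave->carol:9.99"],
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BLOCKS)
    print("intact chain verifies:", verify_chain(chain))
    # Quietly deleting Alice's first payment breaks block 0's Merkle commitment.
    erased = erase_record(chain, 0, "alice->grocer:12.50")
    print("after local erasure:", verify_chain(erased))
    # Rewriting block 0's header to hide the deletion breaks block 1's prev_hash link.
    print("after rewriting header 0:", verify_chain(rewrite_block_header(erased, 0)))
```

Running it shows the two properties that matter for data governance: removing a record invalidates the block that held it, and repairing that block's header invalidates every block after it, so the change is visible to any other node holding a copy.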
The problem the GDPR encounters in trying to regulate blockchains arises from the legislation’s assumption that the entities in a system that determine the means and purposes of processing users’ personal data, that is, the Data Controllers, are readily identifiable and remain constant. In blockchains with decentralized data governance, where a participant’s role can vary over time, this assumption is often false. Several commissions in the EU have tried to tackle the conundrum of how to fit blockchain into the GDPR’s framework, but their analysis and recommendations have failed to resolve the conflicts adequately. One reason for this shortcoming is that these commissions initially took a reductive and limited view of blockchain, and later directed the vast majority of their compliance recommendations at blockchains with centralized data governance while largely ignoring the more innovative decentralized varieties.
“The Puzzle of Squaring Blockchain with the GDPR” is the first article to provide an overview of blockchain technology that distinguishes between the variety of centralized and decentralized data governance models. To bring about the truly revolutionary applications of blockchain while ensuring adequate individual personal data protections, I propose that the EU eliminate untenable GDPR Data Controller obligations for blockchains with decentralized data governance models.
The article is broadly divided into four sections. It begins with an introductory section that describes blockchain and GDPR terminology at a high level and previews the issues to be discussed. This is followed by an overview of blockchain written on the presumption that the reader has no prior knowledge of the technology. All topic-specific terms are defined, and commentary is included on the lack of a fully settled lexicon. Notably, this section illustrates the spectrum of centralized-to-decentralized data governance models found in existing blockchain systems by discussing three hypothetical ways of executing a financial transaction – i.e., showing how a grandmother would buy groceries at a store using (1) a fiat banking system, (2) a centralized blockchain system, and (3) a decentralized blockchain system. The next section provides a basic discussion of the GDPR, including the legislative definition of personal data and the interplay of Data Subjects, Data Controllers, and Data Processors.
Throughout the discussion, I return to the three aforementioned examples, the real-life examples of Bitcoin and the Decentralized Autonomous Organization, and the concept of lex cryptographia (rules administered through self-executing smart contracts) to provide context and demonstrate possible legal conflicts. The article then discusses the recommendations regulators have made for deploying GDPR-compliant private blockchains, distinguishing those from several innovative public blockchain applications. The remainder of the article is devoted to exploring the conflicts between blockchains and the GDPR, proposing several recommendations, and highlighting open questions.