Abstract: Recent publications on the data protection aspects of blockchain technology focus on the characteristics of the initial public (Bitcoin) blockchain, and do so in a generalized manner. The authors then conclude that the characteristics of a public blockchain are profoundly incompatible at a conceptual level with the principles of the EU General Data Protection Regulation (GDPR). The GDPR requires identification of a central ‘controller’ who is responsible for compliance with the GDPR, while a public blockchain decentralizes the storage and processing of personal data, with the result that there is no such central point of control. For lack of a better alternative, the authors conclude that all ‘nodes’ involved in operating a blockchain qualify as a controller under the GDPR, raising enforcement and jurisdictional issues that make it impossible for individuals to enforce their rights. The transparency and immutability of a public blockchain would further not sit well with principles of data confidentiality, data minimization, data accuracy and the rights of individuals to correction and deletion of their data.
I disagree with the analysis of these authors for a host of different reasons, the main one being that the authors focus on the shortcomings of the initial public (Bitcoin) blockchain when many new types of permissioned private and consortium blockchain have already been developed that significantly diverge from the original, permissionless public blockchain. In fact, these types of permissioned blockchain have been developed in response to the shortcomings of public blockchain. The authors further consider the data processing implications of blockchain as if this technology in itself constitutes a data processing activity for which a controller has to be identified. Controllership is, however, decided based on a specific use or deployment of a certain technology. Blockchain, like the internet, is a general-purpose technology that is subsequently deployed by actors for a certain purpose in a specific context. Applying the question of controllership to the internet at large would pose similar data protection issues under the GDPR as identified by the authors in respect of blockchain. This publication explains why none of these issues is currently hampering application of the GDPR to the internet and why they are equally unlikely to pose issues for blockchain applications. This publication describes the issues in their broader context, as well as how each of these issues can be addressed to ensure compliance with the GDPR. The conclusion is that the GDPR is also well able to regulate this new technology. This does not, however, mean that blockchain will thus be suitable for all use and deployment cases.
European Review of Private Law