GDPR and Blockchain
Interest in blockchain does not seem to be going anywhere anytime soon. Increasingly, it is being proposed (in a variety of contexts) as a potential solution for the storage of patient health data. Much of the excitement about blockchain’s potential stems from blockchain’s features of immutability, anonymity, and decentralised control, which are particular benefits for the healthcare and life sciences sector. But, unless the personal data stored on the blockchain is truly anonymised (which, in practice, is very difficult to achieve), the storage and processing of that data will need to comply with the EU General Data Protection Regulation 2016/679 (“GDPR”). However, these very features make it very difficult for blockchain technology to comply with the GDPR.
For example:
- To understand how the GDPR applies to any arrangement, it is necessary to know who is acting as a ‘data controller’ and who is acting as a ‘data processor’. However, in a public blockchain model, it is often difficult to confirm the identity of all nodes, the activities each node performs, and under whose direction a node is processing the data. Indeed, the concept of a node acting as a data processor (simply treating data as it is directed to do so by the data controller) arguably goes against some of the fundamental concepts of blockchain. Without this understanding, it may be very difficult to ensure the participants’ compliance with GDPR.
- In the context of a public blockchain, nodes might be located anywhere in the world, such that personal data is sent outside the EEA without the data controller knowing where or when such transfers take place. Data controllers may, therefore, struggle to comply with the GDPR’s requirement for the required legal arrangements (such as data transfer agreements between EU-based data exporters and non-EEA-based data importers) to be in place in respect of such transfers.
- A key right under the GDPR is that a data subject may request to have data held about them erased; however, this may be impossible given the immutable nature of blockchain. Even if each node could rely on an exception under the GDPR (and it remains to be seen whether such an exemption would permit the retention of personal data indefinitely in any event), the retention of personal data in this way is still likely to breach the GDPR’s data minimisation and storage limitation principles.
Many of these issues can be mitigated, but the result may be a solution which does not resemble a ‘true’ blockchain. For example, a private, permission-based blockchain would allow a controlling entity to identify all participants, categorise their activities as those of a controller or a processor, limit the risk of transfer of data outside the EEA, and document the participants’ obligations appropriately. Furthermore, “work arounds” such as storing most of the personal data “off chain” (keeping only a reference to it on the chain) and being able to remove all access to that data may alleviate some of the issues around erasure, data minimisation and storage limitation.
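The “off chain” work-around above can be illustrated in code. The following is an added example, not code from the article or its authors: a toy in-memory, hash-linked ledger stands in for the blockchain, an off-chain store holds the actual patient record, and only a salted SHA-256 commitment to that record goes on chain. Erasure deletes the off-chain row (record and salt together), after which the on-chain entry can no longer be resolved to any personal data while the chain itself stays intact. The salting goes slightly beyond the article’s description: it is added so that the on-chain digest cannot be reconstructed by hashing guessed attributes such as a name and date of birth. Whether the residual digest still counts as personal data is the open legal question the article flags; this code only shows the engineering side.

```python
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def commit(salt: bytes, record: dict) -> str:
    """Salted SHA-256 over the canonical JSON form of an off-chain record.
    The salt lives off chain next to the record, so the on-chain value cannot
    be recomputed from guessed attributes alone."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + canonical).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    record_id: str      # opaque handle, not derived from personal data
    commitment: str     # salted digest of the off-chain record
    prev_hash: str
    block_hash: str


def _block_hash(index: int, record_id: str, commitment: str, prev_hash: str) -> str:
    return hashlib.sha256(f"{index}|{record_id}|{commitment}|{prev_hash}".encode()).hexdigest()


class Ledger:
    """Append-only, hash-linked list standing in for the immutable chain (toy model)."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, record_id: str, commitment: str) -> Block:
        prev = self.blocks[-1].block_hash if self.blocks else GENESIS
        idx = len(self.blocks)
        block = Block(idx, record_id, commitment, prev,
                      _block_hash(idx, record_id, commitment, prev))
        self.blocks.append(block)
        return block

    def verify(self) -> bool:
        """Recompute every link; True if no block was altered or removed."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b.index != i or b.prev_hash != prev:
                return False
            if b.block_hash != _block_hash(i, b.record_id, b.commitment, prev):
                return False
            prev = b.block_hash
        return True


class OffChainStore:
    """Mutable store under the controller's direct control; this is what erasure acts on."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, dict]] = {}

    def put(self, record: dict) -> Tuple[str, str]:
        record_id = os.urandom(16).hex()   # random handle, carries no personal data
        salt = os.urandom(16)
        self._rows[record_id] = (salt, record)
        return record_id, commit(salt, record)

    def get(self, record_id: str) -> Optional[Tuple[bytes, dict]]:
        return self._rows.get(record_id)

    def erase(self, record_id: str) -> bool:
        """Honour an erasure request: drop record and salt; the chain is untouched."""
        return self._rows.pop(record_id, None) is not None


def resolve(ledger: Ledger, store: OffChainStore, record_id: str) -> Optional[dict]:
    """Return the record only if it still exists off chain and matches its commitment."""
    row = store.get(record_id)
    if row is None:
        return None
    salt, record = row
    on_chain = [b for b in ledger.blocks if b.record_id == record_id]
    if not on_chain or on_chain[-1].commitment != commit(salt, record):
        return None
    return record


def demo() -> dict:
    """Walk through: store, anchor on chain, resolve, erase, resolve again."""
    ledger, store = Ledger(), OffChainStore()
    patient = {"name": "Jane Doe", "dob": "1980-01-01", "diagnosis": "J45"}  # constructed sample
    rid, c = store.put(patient)
    ledger.append(rid, c)
    before = resolve(ledger, store, rid)
    canonical = json.dumps(patient, sort_keys=True, separators=(",", ":")).encode()
    unsalted = hashlib.sha256(canonical).hexdigest()
    erased = store.erase(rid)
    after = resolve(ledger, store, rid)
    return {"before": before, "erased": erased, "after": after,
            "chain_intact": ledger.verify(), "blocks": len(ledger.blocks),
            "commitment_is_salted": unsalted != c}


if __name__ == "__main__":
    print(demo())
```

The design point is that the mutable component (the off-chain store) is the one the controller can actually act on, so erasure, minimisation and storage limitation are satisfied there, while the chain only ever carries a salted digest and an opaque handle. After erasure the digest remains on chain but, with the salt gone, nothing can be checked against it.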
The EU Commission has expressly stated its interest in looking into opportunities offered by blockchain, including launching initiatives such as the EU Blockchain Observatory and Forum and the EU Blockchain Infrastructure (EuroChain) which aim to make the EU a knowledge hub and leader in the application of blockchain. As a result, the EU Commission may come to appreciate the difficulties posed by GDPR for certain blockchain applications and might adopt a progressive approach, providing guidance which endorses certain “work arounds” as GDPR compliant.
Sophie Sheldon, Supervising Associate, Simmons & Simmons and Lydia Torne, Managing Associate, Simmons & Simmons